UK Government consults on ransomware incident reporting

Written By

Matthew Buckwell

Senior Associate
UK

I am an associate in our Commercial Group, and I advise clients on the global challenges facing the digital and communications sector as well as providing counsel on new technologies and their relationships with the use of data.

Rory Coutts

Associate
UK

I am an associate in our Commercial Group, and I advise clients in the technology and communications sector.

As part of its focus on cybersecurity in 2025, the UK Government’s Home Office is consulting on new ransomware incident response rules aimed at reducing payments made by victims of ransomware incidents and increasing the government’s ability to respond to these attacks. 

The Government’s proposals are part of wider plans to reform UK cybersecurity rules which were announced last year and are expected to take shape in 2025. 

Context

The UK has recently seen high-profile ransomware incidents, such as the attacks against Royal Mail, Capita and the British Library, which have led to calls for reform of UK cybersecurity policy.

Cybersecurity obligations apply in the UK such as through UK GDPR and more targeted requirements for certain sectors via the Network and Information Systems Regulations 2018 (“NIS”), but these are in need of an update to reflect the current cybersecurity climate. Sector specific requirements (such as for communication providers under the Telecommunications (Security) Act 2021) have been updated but, in general, the UK has not had significant changes in its approach since Brexit. In contrast, the EU is moving forward with new cyber legislation with the NIS2 Directive and the Cyber Resilience Act (among others). 

To update the UK’s cybersecurity rulebook, plans were announced in the King’s Speech to introduce a Cyber Security and Resilience Bill to: 

  1. expand the scope and application of cyber requirements in the UK;
  2. increase regulator powers to oversee compliance; and
  3. increase incident reporting including following ransomware attacks. 

The Home Office’s ransomware consultation appears to be meeting part of this promise and could potentially be separate from the Cyber Security and Resilience Bill. Wider consultations on the Bill are expected in 2025 – the exact direction of the Bill remains unconfirmed, but it is generally expected to update the UK’s NIS framework and may align it more closely with the EU’s NIS2 regime (which has a broader scope and more extensive obligations, including faster reporting of incidents).

The Home Office’s ransomware proposals 

The Home Office has put forward three proposals:

  1. Targeted ban on ransomware payments for Critical National Infrastructure (“CNI”) and the public sector – this would prevent organisations in the UK public sector and owners/operators of CNI from making a payment in response to a ransomware incident.
  2. Broader ransomware payment prevention scheme – any victim of a ransomware attack would need to report their intention to make a ransomware payment to the Government before paying over any money. Information gathered from reports would feed into Government intelligence to support investigations and/or operations to counter ransomware attacks. The Government would then decide whether to assist the victim and confirm if there is a reason to block them from making any payment to the attackers. The consultation will consider any relevant thresholds that could apply under this proposal (e.g. a simplified process for SMEs).
  3. Reporting regime for ransomware incidents – requiring victims to report incidents to the Government regardless of the victim’s intention to pay a ransom. The Government is considering whether a reporting threshold should apply or whether all incidents should be reportable. The Government’s proposal is to have a staged reporting timeframe.
    1. An initial report within 72 hours informing the government of a ransom demand, whether the victim can recover from existing resilience measures, and if the ransomware group is identifiable.
    2. A detailed report within 28 days informing the government of the vector of access, whether resilience measures have been implemented by the victim, and further details on the attack.

According to the Home Office, an estimated $1 billion flowed to ransomware criminals globally in 2023, with millions coming from the UK, whilst the NCSC considers ransomware attacks to be the most disruptive and highest-risk cybercrime. The Home Office’s ransomware proposals seek to stem the flow of that money as well as disrupt threats to the UK’s critical national infrastructure. Blocking companies from making these payments may reduce the flow of money and make attacks less profitable for the cyber-criminal, but this may be at the expense of the valuable data that is being ransomed.

Next steps

The Home Office consultation is open until 8 April 2025 and provides an opportunity to feed into discussions before these develop into more concrete policy proposals. 

The consultation is part of the Government’s wider work on cybersecurity and should be seen in the context of wider reform – for example, the Home Office notes that it will work with the Department for Science, Innovation and Technology (DSIT) so that its proposals are aligned with the upcoming Cyber Security and Resilience Bill.

Key questions that the consultation will need to address include any thresholds or exemptions, and whether ransomware reporting could duplicate existing reporting requirements. The Home Office’s intention is that UK victims of ransomware attacks are required to report an individual ransomware incident only once (for example, avoiding dual notification requirements under the UK’s NIS rules). However, how this works in practice will need careful review.

For more information please contact Matthew Buckwell and Rory Coutts.
