The UK government has completed a public consultation on bold proposals to reduce the growing threat of ransomware, a cybercrime that has cost businesses millions and continues to disrupt critical infrastructure.
Closed yesterday (8 April), the consultation sought input on three potential legislative changes: a targeted ban on ransomware payments by public sector and critical national infrastructure (CNI) organisations, a new authorisation system for any ransomware payments, and a mandatory incident reporting regime.
The proposals form part of a wider drive to confront what officials describe as a national security threat. While distinct from the forthcoming Cyber Security and Resilience Bill—which aims to bolster broader digital defences—these ransomware-specific measures represent an unprecedented attempt to undercut the economic incentive fuelling such attacks.
At a roundtable hosted by the Royal United Services Institute (RUSI) in Westminster last week, cyber experts and policy analysts weighed the benefits and challenges of the proposed measures.
The event, sponsored by cybersecurity consultancy CyXcel, shed light on the thinking behind the consultation, and the practical hurdles that may stand in the way.
Choking off the ransomware economy
RUSI research fellow Jamie MacColl explained that the proposals stem from a belief within the Home Office that “we can’t arrest our way out of the problem” due to ransomware gangs operating from jurisdictions beyond UK reach. “But we can stop the flow of money,” he added, noting the emphasis on curbing financial transactions with cybercriminals.
Indeed, a targeted ban on payments by the public sector and CNI organisations could, in theory, reduce attackers’ incentives. Yet several panellists questioned the effectiveness and enforceability of such a ban in isolation.
Edward Lewis, CEO of CyXcel, a global cybersecurity consultancy and a business division of the law firm Weightmans, described the payment ban as “a good thing in principle,” but warned that in practice “there’s an awful lot the government needs to do first.” His concern: if companies are barred from paying but lack alternative recovery options, the consequences could be disastrous.
Lewis said: “We’ve seen how fragile many organisations are—without proper contingency plans, being unable to pay a ransom could mean going out of business.” He stressed the need for clear support for businesses on a national and regional level, and greater investment in cyber resilience.
Verona Johnstone-Hulse, UK head of government affairs at cyber firm NCC Group, also raised red flags about unintended consequences.
“If successful, the ban could displace attacks onto sectors that aren’t considered critical but are vital to the economy—like manufacturing or SMEs,” she said. “Sophisticated threat actors may simply pivot to new tactics like DDoS or data extortion.”
Authorisation system: Speed bump or bureaucratic hurdle?
The proposal—to introduce a government-backed authorisation regime for ransomware payments—was met with a mixed reception. The idea is to create friction in the decision-making process, requiring businesses to request government approval before engaging with ransomware criminals. Victims would receive a response within 72 hours.
MacColl described the plan as “unprecedented” and likely to increase hesitation among victims. He noted that the government envisions a 24/7 unit staffed to provide advice but questioned whether public bodies are best placed to make such sensitive, high-stakes decisions.
Alexander Martin, UK editor of The Record, was sceptical of the policy’s depth. “This looks like a speed bump, not a framework,” he said. “It’s unclear who would make the call on authorisation, what criteria would be used, and whether the advice would be binding.”
Johnstone-Hulse raised practical issues around timing: “Those first 24 to 72 hours are critical. You’re in the middle of a crisis and you might not hear back from government in time. That creates real risks.”
CyXcel’s Lewis echoed this sentiment, warning that the regime could polarise relationships between government and industry. The government risks re-victimising victims, he argued. “There needs to be a clear escalation path, judicial oversight, and transparency in decision-making.”
The estimated annual cost of the unit (£17 million) also drew criticism. “That money might be better spent empowering law enforcement to disrupt ransomware groups directly,” RUSI’s MacColl suggested.
Mandatory reporting gains broad support
Among the three proposals in the Home Office’s consultation, mandatory reporting of ransomware incidents received the strongest backing among the panel. While some businesses may assume such a system already exists, current reporting mechanisms, such as the City of London Police’s reporting centre Action Fraud, have been criticised for inefficiency.
MacColl argued that a clear reporting regime is vital: “You can’t make good policy without knowing the scale of the problem.” However, he raised questions about thresholds, who should report, what qualifies as a ransomware attack, and where the reports should go.
Johnstone-Hulse agreed that mandatory reporting could help shape smarter policy over time. “Do we need a ransomware-specific mechanism or something broader for cybercrime generally? Threats evolve quickly,” she said.
The government’s challenge will be ensuring that any new reporting framework is both credible and user-friendly. The panel also called for assurances that law enforcement can turn the resulting data into actionable intelligence.
International alignment—or isolation?
The UK’s proposals come at a time when international cooperation is key. Lewis noted that although the UK is attempting to lead, it risks going it alone. “It’s great the UK is leading the charge, but we don’t want to be an army of one,” he said, pointing to Australia’s recent reversal of a similar ban. He emphasised the need for coordination and mutual support among like-minded nations.
The Record’s Martin, however, argued there’s value in the UK taking the first step. “We’re the most cyber-attacked country per capita in the world,” he said. “Something has to change.”
What’s likely to become law?
While some elements of the consultation may prove too complex or controversial to implement in the short term, mandatory reporting appears likely to move forward. Speaking to TechInformed after the event, Lewis argued that it offered a tangible way to gather much-needed data and laid the groundwork for more ambitious reforms in the future.
“Is ransomware getting worse? The NCSC wants mandatory reporting to get a clearer picture—right now, it only sees data from [UK data watchdog] ICO, which doesn’t reflect the full scale of ransomware.
“About 2,500 UK companies reported that they were hit last year, which is low compared to the total number of businesses. But first, we need accurate data—then decide if stronger measures are needed.”
Lewis warned that pushing through legislation prematurely could backfire. “If firms are prevented from paying but aren’t supported, it could lead to job losses and public backlash,” he said. “This can’t be half-baked.”
The government is now reviewing responses from the consultation and is expected to announce its legislative intentions later this year. For businesses, the message is clear: prepare now. Build resilience, invest in off-site backups, and consider incident response strategies. Whatever form the new regulations take, change is coming.
Four key takeaways:
- Mandatory reporting is the most widely supported proposal and likely to be introduced first, enabling better data collection on ransomware incidents
- A targeted ban on ransom payments could reduce criminal incentives but risks harming unprepared organisations without sufficient support
- Authorisation regimes aim to slow payments but face criticism over feasibility, timing, and a lack of transparency
- International coordination is crucial—UK leadership on ransomware is welcomed, but risks being undermined if allies don’t follow suit