🚨UK Government Proposes New Law to Combat Ransomware Threats🚨

The UK Home Office has announced ransomware legislative proposals aimed at reducing payments to cybercriminals and increasing incident reporting requirements. A public consultation on the proposal is currently open for feedback.

The NCSC reported an increased number of ransomware incidents in 2024, at 317.[1] This highlights the rising threat of ransomware attacks and the financial burden they place on businesses and individuals.

A key element of the proposal is a threshold-based mandatory reporting requirement for suspected victims of ransomware. This could be compared to the mandatory data breach reporting requirement (under which over 20,000 incidents were reported to the ICO between 2023 and 2024).[2] Compelling organisations to report ransomware incidents within a specified timeframe could improve transparency and intelligence, allowing authorities to assess the scale of cyber threats more accurately.

Another significant aspect is the potential introduction of a payment prevention regime, which would restrict or regulate the payment of ransoms to cybercriminals. It seems the rationale behind this is to disrupt the financial incentives driving ransomware attacks, thereby deterring cybercriminals from targeting UK organisations in scope.

These proposals signal a shift towards stricter cybersecurity governance. Mandatory reporting ensures that businesses are more accountable for their cybersecurity practices, while also fostering a collaborative environment for threat intelligence sharing. This is likely to encourage organisations to enhance their incident response strategies and invest in robust cybersecurity measures to mitigate potential regulatory penalties and reputational damage.

The implications for deterrence are notable. By mandating incident reporting and restricting ransom payments, the government seemingly aims to reduce the profitability of ransomware attacks, making them less attractive to cybercriminals. This shift aligns with existing data protection legislative frameworks and emphasises the importance of proactive cybersecurity measures.

For more details, refer to the full consultation information here.


[1] https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024/chapter-01

[2] https://ico.org.uk/action-weve-taken/data-security-incident-trends/
