What the UK’s ransomware payment ban means for the insurance industry

The UK government is proposing a targeted ban on ransom payments by public sector bodies and critical national infrastructure operators, along with mandatory incident reporting for ransomware victims, raising urgent questions about how businesses should manage their cyber risk.

Cyber Article 6 min Tue, Aug 26, 2025

The UK government has released plans to outlaw ransomware payments by public sector bodies and critical national infrastructure (CNI) operators. This forms part of a broader three-pronged strategy to curb cybercrime and bolster national cyber resilience. First, a targeted ban will prohibit ransomware payments by public sector bodies and CNI operators. Second, a ransomware payment prevention regime will require victims outside the ban to engage with authorities and report their intention to make a payment before doing so. Third, mandatory reporting of ransomware incidents and payments will be introduced across sectors.

The finer details of these proposals are still in development, including exactly which organisations will be covered by the ban and how the new reporting obligations will affect supply chains and operational workflows. But the direction of travel is clear: this marks a shift in how cyber risk is expected to be managed.

Strengthening cyber resilience and transparency

Ransomware attacks continue to cause widespread disruption across the UK, with public services, businesses and critical infrastructure frequently targeted by increasingly sophisticated threat actors. By banning payments from public sector organisations and requiring other victims to engage with authorities before making any payment, the government is aiming to disrupt the financial incentive that fuels these attacks. The intended effect is twofold: public bodies become less attractive targets, and victims come into contact with law enforcement and the NCSC earlier, when support can still reduce the overall impact of an attack.

Mandatory reporting of both ransomware incidents and payments could also lead to a more transparent and collaborative cyber landscape. Organisations have historically been reluctant to disclose attacks due to reputational concerns, but these proposals may help destigmatise victims and foster a culture of openness. Over time, this could boost collaboration between the government and UK businesses, empowering victims with better information in critical moments.

Complex risks and unintended consequences

While the proposals aim to disrupt the ransomware economy, they also introduce new risks – especially for organisations caught in the crosshairs of an attack. A ban on ransom payments, even if initially limited to the public sector and CNI, could leave victims with no viable recovery option. Few smaller organisations have the resources and expertise to contain and recover from an attack effectively, and the inability to pay could result in permanent data loss or even business failure. This is especially concerning in cases where attacks exploit zero-day vulnerabilities or third-party weaknesses beyond the victim’s control. Moreover, as threat actors increasingly rely on data theft and extortion rather than encryption alone, a payment ban does not remove the leverage of a stolen data set: criminals may simply shift tactics and monetise stolen data in other ways, through sale, leak sites or extortion of the victim’s customers and partners, rather than abandon the threat.

There are also concerns that mandatory reporting and payment restrictions could drive ransomware responses underground. Organisations may fear reputational damage or regulatory scrutiny, prompting them to under-report or mislabel incidents, which would undermine the very transparency the legislation seeks to promote. Without robust support systems – such as state-backed prevention measures, clear guidance and well-resourced incident response planning – victims may be left navigating high-stakes crises alone. For the legislation to succeed, it must be accompanied by practical tools and protections that help organisations respond lawfully and effectively when under attack.

Next steps for UK businesses

The cultural change needed to improve cyber risk mitigation takes time. With the legislation still in development, UK businesses should begin preparing now. The proposed removal of ransom payments as a recovery option means a swift, well-coordinated response is more vital than ever. That starts with understanding the proposed legislation and taking a proactive approach to cyber resilience – developing and rehearsing incident response plans, ensuring regulatory compliance, and building recovery strategies that do not depend on the attacker, above all backups that are kept offline or immutable and whose restoration is tested regularly. A backup that has never been restored is an assumption, not a recovery plan. A well-prepared response plan can contain damage, support recovery and help meet legal obligations, especially when ransom payments are off the table.

Cyber insurance is another critical tool. It not only provides financial protection but also gives businesses access to specialist support during an attack. Experienced incident response teams – often included in comprehensive cyber policies – can assess the situation, identify the root cause and determine whether recovery is possible without paying a ransom. They can also advise on legal and regulatory implications, such as whether the threat actor is a sanctioned entity; a payment to a sanctioned party is already unlawful under existing UK sanctions rules, independently of the proposed ban. For public sector bodies and SMEs alike, having the right insurance in place means being equipped to explore every recovery route, from data restoration to recreation. Ultimately, these steps align with the government’s broader mission: to disrupt cybercrime while safeguarding the resilience of UK businesses.
