The UK government has set out plans to ban public-sector bodies from paying ransomware demands — and to introduce new rules that touch private businesses too. It's a significant shift in how the country responds to ransomware.

What's proposed

As reported by Reuters, public-sector organisations and operators of critical national infrastructure — including the NHS, local councils and schools — would be banned from paying ransoms to cyber criminals, with the aim of removing the financial incentive to attack them. For businesses not covered by the ban, the plans include a "payment prevention" regime requiring them to notify the government before paying a ransom (so authorities can advise and flag any sanctions risk), plus a mandatory incident-reporting regime. The proposals followed a public consultation in which most respondents backed the approach.

Why it matters to you

Even if your business wouldn't be covered by an outright ban, the direction of travel is clear: more reporting, more scrutiny, and a strong official steer against paying. Paying a ransom was never a reliable fix anyway — there's no guarantee of getting data back, and it may breach sanctions if the money reaches certain groups.

What this means in practice

  • Don't rely on paying your way out. Build the ability to recover without the attacker's cooperation.
  • Invest in offline, tested backups and a rehearsed plan to operate without IT for an extended period.
  • Know your reporting obligations and have a simple incident-response plan ready.
  • Focus on prevention — MFA, patching, staff awareness — so you never face the decision.

This is general information, not legal advice.


Source: UK plans to ban public sector bodies from paying ransom to cyber criminals — Reuters