The Cybersecurity Coalition submitted comments to the Home Office’s open consultation on Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting.  

The consultation sought feedback on three distinct, but complementary, proposals designed to disrupt the ransomware business model: 

  1. A targeted ban on ransomware payments, applicable to all public sector bodies and Critical National Infrastructure (CNI) owners and operators.
  2. A ransomware payment prevention regime, requiring any victim not covered by the payment ban described in Proposal 1 to notify authorities and report their intent to make a ransomware payment before any money is transferred to cybercriminals.
  3. A ransomware incident reporting regime, mandating that all suspected ransomware victims – regardless of whether they are prohibited from making a payment – report the incident to the relevant government entities. This includes an initial report within 72 hours and a full report within 28 days.

Moving forward, the Home Office may decide to introduce legislation based on the consultation. The Home Office provided assurances that it would work with the Department for Science, Innovation and Technology (DSIT) to harmonise any new legislation with the upcoming Cyber Security & Resilience Bill (CSRB), which also contains incident reporting requirements. 

This consultation is part of the United Kingdom’s larger effort to lead and coordinate the global response to ransomware crime through the Counter Ransomware Initiative (CRI), a multilateral forum focused on developing new approaches and processes to combat ransomware. As co-lead for CRI policy development alongside Singapore, the United Kingdom played a key role in the November 2023 joint statement condemning ransomware payments and opposing the use of central government funds to pay cyber criminals. The United Kingdom also led the development of the October 2024 CRI guidance for organizations during ransomware incidents, which provides a holistic overview of the steps organisations should explore before considering paying a ransomware criminal. 

While the Coalition is broadly supportive of the United Kingdom’s proposals, comments highlighted several concerns, including: 

  • The Home Office’s foundational assumptions about ransomware actors’ motivations.
  • The scope of entities to which the proposals would apply.
  • The limited resources available to UK government bodies to effectively implement and manage the proposals.
  • The penalties for non-compliance.
  • The adequacy of legal protections for organisations covered by the proposed measures.

The Coalition also urged the United Kingdom to provide clearer guidance and operational support to help entities prevent and mitigate ransomware incidents. Specifically, we recommend that the United Kingdom expand educational programs to help organisations – especially small and medium-sized enterprises (SMEs) – adopt existing cybersecurity best practices since many are currently under-implemented. We suggested that these efforts could align with the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme.  

Additionally, we proposed the creation of a centralized service to negotiate with ransomware actors on behalf of victims. Leveraging professional negotiators would ease the burden on affected organisations, improve outcomes, and potentially deter attackers by removing opportunities to exploit inexperienced victims.

Luke O'Grady
