In this insight, we explore the UK’s proposed ransomware legislation and what it could mean for organisations. We look at three key proposals: a potential ban on ransom payments, a regime to prevent payments under certain conditions, and mandatory incident reporting. The article also considers how these changes could affect cyber response planning, legal risk, and business continuity.

The UK moved a step closer to introducing new ransomware payment law following the Home Office's consultation response published in July. The proposals are part of a wider approach to address cyber threats to the economy and national security, which include a pipeline of guidance from the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT) (see our insight on the NCSC's Cyber Governance Code of Practice).

The ransomware legislative proposals run alongside the hotly anticipated UK Cyber Security and Resilience Bill (CSRB) expected later this year (read more about the proposals). The Home Office has said it will seek to align the ransomware law proposals with the CSRB, especially where there are overlapping elements such as reporting obligations.

How does ransomware work?

  1. Access: Cyber attackers gain access to an organisation's network, establish control and plant malicious encryption software. They may also take copies of data and threaten to release it.
  2. Activation: The malware is activated, locking devices and causing the data across the network to be encrypted, meaning you can no longer access it.
  3. Ransom demand: You will then usually receive an on-screen ransom note from the threat actor, explaining the demand and how to make the payment to unlock the devices or regain access to the data. Payment is typically demanded through an anonymous web page and in cryptocurrency, such as Bitcoin.

Ransomware payments

During a cyberattack, the need for business continuity and the commercial value or sensitivity of compromised or exfiltrated data can lead organisations to conclude there is no option but to pay the threat actor. The pressure exerted by the attackers at the time of the incident, when the business is under extreme stress and often in existential crisis, can compel a payment.

The making of ransom payments is already discouraged by the UK government, the Information Commissioner's Office (ICO), the NCSC and the Law Society. However, in the UK it is generally not illegal for an organisation to make a ransom payment using its own lawfully obtained funds. It is critical though to consider relevant financial sanctions regimes and counter-terrorist financing legislation when making a decision about paying a ransom (read more in our insight How to deal with a cyber incident).

Proposals for ransomware law

There are three proposals:

  1. a ban on ransomware payments for owners and operators of regulated critical national infrastructure (CNI) and the public sector;
  2. a payment prevention regime; and
  3. a mandatory incident reporting regime.

When finalised, these would be the first measures in UK law specifically aimed at ransomware. The aim is to deter ransomware-related behaviours and threats and so undermine the business model of the threat actors orchestrating these attacks. Collaboration with industry will continue as the proposals are developed further.

Proposal one: Ransomware payment ban

If a ransomware payment ban is imposed, in-scope organisations would be unable to make a payment to a threat actor in the event of a ransomware attack.

Overall, 72% of respondents agreed that a targeted ban should be implemented. Less than a quarter of respondents disagreed. It is worth noting however that the consultation closed before the cyber attacks on the retail sector in the spring, and other recent incidents.

Is a ban the right approach?

Opponents argue that a ban may unintentionally worsen outcomes for victims. There are concerns that forcing victims not to pay (or delaying payments via regulatory "pause" rules) could prolong system outages, escalate operational, reputational or safety risks, and could potentially "re-victimise" already compromised organisations.

Further concerns about a ban shared in the consultation response arise in relation to:

  • How the regulated scope will be defined. What counts as CNI? What about supply chains?
  • Whether a disproportionate burden will be placed on smaller organisations.
  • What the extra-territorial effect will be. Will an overseas company providing a critical service into the UK, but with no registered UK entity, be in scope? How can a UK legal ban be enforced against overseas entities?
  • Liability risks - for example, for financial institutions instructed to process payments later discovered to be illegal.
  • The risk that cyber criminals will simply shift attacks towards private entities or sectors outside the ban.
  • Added pressure on stakeholders when a cyber attack hits, at the height of the crisis. On top of the reporting considerations (likely to be tightened under the proposals), the consequences of non-compliance with a ban will need to be weighed up quickly.

Proposal two: Payment prevention regime

The proposed payment prevention regime would require ransomware victims (not subject to the ban) to notify authorities of any intention to pay a ransom. Authorities would then check if there were any reasons to prevent such payment, such as sanctions.

Feedback on this proposal was mixed. The consultation presented a number of options for the payment prevention framework: an economy-wide regime, a regime with thresholds, and a regime excluding individuals or certain organisations. The economy-wide regime attracted the most support, because any narrower scope risks displacing attacks onto the entities left outside it. Significant practical concerns were raised about how the regime would work in terms of timing, resources and the burden on smaller businesses.

The Home Office will continue to explore how to implement a payment prevention regime, but the likely outcome is an obligation on more organisations to disclose an intended ransom payment to the authorities before making it.

Proposal three: Mandatory incident reporting

A mandatory 72-hour reporting regime for all ransomware victims, regardless of whether they intend to pay, is proposed, with a detailed follow-up report within 28 days. There was strong support for this in the consultation response. Reporting is intended to aid real-time intelligence gathering, improve national awareness of the threat landscape and lead to closer alignment with law enforcement and the ICO.

The CSRB is expected to introduce a new 24-hour "early warning" reporting obligation for CNI, so it remains to be seen how this will tie in with the proposed ransomware reporting requirements.

Next steps

A criminal offence for non-compliance with the ban is under consideration, particularly where an organisation is told by the authority not to make a payment and proceeds in any event. Fines for non-compliance are likely in relation to all three proposals, as are other civil sanctions, such as disqualification from board membership or other governance penalties.

Organisations must continue to prioritise investment in and development of cyber security and resilience measures, such as incident response planning and testing, and cyber risk training for the workforce, to build a stronger cyber posture. In practice, that means a playbook that already records who decides on a ransom demand, how sanctions and counter-terrorist financing checks are carried out, and how a 72-hour notification would be met. This has a dual benefit: the organisation is response-ready amid the current heightened cyber threat landscape, and well positioned for the tightening of cyber regulation on the horizon.

Need support navigating the UK’s evolving ransomware rules? Reach out to Patrick Arben or a member of our Cyber Security and Resilience team.