Sponsored

The battle against cybercrime – new government proposals

Author: Mitigo

Published: 25 Feb 2025

Sponsored by Mitigo Cybersecurity

ICAEW has partnered with Mitigo to offer specialist cyber risk management services for the accountancy profession with exclusive discounts for members. To book a free no-obligation consultation or find out more about Mitigo's cybersecurity services, email icaew@mitigogroup.com or call 0208 191 0936.

In January 2025, the UK government announced proposals for legislation intended to curb the rising threat of ransomware attacks against organisations in the UK. The proposals include a ban on ransom payments by public sector bodies and the introduction of new mandatory reporting and payment prevention regimes for the private sector.

What is the problem?

Cybercrime is a sophisticated business, run by organised criminal gangs, many of which are based in Russia. In recent years there has been a dramatic increase in ransomware attacks globally. In this type of attack, malicious software encrypts the victim’s data or locks them out of their systems. Before encryption, a copy of important client and proprietary data is also stolen. The attackers then demand a ransom payment in return for restoring access to the systems or data, and for not publishing the stolen confidential data on leak websites run by the criminals. This “double extortion” technique leaves companies at the attackers’ mercy even if they can restore their systems from back-ups.

A notable development has been the rise of ransomware as a service (RaaS), a business model in which ransomware tools are rented or sold on the black market to affiliates. The affiliates break into victims’ computers and deploy the ransomware, in effect acting as lead generators, and then share the proceeds with the more sophisticated operators who negotiate the ransom payments. Payment demands run from hundreds of thousands to many millions of pounds.

Why do organisations pay the ransom demands?

Ransomware attacks are among the most frightening cyber incidents. A business can be brought to a standstill, face financial ruin, and have its client relationships and reputation wrecked, so the stakes are high. Decisions about the very survival of the business need to be taken quickly against a ticking clock. The ICO, law enforcement agencies and sector regulators have always discouraged payment on the grounds that it incentivises more of the same illegal activity. Despite this, it is hardly surprising that firms feel compelled to pay in order to get their business functioning again and in an attempt to protect their clients.

So what is the government proposing now?

There are three main proposals.

  1. A targeted ban on ransomware payments for all public sector bodies and critical national infrastructure (“CNI”). This expands the existing ban on ransomware payments by government departments. The idea is to make these organisations, which the country relies upon, unattractive targets for ransomware criminals. 
  2. A ransom payment prevention regime. This would include notifying an intention to pay the ransom before actually doing so. The idea is to allow law enforcement to review the proposed payment to see if there is a reason to block it, for example if it breached sanctions, as well as increasing the National Crime Agency’s awareness of live attacks and the financial demands. 
  3. A mandatory reporting regime for ransomware incidents. The idea is to provide intelligence to law enforcement agencies to warn of emerging threats and target investigations into organised ransomware groups. 

Will it work?

These proposals are well intentioned. But cybercrime is sophisticated, organised and extremely lucrative, and it is not going away. A complete ban on payments by the public sector and CNI would have to be complied with. But whether a ransomware attack targets the public or the private sector, preventing payment will not in itself stop criminal gangs from capitalising on the stolen data, for example by selling it on to facilitate other serious crime such as card-not-present fraud, identity theft, or using stolen usernames and passwords to get into bank accounts.

A complete ban on the public sector and CNI paying ransomware demands may result in attacks being redirected against businesses in the private sector, with accountants a prime target. Indeed, many researchers have already found evidence that ransomware gangs have become wary of the attention of law enforcement agencies (which reserve most of their resources for large infrastructure attacks) and have shifted their focus to small and medium-sized organisations. These can be particularly vulnerable because they often rely solely on their external IT support companies and therefore do not have the right protections in place. So although the press headlines feature the high-profile attacks against public bodies, the reality is that the overwhelming majority of ransomware attacks are against businesses in the private sector.

The proposals to make it mandatory for the private sector to report ransomware incidents to the authorities and to notify an intention to pay a ransomware demand before doing so, would create an additional burden on the victim firm, on top of the stress of negotiating with the criminals over payment and trying to limit the damage and disruption to its business and client affairs. Of course it would still have reporting obligations to the ICO, ICAEW, clients (where appropriate) and supply chain.

And what if the payment is blocked? It could be the difference between the firm surviving or not. Firms decide to pay ransomware demands because commercially they feel forced to. Losing all client data and access to systems could leave the firm permanently crippled. It should also be borne in mind that these proposals only relate to ransomware attacks. Cybercrime and cyber disruption involve a much fuller range of attacks which these proposals do not touch. For professional service firms, the most common form of attack is email account takeover, where the criminal gains access to the firm’s email, frequently resulting in data and financial loss.

What else is the government saying to businesses about cyber risk management?

In January 2025 the government confirmed it is issuing The Cyber Governance Code of Practice, which substantially follows the draft code issued in 2024. This formalises the government’s expectations regarding an organisation’s governance of cyber security and sets out clear actions that directors, non-executive directors and senior leaders need to take to meet their responsibilities in managing cyber risk. This highlights the fact that cyber risk should have the same prominence as financial or legal risks, and the responsibility and ownership of cyber resilience is a board level matter.

The code comprises five principles which are each underpinned by various actions. The principles are risk management, cyber strategy, people, incident planning and response, and assurance and oversight. It should be essential reading for all senior business leaders (and the ICO will take it into account if there is a data breach - see for example the judgement in the Interserve £4.4m fine case).

What should firms be doing?

The bottom line is that firms should prioritise the prevention of cyber breaches in the first place. Cyber risk management should be right at the top of every firm’s risk register and have the attention of senior leadership. Prudent management requires getting suitably qualified experts to provide visibility of your firm’s cyber risk and independent assurance that the right protective measures are in place, with periodic reviews to prove their continued effectiveness.

Get expert support

Speak to our dedicated ICAEW team to book your free no obligation assessment to identify areas of vulnerability. Contact Mitigo on 0208 191 0936 or email us.