
UK Government Issues Response to Public Ransomware Consultation

Sezaneh SeymourJuly 28, 2025

On 22 July, the UK government published its official response to the recent public consultation on proposed ransomware legislation. These proposals aim to reduce payments to cyber criminals and improve incident reporting. The government received 273 submissions, with Coalition among the respondents. Notably, the public comment period ended before the recent wave of ransomware attacks targeting retailers.

The UK government concluded that there is enough support to proceed with mandatory incident reporting and restrictions on ransomware payments. While the specific details are still under development, it appears likely that the government will impose a ban on ransomware payments by public sector and critical infrastructure organisations, except in cases that meet specific exceptions. We also anticipate a more comprehensive reporting regime for both incidents and payments.

We support the UK government’s objectives to reduce payments within the ransomware ecosystem and to improve reporting. However, as we explain in our submission, we continue to have concerns that a payment ban is not an effective policy and may limit victim options while increasing harm to the public. Government-imposed delays, particularly in highly sensitive cases, risk hindering an organisation’s ability to resume operations quickly, which may compromise public trust, economic stability, and national interests. 

Our experience shows that ransomware is a complex challenge that requires nuanced policy responses. Strengthening resilience across businesses and critical infrastructure should take priority over restricting payments. A focus on resilience better equips organisations to prevent, withstand, and recover from ransomware events without increasing risk to those who have already been victimised. 

Cyber insurance providers play a key role in addressing this challenge. The underwriting process helps UK companies improve their resilience, and policies help fund incident response support, which may include everything from guidance during and after a cyber attack to negotiations with threat actors and ensuring compliance with sanctions checks.  

We will continue to share our experience and expertise with the goal of helping shape pragmatic policy that achieves the UK government’s policy objectives, which we share.

Overview of proposals and consultative responses

Proposal 1

The government proposes a targeted ban on ransomware payments for all public sector bodies, including local government, as well as for owners and operators of regulated critical national infrastructure. Nearly three-quarters (72%) of respondents supported implementing this ban. Most respondents believed such a ban would reduce the flow of money to ransomware criminals and would deter attacks against these organisations. Many agreed that the ban should include supply chain organisations, though some flagged challenges with defining and enforcing the scope. Respondents stressed the need for clear guidance, tailored support, and proportionate penalties to avoid further penalising victims. This formalises the current HMG guidance to public sector firms not to pay ransomware extortion demands. 

Proposal 2

This proposal describes permutations of a ransomware payment prevention regime. The most supported option would require all organisations and individuals not covered by any targeted ban to report their intention to pay a ransom and pause for government review. About 47% supported an economy-wide payment prevention regime, while opinions were mixed on other, threshold-based approaches. Respondents raised concerns about the potential for attackers to shift targets and about the need for clear, timely processes. Most agreed that any compliance or enforcement measures must be accessible, proportionate, and tailored to the organisation or individual.

Proposal 3

This proposal describes a threshold-based, mandatory ransomware incident reporting regime, moving away from voluntary reporting. About 63% of respondents supported an economy-wide reporting requirement for all organisations and individuals. Most respondents saw this as an effective way to improve the government’s ability to understand and respond to the ransomware threat. Support for civil penalties outweighed support for criminal penalties for non-compliance, and most called for additional guidance and assistance to support compliance.

Future-proofing your cyber risk management

The news provides the ideal opportunity to review the potential impact of the proposals while assessing your cyber risk. 

Cybersecurity

According to Coalition’s data, the three most common technologies to be exploited for ransomware are virtual private networks (VPNs), remote desktop software, and email. Coalition’s cyber risk assessments are a helpful tool for guiding cybersecurity discussions around ransomware, as they can identify potential vulnerabilities related to these technologies.

Read more about understanding and protecting against ransomware risks in Coalition’s Cyber Threat Index 2025.

Data security and backups 

In a ransomware attack, the threat actor will typically encrypt an organisation’s data, effectively holding it to ransom. This is just one reason why regular data backups are important, and why they should be tested often and stored securely.

Reliable backups can be the last thing standing between an organisation and a ransom payment. Ransomware gangs use this to their advantage — 94% of organisations hit by ransomware in the past year said threat actors targeted their backups during an attack.

Threat actors also target backups that live within the same network as the systems they encrypt. Small businesses should implement cloud-based backups so that their data can be restored if they are ever locked out of their systems or their on-premises data is erased.

One way to ensure backups aren’t all compromised at once is to follow the 3-2-1 rule: keep three copies of critical business data (the original plus two backups), store them on at least two different types of storage media, and keep one copy at an off-site location.

Incident response planning

Even with the best preventive measures, no organisation is immune to an attack. However, when adequately prepared, a business can minimise the damage and bounce back faster from an incident. 

Every organisation should consider creating a robust cyber incident response plan that includes how it would respond to a ransomware attack. With the government proposals in the news, it’s a great time to review your security posture, and it provides a useful driver for creating, updating, and testing an incident response plan. Tabletop exercises with senior executives are critical for testing the plan. This process should include an assessment of where your sensitive data currently lives and how it would be affected if you were to experience an incident.

Information on how to meet government requirements should now also be part of every plan. Most cyber insurance policies include resources to secure breach counsel and other experts to help businesses understand and comply with legal obligations.

Cyber insurance

If you have a cyber insurance policy, check the ransomware coverage to determine what is included in the cover. During a claim with Coalition, our expert team will take steps to diagnose and eradicate the threat, remediate the systems and work with stakeholders to get the policyholder up and running again. Our experienced claims team will support you in managing the changing legal requirements of an incident, including providing Coalition Incident Response* ransomware specialists. 

Discover how we have handled ransomware incidents for our policyholders in our case studies.

*Incident response services provided through Coalition Incident Response UK Ltd. (CIR UK), an affiliate of Coalition, Inc, and are offered to Coalition policyholders via panel selection. Coalition is the marketing name for the global operations of affiliates of Coalition, Inc.