Coalition’s Response to the UK’s Ransomware Consultation: An Opportunity to Prioritise Resilience and Recovery

The UK Home Office recently held a public consultation on three ransomware-related policy proposals as part of a national strategy to reduce payments to criminal actors and improve the quality of intelligence available to government agencies. Coalition submitted a formal response and is sharing its views publicly to promote transparency and facilitate a conversation on this important issue.
Ransomware poses a serious and growing threat to public and private institutions alike. We commend the UK Government for moving forward with efforts to address it. However, we also believe the path forward must first focus on improving cybersecurity resilience, rather than on restricting businesses’ ability to respond during a crisis. The goal should be to enhance organisations’ ability to prevent, survive, and recover from a ransomware event - not to inadvertently re-victimise them through inflexible or punitive regulations.
Below, we outline our perspective on each of the three proposals.
Proposal 1: Ban on Ransom Payments by Public and Critical Entities
Under this proposal, public sector bodies and owners or operators of critical national infrastructure (CNI) — including energy, healthcare, and telecommunications — would be prohibited from making ransomware payments using any funds, whether public or private.
We understand the rationale behind this idea. Banning ransom payments sends a strong message. Yet, a ban on payments is highly unlikely to reduce the volume of ransomware attacks, and may increase the harm caused to affected organisations and public services.
Ransomware actors are typically opportunistic. They exploit known vulnerabilities, such as unpatched systems or stolen credentials, rather than targeting organisations based on whether they are legally allowed to pay. A payment ban is unlikely to serve as a deterrent and could leave critical entities with no viable recovery options, thereby increasing the likelihood of prolonged outages or damage to public and critical services.
A payment ban would likely be ineffective for other reasons, including that such a policy does not address the root cause of the ransomware problem: widespread digital insecurity. Today, end users of technology bear the responsibility for securing the technology they use. But those end users — people and businesses — are often the least suited to take on that burden.
Cyber insurance intermediaries like Coalition see this every day. We share that security burden with our insureds; we alert them to security vulnerabilities relevant to their business, and help them remediate those vulnerabilities to prevent incidents that may force a payment decision. But no security is perfect. A payment ban would only re-victimise those businesses, forcing them into an impossible situation where paying a ransom may be the only thing that prevents them from permanently closing their doors.
Instead of a ban, we encourage governments to implement policies aimed at improving digital resilience. Funding for cybersecurity, investment in public sector defense capabilities, and recognising the value of risk transfer mechanisms such as cyber insurance should all be part of a comprehensive strategy.
Proposal 2: Payment Prevention Regime
This proposal would require entities not covered under Proposal 1 to notify authorities within 72 hours of receiving a ransom demand, seek government approval before making any ransom payment, and submit a more detailed report within 28 days. The regime would also give the government authority to block payments under certain conditions.
While we understand the intent — to increase visibility into payments and enable more strategic intervention — this approach also raises serious concerns about its potential to delay recovery and harm victims.
Organisations facing ransomware attacks are already under extreme stress. Their systems may be down, critical operations disrupted, and employees unable to work. Imposing rigid reporting obligations or requiring pre-approval during the early stages of incident response could slow decision-making at a time when speed and flexibility are critical. Worse, government intervention or delays in highly sensitive cases could hinder an organisation’s ability to resume operations, compromising public trust, economic stability, or national interests.
While this proposal appears less severe than a full ban, a payment prevention regime would still risk compounding harm to the public.
Proposal 3: Ransomware Incident Reporting Regime
This proposal would require all organisations affected by ransomware incidents to report the attack to relevant authorities, regardless of whether they decide to pay. Reporting obligations could apply broadly or be limited to businesses above a certain size, within certain sectors, or where ransom demands exceed a specific threshold.
We support this proposal in principle. Accurate and timely reporting is essential to building a national picture of ransomware threats and improving both public and private responses.
However, an effective policy must carefully balance intelligence needs with practical realities.
We recommend structuring the reporting regime as follows:
Scope: Apply reporting requirements to midsize and larger organisations, using sector-specific revenue thresholds to define applicability. This avoids placing additional burdens on smaller businesses that may lack the resources to comply.
Content: Limit reporting to essential information that can inform actionable threat intelligence, such as the nature of the incident, ransom amount, amount paid (if any), threat actor (if known), and for CNI organisations, operational impacts.
Confidentiality: Allow organisations to elect to submit certain report elements confidentially, particularly information that, if disclosed, could exacerbate the incident’s damaging effect — such as trade secrets or business-sensitive data.
Timing: Relax the tight timelines. The proposed 72-hour reporting deadline, with a final report due within 28 days, may be overly ambitious. Experience in other jurisdictions reinforces that view: for example, nearly 30% of mandatory reports filed pursuant to Australia’s Security of Critical Infrastructure Act 2018 are late. We understand the proposed timeline may align with other complementary reporting requirements; however, our experience with incident recovery indicates that these timelines could be challenging for many organisations. Instead, we recommend requiring businesses to report only the fact of an incident within 72 hours, with all other known details submitted within 28 days. Importantly, victims should be required to report only the information known at the time of submission, eliminating the need for costly and burdensome re-filings as new details inevitably emerge over the course of what may be a months-long recovery process.
If implemented thoughtfully, a ransomware incident reporting regime can offer high value to both regulators and businesses while limiting administrative overhead and enabling a faster, more unified response to threats.
Additional Recommendations
In addition to our responses to the three proposals, we encourage a broader policy framework aimed at supporting resilience and incident preparedness. We recommend the following:
Invest in Resilience: Policies should encourage proactive defense, not just reactive response. Tax credits or funding support for security improvements — especially within critical infrastructure sectors — can incentivise organisations to strengthen their defenses before attacks occur.
Clarify Responsibility: Reporting obligations should remain with the victimised entity, even if payments and recovery are facilitated by a third party, such as an incident response firm. This helps preserve accountability and avoids confusion in meeting legal obligations.
Victim Consideration: Policies should strike a careful balance between encouraging compliance and recognising the difficulties organisations face in the wake of an attack. We recommend an education-first approach to implementation and enforcement, particularly during the initial stages, to ensure that affected entities understand their reporting responsibilities and have the tools to meet them.
Conclusion
Ransomware continues to present a significant disruptive cybersecurity threat worldwide, and we commend the UK Government’s engagement with the community as part of this consultation process.
We believe that policies aimed at banning or restricting payments, especially without first addressing fundamental weaknesses in organisational cybersecurity, will not deter attackers, and may, in some cases, cause more harm to victims.
The path forward must prioritise resilience, incident preparedness, and fair, practical governance. With collaboration between government, industry, and cyber insurers, we can better manage ransomware risks, help victims recover more quickly, and build a more secure digital environment for the future. Coalition will continue to engage with policymakers and guide businesses as they navigate this evolving threat landscape.