The UK’s ransomware crackdown could reshape cyber risk and reporting duties for payments firms.
The UK government has announced it’s moving ahead with plans to combat the growing threat of ransomware by introducing measures that could reshape how organisations respond to attacks, including new obligations for businesses that choose to pay ransom demands.
Following a public consultation, the Home Office set out proposals on July 22 to ban public sector bodies and operators of critical national infrastructure from paying ransomware demands, and to require private businesses to report any intention to pay.
Security Minister Dan Jarvis said the new measures will “smash the cyber criminal business model” and protect essential services from disruption.
“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” he said.
While public sector bodies like the NHS, schools and local councils would be banned from paying ransoms entirely, private sector companies would be required to notify the government before doing so.
The government believes this would allow the authorities to offer guidance, particularly in cases where a ransom payment might inadvertently fund sanctioned entities, many of which are believed to operate from Russia.
Mandatory reporting of ransomware incidents, another proposal backed by consultation respondents, would give law enforcement greater visibility over the threat landscape and improve national cyber resilience.
Past examples
Although payments firms are typically prepared for cyber threats, recent incidents show even the most sophisticated companies remain vulnerable.
One of the most high-profile examples came on New Year’s Eve 2019, when global payments and foreign exchange provider Travelex was hit by the Sodinokibi/REvil ransomware gang.
Online currency-exchange kiosks, card issuing and reconciliation systems were taken offline, leaving Travelex unable to serve customers across its UK high-street locations and partner banks.
The company reportedly paid around $2.3m in Bitcoin to get its systems back, but the damage didn’t stop there. According to reports, the incident, combined with the pressures of the COVID-19 pandemic, forced Travelex into administration, resulting in the loss of over 1,300 jobs.
Backers of the rules
The British Library, which suffered a serious ransomware attack in 2023, publicly supported the government’s move. Chief Executive Rebecca Lawrence said the institution “did not engage with the attackers or pay the ransom” and is committed to sharing its experience to help build collective resilience.
The National Cyber Security Centre (NCSC) has welcomed the new approach, warning that ransomware “remains a serious and evolving threat.” Director of National Resilience Jonathon Ellison said all organisations should use schemes such as Cyber Essentials and the Early Warning service to build readiness.
Retailer Co-op also backed the announcement, with CEO Shirine Khoury-Haq noting the “damage and disruption” cyber attacks have caused across the sector.
While these new measures may help improve the UK’s overall defence against ransomware attacks, payments companies can expect tougher compliance and reporting rules. Firms will need to notify the government before making any ransom payments and submit detailed reports after an incident.
One potential challenge is that waiting for government approval before paying a ransom could cause delays, leading to longer service disruptions.