Introduction

Ransomware attacks have become a pervasive threat in today's digital landscape, incapacitating organisations with sometimes devastating consequences. Meanwhile, governments worldwide are grappling with the conundrum of how far they should seek to legislate to ban, or at least dissuade, the payment of ransoms, which ultimately fuel this widespread criminal enterprise.

According to anonymous sources cited by The Record, the UK Government intended, at the time of publication, to seek views, via an upcoming public consultation due to be published next month, on mandatory ransomware attack reporting in the UK. The Record's article was published before the announcement of a UK general election on 4 July.

Further, on 28 May 2024, Stephen McPartland MP published the McPartland Review of Cyber Security and Economic Growth (https://www.stephen-mcpartland.com/images/stories/News24/240528_McPartland_Review.pdf) following a "Call for Views" on the Government website and a series of 26 evidence sessions with industry participants including business organisations, academics, law firms, IT (including forensics) providers, and insurers. The Review included specific recommendations that the Government "tighten the rules" on ransom payments, by increasing reporting obligations and potentially seeking market-driven "rewards" for organisations which resist extortion attempts, such as lower insurance premiums.

Currently in the UK, the payment of a ransom (in and of itself) is not illegal; but there are a number of other elements (such as terrorist financing and sanctions) that may nevertheless render this option illegal, as well as associated AML considerations.

The reported proposals, which may be included in a future public consultation, go further and include a scheme whereby victims would need to seek a licence to make any ransom payment, as well as a complete ban on ransom payments for organisations involved with critical national infrastructure.

The proposals being discussed

It is understood that the current proposals include a more comprehensive mandatory reporting regime (there is currently no obligation to report ransom payments separate from more general incident reporting obligations under GDPR or sector-specific regulation, or as part of AML reporting or where sanctions issues arise), licensing schemes, and a complete ban.

It is thought that mandatory reporting (as has been recommended in the McPartland Review) would provide a more comprehensive understanding of the ransomware threat landscape facing the UK: the ICO has confirmed that 2023 was a record year for ransomware reports, and various other statistics have been published highlighting the significant year-on-year increase in the volume of attacks and the overall amount paid in ransom payments.[1] Gaining further insight into this type of cybercrime could help develop more effective counter-ransomware strategies. A 2022 report by a US government agency, the Cybersecurity and Infrastructure Security Agency (CISA), emphasised the importance of collaboration and cooperation between victims and law enforcement.

There is little detail yet as to how a ransom payment licensing scheme might work, and observers may well note that ransom decisions are often time-sensitive; any scheme which requires consent from a public licensing body may have the effect, practically speaking, of making the "don't pay" decision for an organisation. Of course, dissuasion may be part of the intention, especially as one of the other ideas mooted for inclusion is a complete ban on payments.

On the one hand, proponents of a ban on ransomware payments argue that such a measure would undercut the financial ecosystem that fuels these cyberattacks. Ransomware thrives on the profitability of extorting victims. By eliminating the financial incentive, the argument goes, cybercriminals would be deterred from launching these attacks in the first place.

A 2020 report by the Royal United Services Institute (RUSI), a leading British defence and security think tank, underscored this point. The report highlighted the need to disrupt the ransomware economy, advocating for measures that "target the financial infrastructure used by ransomware actors, making it more difficult for them to collect and launder ransom payments". This was more recently revisited in a RUSI debate featuring Ciaran Martin (ex-head of the UK NCSC, who recently advocated for a total ban in a Times op-ed) and Jen Ellis (co-chair of the Institute for Security and Technology's Ransomware Task Force).[2]

Opponents of a ban on ransomware payments argue (amongst other things) that such a policy could have unintended consequences, including potentially encouraging threat actors to design their attacks around the criteria for granting a licence, as well as pushing desperate victims towards even more dangerous and/or illegal avenues to recover their data. Additionally, a complete ban could disincentivise victims from cooperating with law enforcement investigations, proving counterproductive to the intelligence-gathering aspect of the mandatory reporting element. It could also have wider destabilising national and indeed international impacts, if the option of paying a ransom were removed for all entities, including critical parts of the economic, defence or utility infrastructure which fall victim to ransomware attacks.

Politics intervenes

The UK government publishes public consultations relating to future policy development on a semi-regular basis, and there is no guarantee that proposals put out to consultation will be taken up in legislation. However, consultations do at least demonstrate the areas that the government of the day is focused upon and the approaches under consideration; in the medium term, such consultations may demonstrate a "direction of travel" even if individual proposals are not taken up.

However, on 22 May 2024 the UK prime minister, Rishi Sunak, announced a general election to take place on 4 July 2024. As a result, any future UK legislative initiatives, whether via a public consultation and/or on the back of the McPartland Review, are likely to be on ice until the outcome of the election is known and a future parliament is sworn in.

[1] Chainalysis, Crypto Crime Report: Ransomware payments top $1 billion in 2022-23 (https://go.chainalysis.com/rs/503-FAP-074/images/The%202024%20Crypto%20Crime%20Report.pdf?version=0); Akamai Research: Rampant Abuse of Zero-Day Leads to 143% Increase in Victims of Ransomware (https://www.akamai.com/resources/state-of-the-internet/ransomware-on-the-move)

[2] Online Debate: Should the Government Ban Ransomware Payments? (https://my.rusi.org/events/online-debate-should-the-government-ban-ransomware-payments.html)

Key contacts

Andrew Moir, Partner, Intellectual Property and Global Head of Cyber & Data Security, London

Peter Dalton, Partner, London

Ridvan Canbilen, Associate, London