Assessing UK Ransomware Policy: Workshop Report

After several years of development, the UK government has launched a consultation on a set of legislative proposals that aim to reduce the impact of ransomware on the UK and increase the amount of intelligence available to operational agencies on incidents and payments. The consultation has three main proposals:

• A targeted ban on ransomware payments for regulated critical national infrastructure (CNI) sectors and the public sector.
• A new ransomware payment prevention regime, which would require victims to acquire authorisation from the government before they can proceed with a ransom payment.
• A mandatory ransomware incident reporting regime. 

The consultation on these proposals closes in April 2025. If legislated in their current form, the proposals would significantly change the experience of UK ransomware victims and arguably represent the most consequential intervention by any national government on ransomware to date. 

On 25 February 2025, RUSI convened a half-day workshop to assess the strengths and weaknesses of the government’s proposals. 38 participants took part in the workshop. Most were senior stakeholders from industry, including chief information security officers representing CNI sectors, and senior managers and practitioners from law firms, incident response firms, cyber security vendors and cyber insurers. Additional participants were drawn from regulators, civil society, UK government and UK law enforcement. This conference reports summarises the discussions at the workshop.