Pentiq

UK Ransomware Policy: What Organisations Should Do Now

The UK ransomware payment ban, notification regime and mandatory reporting requirements explained — plus the controls that materially reduce impact.

Author: Lewis Warner

The end of the quiet-payment playbook — and what to do instead.

Ransomware has been the dominant cyber threat to UK organisations for several years, and the policy response has now caught up with the threat. The Home Office consultation that ran from January to April 2025, the Government response published in September 2025, and the alignment with the forthcoming Cyber Security and Resilience Bill together mark the most significant change to the UK's ransomware posture in a decade. The era of organisations quietly paying ransoms — sometimes on the advice of their cyber insurers — is ending.

This article sets out what is changing, why ransomware has become a governance issue rather than a purely operational one, and which controls materially reduce the impact of an incident regardless of the policy direction. It is written for boards, general counsel and security leaders who need to translate a moving policy picture into concrete preparation.

Why ransomware is now a governance issue

Ransomware decisions used to belong to the security team and the incident response retainer. They now belong to the board, the audit committee, general counsel and — increasingly — the regulator. Several forces have pushed ransomware up the governance agenda:

  • Regulatory exposure. The Information Commissioner's Office (ICO) requires organisations to notify the regulator of personal-data breaches without undue delay and within 72 hours of becoming aware of the incident. This obligation applies regardless of whether a ransom is paid.
  • Sanctions risk. The National Cyber Security Centre notes that ransom payments may be unlawful if the funds go to an entity or region subject to UK sanctions. Payment to a designated person or jurisdiction is therefore a criminal offence.
  • Insurance reality. Cyber insurers now scrutinise control posture before paying out. Cover for ransom payments specifically is being narrowed or excluded in many policies, and reinsurers are pushing the same direction.
  • Operational severity. Recent high-profile incidents at UK retailers, NHS suppliers and local authorities have demonstrated that ransomware can suspend operations for weeks. Boards have noticed.
  • Public scrutiny. Customers, suppliers and the press expect transparency. Incidents handled quietly tend to surface anyway, and the reputational cost of being seen to pay is rising.

The practical consequence is that ransomware preparation is now a board-level responsibility. The questions a board should be able to answer, without referring to the CISO in the room, are: Do we know what would be encrypted? Do we know what we would do? Do we know what we cannot legally do? And have we tested the answer?

What is changing in the UK

The UK Government's three-part proposal, published in January 2025 and confirmed in the September 2025 response, represents the clearest policy direction the UK has issued on ransomware to date. The three elements are intended to work together.

1. Targeted ban on ransomware payments. The Government proposes a prohibition on ransom payments by all UK public sector bodies (local authorities, the NHS and other arm's-length bodies) and by owners and operators of regulated Critical National Infrastructure (CNI). This extends the existing convention (central government does not pay) into a statutory ban. Almost three-quarters of consultation respondents supported this proposal.

2. Ransomware payment prevention regime. For organisations not within the scope of the ban, the consultation proposes a payment prevention regime under which any victim intending to pay must notify the National Crime Agency before making the payment. A short-form notification is required within 72 hours of the ransom demand, followed by a full report within 28 days. The authorities will review the proposed payment for links to sanctions, terrorism financing or organised crime and may block it if such concerns exist. Private-sector organisations outside the ban would therefore need to inform authorities before paying.

3. Mandatory incident reporting. The proposals include a broader requirement to report ransomware incidents so that law enforcement gains the intelligence needed to disrupt ransomware operations. The precise scope (economy‑wide versus threshold‑based) will be aligned with the forthcoming Cyber Security and Resilience Bill, but the direction of travel is towards mandatory reporting rather than voluntary disclosure.

The Government has committed to developing the detail of these proposals in collaboration with industry, with guidance and clarifying documents to follow. Organisations should expect legislation rather than voluntary measures, and should not wait for final wording before preparing.

For boards, the strategic implication is that the historic "negotiate quietly, pay if necessary, recover" playbook is no longer available to public sector and CNI organisations, and is becoming increasingly constrained for everyone else. Recovery capability — not payment capability — has to be the assumption.

Controls that materially reduce impact

The controls that determine the severity of a ransomware incident are well-established. They overlap heavily with the controls in the NCSC Cyber Assessment Framework and Cyber Essentials Plus, and with the proposed scope of the Cyber Security and Resilience Bill. The differentiator is operational maturity, not control selection. The controls that consistently move the needle:

  • Tested, offline-capable backups. Backups isolated from the production identity boundary, immutable where possible, and tested by full restore rather than by integrity check. The most common cause of failed recovery is finding out, mid-incident, that backups were encrypted along with everything else.
  • Identity hardening. Phishing-resistant MFA, privileged account tiering, LAPS and detection of Active Directory reconnaissance. Ransomware almost always traverses AD; making that traversal slower and noisier buys recovery time.
  • Rapid patching of edge devices. Multiple reports show that exploitation of VPN and edge device flaws has surged; one study found that edge and VPN device vulnerabilities accounted for 22% of ransomware exploitation cases in 2024, up from 3% the year before. These internet-facing devices remain the "soft underbelly" of enterprise defences and are often compromised before defenders are aware of a threat. Any CISA KEV-listed vulnerability affecting an internet-exposed appliance should be treated as an emergency and patched immediately.
  • Network segmentation. Flat networks accelerate ransomware impact. Even basic segmentation between user, server and operational technology environments significantly slows lateral movement.
  • Incident response retainer with tested playbooks. A signed retainer that has never been exercised provides false comfort. Annual tabletop exercises that include legal, communications and the board are the minimum.
  • Documented decision-making. Pre-agreed decision authority during an incident, pre-drafted regulatory and customer communications, and a clear position on payment that the board has signed off in advance. The worst time to make a payment decision is at 02:00 with the production environment encrypted.
  • Logging and detection that supports investigation. Without forensic-quality logs (Windows event logs at sufficient verbosity, EDR telemetry, network flow data), incidents are recovered without ever understanding what happened. That guarantees the same incident, twice.
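
The patching control above says that any KEV-listed vulnerability on an internet-exposed appliance should be treated as an emergency. The following script, added here as an illustration and not part of the article or of Pentiq's own tooling, shows how a security team can turn that rule into a prioritised patch list: it matches a vulnerability-scanner inventory against an extract of the CISA Known Exploited Vulnerabilities (KEV) feed. The field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON schema; the inventory, the KEV extract and the CVE identifiers are constructed placeholders, and the three-tier priority rule (emergency, high, standard) is an assumption chosen to mirror the article's guidance, not a CISA or NCSC definition.

```python
"""Prioritise unpatched KEV entries on an appliance inventory.

Added example: the data below is constructed, the CVE identifiers are
placeholders, and the priority tiers are this example's own convention.
The real KEV feed has the same top-level shape ({"vulnerabilities": [...]})
and can be loaded from a downloaded copy with json.load.
"""
from dataclasses import dataclass
from datetime import date

# Constructed extract in the shape of the CISA KEV feed (placeholder CVE IDs).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "EdgeVPN", "dueDate": "2025-03-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "EdgeVPN", "dueDate": "2025-06-15",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
         "product": "FileServer", "dueDate": "2025-05-01",
         "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed inventory as a vulnerability scanner might export it:
# host, vendor/product, CVEs still open on the device, and internet exposure.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVendor", "product": "EdgeVPN",
     "open_cves": ["CVE-0000-00001", "CVE-0000-00002"], "internet_exposed": True},
    {"host": "files-03", "vendor": "OtherVendor", "product": "FileServer",
     "open_cves": ["CVE-0000-00003"], "internet_exposed": False},
    {"host": "vpn-02", "vendor": "ExampleVendor", "product": "EdgeVPN",
     "open_cves": [], "internet_exposed": True},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    priority: str      # "emergency", "high" or "standard" (example's own tiers)
    days_past_due: int  # days since the KEV dueDate; negative if not yet due


def prioritise(inventory, kev, today):
    """Return KEV-matched findings, most urgent first.

    Rule (assumed, mirroring the article): an open KEV entry on an
    internet-exposed device is an emergency; an internal device with a
    KEV entry flagged as used in ransomware campaigns is high; other KEV
    matches are standard. Within a tier, the most overdue item comes first.
    """
    kev_by_id = {v["cveID"]: v for v in kev["vulnerabilities"]}
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev_by_id.get(cve)
            if entry is None:
                continue  # open but not known-exploited: normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            if asset["internet_exposed"]:
                priority = "emergency"
            elif entry["knownRansomwareCampaignUse"] == "Known":
                priority = "high"
            else:
                priority = "standard"
            findings.append(Finding(asset["host"], cve, priority, (today - due).days))
    order = {"emergency": 0, "high": 1, "standard": 2}
    findings.sort(key=lambda f: (order[f.priority], -f.days_past_due))
    return findings


def emergency_hosts(findings):
    """Hosts needing same-day action: the list to put in front of the CISO."""
    return sorted({f.host for f in findings if f.priority == "emergency"})


def run_sample(today_iso="2025-07-01"):
    """Run the constructed sample for a fixed date so results are repeatable."""
    return prioritise(INVENTORY, KEV_SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.priority:9} {f.host:10} {f.cve_id}  {f.days_past_due:+d} days vs KEV due date")
    print("emergency hosts:", emergency_hosts(run_sample()))
```

Run against a real inventory, the "emergency" tier is the short list a board can ask about directly; anything on it that is more than a few days past its KEV due date is exactly the exposure the article describes. The exposure flag comes from the inventory rather than from the KEV entry because KEV has no concept of where a device sits on the network, which is why the script needs both data sources.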

A useful exercise for any board: ask the CISO to walk through the first 72 hours of a hypothetical ransomware incident, with reference to the controls above and the regulatory timeline. The gaps surface quickly.

Frequently asked questions

Is paying a ransomware ransom illegal in the UK?

Not in general — but payment to a sanctioned entity is illegal, and the proposed legislation would prohibit payments by public sector bodies and regulated CNI operators. A payment prevention regime will require notification and may allow payment to be blocked.

When will the new UK ransomware legislation take effect?

The Government published its response to the consultation in September 2025 and has committed to legislating, with detail to be developed in collaboration with industry. Specific commencement dates have not yet been confirmed.

Does cyber insurance still cover ransom payments?

In some cases, yes — but cover is being narrowed. Insurers increasingly require evidence of control posture, may exclude payment where sanctions risk exists, and reinsurers are pushing the market away from payment cover.

What is the UK Cyber Security and Resilience Bill?

A forthcoming Bill that updates the UK's cyber security legislation, including reporting obligations and protections for critical services. The ransomware proposals are intended to align with it.
