The UK Government considers ransomware attacks to be the greatest of all serious and organised cybercrime threats. In response, it has launched a consultation on three measures to reduce payments to cybercriminals and increase ransomware incident reporting. The consultation runs until 8 April 2025. The Government's aims are to undermine the ransomware business model (making UK businesses less profitable for cybercriminals to target) and to improve the Government's intelligence around ransomware threats so as to inform future interventions. This briefing looks at the proposals and their potential implications.
Will the UK legislate to curb ransomware payments?

Overview
Proposal 1: Targeted ban on ransomware payments
The Government proposes to extend the ban on ransomware payments so that it applies to all public sector bodies, including local government, and owners/operators of critical national infrastructure (CNI) that are regulated or that have competent authorities. The ban in respect of CNI covers thirteen sectors.
The Government seeks feedback on:
- criminal and civil penalties for non-compliance
- the inclusion of essential suppliers to these sectors
- an economy-wide ban covering individuals and businesses
Proposal 2: Ransomware payment prevention regime
All victims of ransomware attacks not covered by the ban would be required to report their intention to make a ransomware payment before doing so. Authorities would then review and potentially block payments, providing support and influencing victim behaviour. Breaches of sanctions and terrorism finance laws are given as examples of reasons for the Government blocking payments.
The Government seeks feedback on:
- potential penalties for non-compliance, and where responsibility should rest, with the organisation and/or a named individual
- what guidance and support should be offered to victims
- whether the regime should apply to all potential victims or be threshold-based (e.g., by reference to the size of the organisation or the ransom amount) and/or exclude victims who are individuals
Proposal 3: Ransomware incident reporting regime
Suspected victims of ransomware would be subject to a mandatory reporting requirement, regardless of payment intentions. The Government's aim here is to improve its understanding and response capabilities. The report would be made to "relevant parts of Government", with an initial report of the incident within 72 hours (specifying whether a ransom demand has been received, if the organisation can recover using existing resilience measures, and if the ransomware group is identifiable), followed by a full report within 28 days (including the means of access, if resilience measures have been implemented, and any further details on the attack).
The Government seeks feedback on:
- measures to help businesses comply
- the reporting timeframes
- potential penalties for non-compliance
- potential thresholds for reporting
- whether reporting should cover all cyber incidents, not just ransomware (e.g. phishing and hacking)
Takeaways for business
Information around the process for reporting (and Government interventions) is scant at this stage. While the aims behind the consultation are commendable, organisations may worry about the additional burden that these measures impose at a critical time for the business. Key points to consider include:
- Increased notification burden. Under existing rules, many organisations already face a race against the clock to make multiple notifications in multiple jurisdictions in respect of cyber incidents. These measures will add to that pressure. Pre-empting concerns, the Government promises a proportionate approach. Its intention is for UK victims to be required to report an individual ransomware incident only once, "as far as possible". So, for example, these proposals and those in the Cyber Security and Resilience Bill (which is yet to emerge) would be aligned, to avoid duplication. However, streamlining notifications more widely may be difficult. It is not clear whether these requirements would sit alongside existing notification requirements under data protection laws and sector-specific rules, such as reporting to the FCA.
- Timing. Engagement with authorities before making a payment will delay resolution efforts and prolong business disruption. There is little information on the process, including the timescales for the Government to respond to confirm whether a payment is blocked or not. In this time-critical situation, a delay can have the same effect as a block (and government resourcing is likely to be a factor here). Moreover, the trigger for the 72-hour reporting deadline for "suspected" ransomware victims is unclear and businesses are unlikely to be able to provide particularly "full" information within 28 days.
- Punishing the victim? Criminalising payments and reporting failures may be perceived as a shift away from persuading and educating victims towards punishing them, while the cybercriminals themselves often elude law enforcement.
- Layering of penalties. Organisations which make ransomware payments in breach of legislation related to sanctions, money laundering and terrorist financing already risk severe penalties. Will the threat of further penalties make a significant difference?
- Assumed motivation. These measures assume that cybercriminals are purely financially motivated. Other motives may make an organisation an attractive target and would not be undermined by non-payment, e.g. disrupting a business to make a statement, political motivations or espionage.
- Downstream impacts of a ban. Could a targeted ban, which encourages cybercriminals to focus elsewhere, cause ransomware attacks to balloon in sectors not subject to that ban? The consultation paper discusses the substantial costs resulting from a scenario involving an attack on an electricity distribution network. But if attacks are reduced rather than eliminated (which seems likely), it is less clear what the additional costs and impact of a prolonged attack would be, once the option to pay a ransom is removed, for the power company and the many customers that rely on its network.
- Smaller businesses. Smaller businesses are particularly vulnerable, as they are less able to withstand prolonged disruption. Could the payment prevention regime push desperate victims underground to find other (illicit) ways to recover their data?
- Reputational risk. Businesses will be concerned about the disclosure of sensitive information to the authorities and its impact on reputational risk. What will be the implications from an insurance perspective and, if a payment is not blocked but the business pays the ransom against advice, for its future relationship with regulators?
- Geopolitical backdrop. The consultation refers to the UK's collaboration with global partners to coordinate policies and discourage ransomware payments, through the Counter Ransomware Initiative. However, relatively few jurisdictions have implemented bans or a specific reporting regime in relation to ransomware payments. For an example of a dramatic divergence in approach, we only need look to the Trump administration, which has recently frozen the US cyber offensive against Russia and reduced the headcount at the US Cybersecurity and Infrastructure Security Agency. Businesses will be concerned about UK competitiveness and investment if UK regulations are stricter compared to other jurisdictions, particularly in a climate of deregulation.
Louisa Chambers, Head of Technology & Commercial Transactions