ICAS response to UK government ransomware legislative proposals

20 May 2025

Last updated: 16 June 2025

ICAS

ICAS supports UK government efforts to make the UK an unattractive location for ransomware demands. We also support efforts to increase intelligence on the threats to inform future intervention, including incident reporting to the Home Office.

We believe that the UK needs to keep pace with international developments to avoid appearing vulnerable to criminal threats. We look forward to assisting with the evaluation of the government’s proposals as these develop.

We support the proposals for:

  1. A targeted ban on ransomware payments for all public sector bodies and owners and operators of Critical National Infrastructure.
  2. A new ransomware payment prevention regime for other organisations not within the scope above (including businesses). This would require victims to engage with the authorities and report their intention to make a ransomware payment before paying. This includes support, guidance and discussion to explore non-payment resolution options. Ultimately the final decision to proceed with payment or not would be for the victim – we believe this is appropriate. Engagement with the authorities, and their support and guidance, are helpful for the victims and strengthen both intelligence and the UK’s response to attacks. To be effective, communication and government response need to be treated as urgent and actioned promptly.
  3. A ransomware incident reporting regime: we agree that incident reporting can usefully feed into intelligence and inform future government interventions or other actions. Further information is required before setting a mandatory reporting requirement for other organisations. In particular, this should cover how it is targeted (e.g. thresholds, impact risk), how to avoid criminal work-arounds and how to ensure reporting is proportionate, especially for smaller organisations. We would like to see how the targeted ban (proposal 1) functions in practice and any learning points before expanding to other organisations.

We would also encourage organisations to review and invest in their security arrangements to strengthen their protection against potential ransomware attacks.
