
Si West at Resilience considers the UK’s proposed ransomware regulation
In recent months, ransomware attacks have reached a crisis point in the UK, with major retail brands such as Marks & Spencer, the Co-Op, Harrods, and, more recently, North Face and Cartier disclosing devastating breaches. The cost to M&S alone is estimated at £300 million. These incidents have renewed focus on the UK Government’s proposed ban on ransomware payments.
But would this ban truly make businesses more resilient, or could it unintentionally weaken our collective cyber-defences?
The Government’s aim is clear: to cut off criminals’ funding and reduce ransomware’s appeal. However, having worked closely with organisations battling these threats, I believe the proposal, if applied too broadly or without carefully considered safeguards, risks doing more harm than good.
As someone who has worked on the cyber-security insurance frontlines with organisations across sectors, I welcome efforts to deter ransomware. Reducing the incentive to pay ransoms aligns with wider efforts to make attacks less profitable. However, ransomware response is a complex operational challenge, not a simple moral calculus. In practice, payments are rarely the first or preferred option for these types of cyber-attacks.
Ransomware today is a sophisticated, evolving threat. The attacks are carried out by highly organised criminal groups who operate like well-funded enterprises, targeting everything from private companies to critical national infrastructure. When an organisation is breached, it follows a rigorous incident response plan: restoring from clean backups, rebuilding affected systems, negotiating with attackers, and only then considering payment as an absolute last resort to preserve critical services and data integrity.
The Government’s proposed ban would remove that last option entirely.
The reality is that paying a ransom may sometimes be the only viable way to prevent greater damage. In sectors that underpin public safety, particularly in regulated Critical National Infrastructure (CNI) and public sector bodies including healthcare and utilities, downtime can have grave consequences. The US Colonial Pipeline attack showed how ransomware disruptions can ripple far beyond the immediate victim. The negotiation phase often buys crucial time for recovery and coordination with law enforcement.
Denying this option may lead attackers to escalate their tactics, including immediate destruction or leaking of sensitive data.
In addition, extending the ban to the private sector presents further challenges. The cyber-insurance industry has developed mature processes for assessing ransom payments, ensuring they are lawful, carefully considered, and used only when no viable alternatives exist. Specialist negotiators and legal teams use real-time intelligence and forensic insights to advise on response strategy, minimising impact and exposure to follow-on attacks. Introducing government approval steps risks delaying critical decisions, potentially increasing damage and costs.
Government intervention must strive to complement these capabilities, rather than delay decisions during tight attacker-imposed deadlines.
Instead of a blanket ban, a phased, flexible, and targeted approach would be more beneficial. Restrictions should initially focus on ransom payments in the public sector and critical infrastructure, with clear protocols allowing for exceptions when public safety is at stake. For the broader private sector, the focus should be on enhancing existing procedures and response mechanisms with mandatory due diligence checklists and effective incident reporting that delivers actionable intelligence without overwhelming victims during crises.
Effective ransomware policy demands practicality. Cyber-threats evolve rapidly, and our collective response must balance deterrence with operational realities. The insurance market has already raised the bar on security practices, embedding behavioural change that governments can build on. The goal should be to integrate legislative efforts with existing industry expertise to create a resilient ecosystem, one that disrupts criminals while enabling organisations to recover swiftly when attacked.
As the UK formulates its ransomware strategy, it must prioritise practical impact. A flexible, collaborative approach will better protect businesses, critical services, and citizens alike. The future of cyber-resilience depends on policies grounded in experience, agility, and mutual trust, not rigid bans that may inadvertently hand the advantage back to cyber-adversaries.
Si West is Director of Customer Engagement at Resilience
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543