UK unveils bold plan to tackle cybercrime with new rules
The UK Government has introduced new proposals targeting cybercrime, aiming to alter how businesses manage ransomware incidents.
The Home Office is spearheading a consultation focusing on three central proposals. Firstly, it suggests implementing a total ban on ransomware payments for all public sector entities and operators of critical national infrastructure.
Secondly, a broader "ransomware payment prevention regime" is being proposed to offer guidance to ransomware victims before deciding on their course of action. Lastly, a mandatory reporting framework for ransomware incidents is also under consideration.
The initiative is described by the Home Office as "world-leading," with an ambition to undermine the core of the cybercriminal business model. Edward Lewis, Chief Executive Officer of global cybersecurity consultancy CyXcel, shared his insights on these proposals.
"To some extent the regulation of ransom payments to cyber criminals is not a new topic. Giving in to ransom demands is already actively discouraged by Government, regulators and law enforcement, since it is perceived to incentivise further criminal activity and does not guarantee the return of stolen data. However, an outright ban of the sort proposed by the Home Office is a bold step and one that could dramatically change how businesses respond to ransomware incidents in the future," stated Lewis.
Lewis noted several potential benefits of the proposals, such as raising awareness around ransomware, sending a clear deterrent message to cybercriminals, and shifting industry focus towards more preventative cybersecurity measures.
"There is no doubt that there are lots of positives that could come from these new proposals, including an increased spotlight on ransomware generally; a clear message to ransomware gangs that the UK is not an easy target for cybercrime; and a refocus within industry on the importance of having robust cyber security controls and implementing proactive defence measures, as opposed to businesses being too reliant on cyber insurance as something of a 'safety net' in the event of an incident," he commented.
However, Lewis also warned of potential "unintended consequences" arising from these changes. "For example, there is a risk that a ban on ransomware payments ends up penalising the wrong people, with some smaller organisations who may lack the resources to respond effectively ending up going out of business without the option of paying ransoms," he pointed out.
He further expressed concerns over mandatory reporting requirements, which could lead to reputational harm if sensitive information becomes public knowledge. "Equally, a mandatory reporting regime could expose victims to reputational damage if matters are not handled confidentially and information about intended payments becomes public knowledge," Lewis added.
The proposals are now open for public and industry consultation, and their final shape will likely depend heavily on the responses received and the adjustments made during this period.
"It will therefore be interesting to see how industry responds to these proposals and whether the Government continues to refine the proposals as a result," concluded Lewis.