Businesses must report ransom payments to government

New government proposals will require businesses to notify authorities before paying any ransoms to cyber criminals
In a significant move to combat ransomware attacks, the Home Office has announced new proposals requiring businesses to inform the government if they intend to pay a ransom to cyber criminals. This initiative aims to curb ransom demands directed at public sector entities like the NHS, local councils, and schools. The announcement follows recent concerns sparked by high-profile incidents, including a severe cyber-attack on Marks & Spencer, which has not confirmed whether it paid a ransom to hackers.
Mark Jones, a partner in the dispute resolution team at Payne Hicks Beach, emphasised that public sector bodies would be outright banned from paying ransoms. He said: “By banning the payment of ransoms, the government hopes that it will cut off the funding relied upon by the cyber criminals.” Notably, the proposals also call for other organisations not covered by this ban to notify the government when considering ransom payments. This move towards mandatory reporting is designed to build a more robust body of intelligence regarding cybercrimes.
However, the proposals have raised concerns regarding both financial and reputational repercussions for businesses. Jones pointed out an unusual aspect of the legislation, stating that “it is also unusual for victims of a crime to be required by law to report that they have been a victim.” Critics argue that banning ransom payments may inadvertently criminalise victims, pushing ransomware operations into darker corners of the web. A concerning statistic from Italy reveals that, despite existing laws prohibiting ransom payments, 43% of surveyed organisations have admitted to paying them.
One of the key challenges in tackling cyber crime remains the ability to hold perpetrators accountable. As Jones noted, “Tracking down the cyber criminals is both time-consuming and expensive and law enforcement is already over-stretched.” Given that many cyber criminals operate from foreign jurisdictions, the lack of international cooperation complicates efforts to bring them to justice. Additionally, political considerations can further obstruct these efforts.