Cyber threats, real consequences - rethinking the UK's ransomware strategy

The real threat is escalating – but what can be done about it?


By Hannah Gurga

As cyber threats grow in scale and sophistication, the UK’s economic resilience increasingly depends on how well businesses can prepare for, withstand, and recover from digital attacks.   

We know the threat is escalating. ABI members reported a 230% increase in the amount paid out to help businesses recover from cyber incidents in 2024, totalling a record £197 million. Ransomware alone accounted for a fifth of all claims, underscoring the scale and severity of the challenge.

Against this backdrop, the government's decision to press ahead with new ransomware proposals marks a pivotal moment in its cyber strategy. The measures aim to curb payments to cyber-criminals and improve incident reporting. Both are important steps in tackling the threat.  

But while the intent is sound, the reality is more complex. By restricting how critical national infrastructure (CNI) can respond to ransomware attacks, the proposals risk prolonging recovery times. In turn this could drive up costs and compound the damage caused by operational disruption. They also increase vulnerability across the wider supply chain – much of which is made up of small businesses, the backbone of Britain’s economy. 

There are an estimated 5.6 million small businesses in the UK, accounting for 99% of the total business population. While the proposed restrictions target critical infrastructure, there are concerns over how a broad definition of CNI could impact large swathes of the economy, and the ripple effects could be severe. If providers of essential services in the finance, telecommunications, or technology industries were unable to pay a ransom, small firms, often lacking the operational resilience of larger companies, may struggle to survive.  

To be effective, the government’s ransomware proposals must be part of a broader, integrated strategy that strengthens cyber resilience across the economy. This includes refreshing the National Cyber Strategy, accelerating the Cyber Resilience Bill, and supporting initiatives like the NCSC Early Warning System. Put simply, the strategic focus must remain on building cyber resilience and pursuing the criminals, not penalising the victims of crime.   

Policy must reflect reality. Businesses are often caught in the crosshairs of cyber-crime through no fault of their own, and attacks rarely unfold in predictable ways. Under pressure, organisations often face difficult trade-offs and not all are equally equipped to respond. 

One-size-fits-all solutions risk overlooking the operational realities that businesses contend with every day. Resilience strategies must be flexible and responsive, reflecting the varied threats, sectors, and structures that shape how businesses prepare for and recover from cyber-attacks. That includes retaining the option to pay ransoms.    

The insurance industry doesn’t encourage ransomware payments. But we recognise that, in some cases, paying may be the only viable option to restore critical systems, protect sensitive data, and minimise harm to customers and employees.   

Ultimately, the decision should rest with the victim organisation. It should be made carefully, lawfully, and only as a last resort. This is where cyber insurance can play a critical role. Policies often include access to specialist advisors who can guide businesses through complex decisions, ensuring any action taken is compliant and strategically sound. But even before this decision needs to be made, cyber insurance can be a powerful ally in identifying organisational vulnerabilities and strengthening cyber defences to mitigate these threats.  

This is only one part of the solution. Cyber resilience must be woven into the DNA of all organisations. It is no longer just the responsibility of an IT team. It requires proper cyber hygiene across the workforce, an assessment of cyber risk across the entire value chain, and buy-in from senior leadership.    

This kind of preparedness signals operational maturity to investors and partners, while reinforcing trust with customers and suppliers. It also supports the government’s pro-growth agenda by fostering a more resilient, secure, and investment-ready economy.  

If the UK is serious about building a secure, pro-growth economy, policies must empower businesses and not constrain them. That means backing the tools that work.  
