A new UK government policy banning public sector bodies from paying ransomware demands is reshaping the cyber risk landscape for education, healthcare, and local services. The stated goal is clear: deter cyber criminals by removing the financial incentive. A second, arguably moral, objective is to prevent public funds from indirectly supporting organised crime. But as cyber specialist Ethan Godlieb warns, the reality on the ground is far more complex.
"The government is hoping that, by saying 'we will not pay,' public bodies become less attractive targets," said Godlieb, associate partner for cyber, tech & fintech at Consilium. "But in practice, we're creating a very real gap in the protection available to schools and similar institutions."
Schools, universities and local authorities have long been prime targets for ransomware gangs due to the combination of highly sensitive data and chronically underfunded IT infrastructure. "If you're vulnerable, you're valuable," Godlieb said. "It doesn't matter if you're a small shop or a major university – if you have data, you're a target."
The ban applies to entities such as the NHS, councils and educational institutions, many of which lack the budget to invest in enterprise-grade systems. While the primary intent is deterrence, the risk remains. Criminals may still strike in the hope of extracting payment before the message reaches the global cyber underground.
"Attackers aren’t necessarily rational actors following UK policy announcements," Godlieb said. "In the meantime, schools may be hit repeatedly, without the option of paying to restore access."
Removing ransom payments shifts the emphasis to other aspects of cyber insurance: incident response, business interruption, legal support, and data recovery. But the effectiveness of these depends on the insured organisation's basic cyber hygiene.
"If your backups are poor, insurance can't just step in and pay the ransom anymore," Godlieb said. "You still need workable recovery systems, segmentation, and people controls. Insurance is designed to complement cyber hygiene and resilience, not replace it entirely."
The misconception that cyber insurance is primarily about covering the ransom also creates a false sense of security. In reality, ransomware is just one event type – albeit a severe one – that can trigger nearly every insuring clause in a policy. Godlieb uses a helpful analogy: "Think of a cyber policy as a switchboard. A ransomware attack lights up almost every switch. Remove the ransom cover, and you're still covered, but you're missing a major recovery tool."
Recent attacks on UK schools highlight the sector's digital fragility. Godlieb points to the high dependence on digital platforms – from online learning systems to student records – combined with the need for accessibility. "There’s always a tension in education: how do you balance openness with security?"
Meanwhile, the sensitivity of student data raises ethical stakes. Rules like “no photos at school plays” exist to protect vulnerable children, yet many schools hold far more sensitive data than a photograph. When that information is compromised, it’s more than a data breach – it’s a safeguarding issue.
Insurance remains valuable, especially for post-incident response, but it cannot fix deep structural problems. As Godlieb put it: "The sector needs better baseline security, not just risk transfer."
There are signs of progress. The UK government recently pledged £210 million to bolster cyber resilience across public services. But Godlieb believes the challenge goes deeper than funding. Many decision-makers still see cyberattacks as "just an IT issue" rather than a critical business or even personal liability risk.
"If you're a school governor or council leader, and you don't do what you're legally required to do to protect data, you could be personally liable," he warned.
Ultimately, the ransom payment ban forces a reframing of both risk management and insurance expectations. It may strengthen the moral stance against cyber crime, but it also raises the stakes for underprepared institutions.
"Cyber insurance exists not in case the window breaks, but in case the house burns down. It's there for catastrophe scenarios," said Godlieb. "If you exclude what is often the biggest single cyber risk to organisations – ransomware – you're undermining the whole point of the product."
For public sector bodies, a post‑ransom era raises difficult questions. Security must improve, but funding remains limited. With one of the most powerful recovery tools off the table, the pressure is growing to close resilience gaps before the next attack hits.