Proposed ransom ban raises underwriting pressure on cyber insurers

Operators of national infrastructure could lose ransom flexibility under strict new legislation

By Kenneth Araullo

The UK government has proposed legislation that would ban public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, from paying ransom demands to cybercriminals.

Under the plans, businesses outside the ban’s scope would be required to notify the government if they intend to make a ransom payment.

While paying a ransom is not currently prohibited under English law – except when linked to terrorist demands under the Terrorism Act 2000 – the proposals represent a shift in policy that could affect Kidnap & Ransom (K&R) insurance, including in the London Market.

Existing legal complexities remain over payments to sanctioned entities or jurisdictions, as noted by the National Cyber Security Centre (NCSC). The Information Commissioner’s Office has also stated that such payments are not regarded as risk mitigation and will not reduce regulatory penalties.

The proposals follow a government consultation in which approximately three-quarters of respondents supported an outright ban on ransomware payments by public sector organisations and critical national infrastructure operators.

Supporters cited the potential to deter attackers from targeting these entities, although some feedback indicated concern over operational impacts in high-stakes scenarios.

The consultation also revealed differing views on whether the measures should be extended beyond public bodies, with around a quarter of respondents calling for a wider, economy-wide scope.

Advocates of expansion argued that leaving certain sectors outside the ban could encourage attackers to shift focus, while others emphasised the need for clear implementation guidance and consideration of impacts on supply chains.

Reshaping cyber risk handling

Matthew Geyman, managing director at Intersys, said the move signals a more rigorous approach to tackling ransomware and could reshape the insurance sector’s handling of cyber risk.

“As attackers - often serious organised crime - shift focus to the private sector, insurers must reassess underwriting strategies to ensure organisations demonstrate robust cyber hygiene before cover is issued,” he said.

This reassessment, he noted, should cover both requiring strong cyber hygiene before cover is issued and avoiding policy terms that could facilitate ransom payments.

“Critically, there is no guarantee that paying a ransom will successfully unencrypt data. The decryption tools may not work as intended, and once the ransom has been paid, the attackers have no real incentive to offer assistance,” he said.

Legal and insurance specialists have warned that the inability to pay ransoms in some cases may lead to higher claims exposure for insurers. Without the option of payment to quickly end an incident, certain attacks could result in prolonged operational disruption, higher recovery costs, and potentially greater financial losses – factors that may influence underwriting decisions and premium pricing.

Insurers are also expected to reassess their risk models in light of the proposed restrictions. This could include revising policy wordings, raising resilience requirements for clients, and ensuring claims processes do not conflict with new legislative requirements.

The proposals could also set a precedent for other insurance sectors where ransom payments have previously been accepted. Similar debates arose over piracy ransoms in the shipping industry, particularly during incidents off the coast of Somalia in 2010.

The government’s consultation outcome and the scope of the final legislation may determine whether insurers will need to overhaul cyber policies, tighten resilience-based underwriting, and apply clearer boundaries on cover for extortion events.
