Government launches consultation on proposed legislation to tackle the threat of ransomware
The UK government is consulting on proposals to introduce legislation that attempts to address the threat of cybercrime. The aim of the legislation is to reduce payments to criminals by all public sector bodies alongside increasing incident reporting.
The rationale behind the proposals is to make public sector and infrastructure organisations less appealing targets for ransomware attacks. However, these proposals may result in a redirection in criminals’ efforts to the private sector including the accountancy profession.
While ICAS supports tackling the increasing ransomware threat to organisations in the UK, any legislation needs to be fit for purpose and not have any unintended consequences impacting other sectors of the economy.
What is ransomware?
Ransomware is malicious software (malware) that infects a victim’s computer system. It is a financially motivated crime that is largely committed by cyber criminals based overseas. A ransomware attack can:
• Prevent the victim from accessing IT systems or severely impair their use.
• Facilitate the theft of personal or other sensitive data held on the victim’s networked systems or devices.
A ransom is demanded (usually payment of cryptocurrency) from the victim to regain access to the system, for the data to be restored or for confidential data not to be published on websites run by criminals.
The targets of ransomware can range from ordinary individuals using their own personal devices to major companies and public bodies whose entire systems and networks are put under attack.
The government proposals and objectives
The consultation will consider three main proposals:
1. Targeted ban on ransomware payments for all public sector bodies and critical national infrastructure – expanding the existing ban on ransomware payments by government departments and making the essential services the country relies on the most unattractive targets for ransomware crime.
2. A new ransomware payment prevention regime – increasing the National Crime Agency’s awareness of live attacks and criminal ransom demands, providing victims with advice and guidance before they decide how to respond, and enabling payments to known criminal groups and sanctioned entities to be blocked.
3. A mandatory reporting regime for ransomware incidents – bringing ransomware out of the shadows and maximising the intelligence used by UK law enforcement agencies to warn of emerging ransomware threats and target their investigations on the most prolific and damaging organised ransomware groups.
The legislation is intended to meet three main objectives:
• To reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations.
• To increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape.
• To enhance the government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level.
Potential impact on the accountancy profession
The professional services sector is high-risk when it comes to cyber security. Criminals have found a variety of attack methods to be particularly profitable in a profession where data protection and client confidentiality are crucial. Failing to protect your firm and your clients may result in a breach of your legal and regulatory obligations and substantial fines, in addition to business disruption and reputational damage.
The proposals should therefore be a reminder that prevention of a cyber breach in the first place is crucial.
Lindsay Hill, Chief Executive of Mitigo, ICAS’ cybersecurity partner, said:
“These proposals are a well-intentioned attempt to tackle the rising frequency, cost and disruption to organisations of all shapes and sizes across the UK as a result of ransomware attacks by organised criminals, many of which are based in Russia. They follow on from the Government's draft Code of Practice on cyber security governance.
"However, a number of points should be borne in mind. The proposal for a complete ban on the public sector and critical national infrastructure paying ransom demands, intended to deter these types of attacks against them, may result in the redirection of attacks against businesses in the private sector, with accountancy firms being a prime target.
"Although the headlines in the press feature the high profile attacks against public bodies, the reality is that the overwhelming majority of ransomware attacks are against businesses in the private sector.
"The proposals in relation to the private sector would make it mandatory to report ransomware incidents to the authorities, and also to notify an intention to pay the ransom before actually doing so. Law enforcement would then review the proposed payment to see if there is a reason to block it, for example if it breached sanctions. This would create an additional burden on the victim firm, on top of the stress of negotiating with the criminals over payment and trying to limit the damage and disruption to its business and client affairs.
"And what if the payment is blocked? It could be the difference between the firm surviving or not. Firms decide to pay ransom demands because commercially they feel forced to. Losing all client data and access to systems could leave the firm permanently crippled.
"The prevention of a payment will not itself prevent criminal gangs from capitalising on data theft, for example by selling it on to facilitate other serious crime, such as card-not-present fraud, identity theft, breaking passwords or user names to get into bank accounts etc.
"Also bear in mind that these proposals relate to ransomware attacks. Cyber crime and cyber disruption involve a much fuller range of attacks which these proposals do not touch. For accountancy firms, the most common form of attack is email account takeover, where the criminal gains access to the firm’s email, frequently resulting in data and financial loss.
"The bottom line is that firms should prioritise prevention of a cyber breach in the first place. Cyber risk management should be right at the top of any firm’s risk register and a board level responsibility."
The consultation can be accessed via GOV.UK and will close at 5pm on 8 April 2025.
ICAS have partnered with Mitigo to offer cybersecurity management services for Evolve members. To book a free no-obligation consultation or for more information, you can contact Mitigo via the Mitigo website, call 0131 564 3131 or by email.
Categories:
- Cyber security
- Practice