Public sector ransom ban raises pressure on insurers

The UK government has announced a ban on ransom payments by public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools. Under the measures, private sector organisations not covered by the ban will be required to notify the government if they intend to pay a ransom.

The measures follow a public consultation and mark a significant shift in policy. While ransom payments are not currently illegal under English law, except in cases involving terrorist demands, the move could reshape the kidnap and ransom insurance market in London and place greater scrutiny on cyber underwriting practices. Legal uncertainties already exist over payments made to sanctioned entities or jurisdictions, and the ICO has made clear that paying a ransom does not count as mitigation for the purposes of regulatory penalties.

Matthew Geyman, managing director at Intersys, commented: “Ransomware is probably the most serious organised cyber crime threat likely to impact an organisation. Following public consultation, the UK government’s proposal to ban ransom payments by public sector bodies – and mandate reporting – is a defining moment in the fight against this fraudulent scourge, and begins to define a more rigorous approach to an escalating systemic problem.

“It also places fresh scrutiny on how the insurance sector approaches cyber risk. As attackers – often serious organised crime – shift focus to the private sector, insurers must reassess underwriting strategies to ensure organisations demonstrate robust cyber hygiene before cover is issued. This isn’t just about setting premiums – it’s about avoiding policy wordings or claims processes that could inadvertently facilitate ransom payments or be seen to endorse them. Clear boundaries are now essential.”
