Regulating the Cyber Battlefield: The Impact of Mandatory Ransomware Reporting and Licensing for Payments

Published: 6th June 2024 | In: Insights

Reports have surfaced recently that officials in the UK are set to propose the requirement for all victims of ransomware attacks to report incidents to the government, compelling those victims to request a licence before making ransomware payments. As part of the proposal, these payments would be banned entirely for critical national infrastructure (CNI) companies.

The reasoning provided thus far for mandatory reporting is a numbers-driven one: how can the scale and spread of ransomware attacks be truly quantified when not every victim reports them?

The critical factor

From my experience of working in incident response, the decision whether or not to report a cyber breach usually boils down to risk: what did the threat actor take? The standard approach in the threat actor’s handbook now seems to be double extortion as a minimum, often running scripts that specifically target sensitive data for exfiltration before encrypting everything they can.

Personally identifiable information (PII) is always centre stage when investigating and reporting to victims, especially where cyber breach lawyers are engaged. Currently, the requirement to report is largely to the Information Commissioner’s Office (ICO) and to any regulatory bodies with which organisations have contractual reporting obligations; reporting to the National Cyber Security Centre (NCSC) is only recommended.

The UK government has acknowledged that the lack of statistics creates challenges for the policy response and has looked to the U.S. approach to the same issue. The U.S. signed into law the Cyber Incident Reporting for Critical Infrastructure Act 2022, which requires covered entities to report covered cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). That policy, however, was developed around typically large entities whose threat profiles are more closely aligned with nation state actors than with low-level ransomware operators.

Why ransomware and why now?

So, why the consideration for mandatory reporting of ransomware when other types of crime do not have mandatory reporting imposed on them? What makes ransomware so special?

Ransomware is an ongoing situation likened to hostage taking – you must pay up if you want your systems back. The vast and devastating impact on a company, coupled with the moral dilemma of making the ransom payment, could be part of what sets it apart. The government recognises the ransomware payment issue in the Joint Committee on the National Security Strategy report, “A hostage to fortune”: victims can choose either to pay the ransom in the hope of regaining control of their data and systems, or to resist paying money to criminals and risk having to rebuild their systems from scratch, or finding sensitive data leaked or sold on the dark web. While the government maintains that UK victims should not pay ransoms, paying is the only viable option for many of those directly affected, enabling them to keep their businesses afloat and prevent damaging leaks of personal data.

In my colleague Mark Cunningham-Dickie’s article “Maybe let’s negotiate with terrorists”, he talks in detail about how both the UK and the US have negotiated numerous times previously whilst still trying to maintain the narrative that they, in fact, do not. He also highlights the benefits of negotiating with threat actors even when payment is not the only resolution – a vital source of threat intelligence that would be lost if the communication channel were closed.

How can organisations stop incentivising criminals?

The NCSC, jointly with the insurance industry, has developed a guide for organisations considering payment in ransomware incidents. This is a step away from the no-negotiation stance towards a more pragmatic approach, recognising that sometimes paying is all a company can do.

One of the key arguments for not paying ransoms is to avoid incentivising threat actors to carry out more attacks. If companies are banned from making ransomware payments, the hope is that this will remove the incentive for attackers, as they know they won’t get paid. The ban is currently only being considered in the proposal for CNI companies, but what if paying was their only way to get back to business as usual?

It will be interesting to see what the proposal stipulates for obtaining licences to make ransomware payments for non-CNI companies. A ransomware incident can be one of the most stressful and most financially impactful times for a company. Adding a requirement to apply for a licence before making payment, on top of mandatory reporting in whatever guise that takes, will require a lot of support for victims of crime during their darkest hour.
