Currently, while the UK authorities strongly discourage the payment (as opposed to receipt) of ransoms, such payments are not illegal under English or international law (unless they involve the transfer of funds to entities or individuals with links to terrorism or subject to sanctions). Although records show that ransomware payments have, for a number of reasons, decreased over the last year, many companies would opt to make a ransomware payment when taking into account the potential consequences to their business of not doing so.
In January 2025, the UK government launched a consultation about legislative proposals on ransomware payments, including a ban on making ransomware payments for all public sector bodies. This would encompass local government and owners and operators of critical national infrastructure. The motivation is to make UK public entities and essential infrastructure unattractive to ransomware gangs by sending a very clear message that they will not get paid.
Although the government has long been clear about its opposition to paying ransomware demands, the proposed reforms will bring clarity for both those entities affected and their insurers. The ban on any ransomware payments by the affected entities will relieve their insurers of the need for forensic due diligence to identify the origin of the ransomware demand and the destination of any payments, to avoid violating laws against payments to entities or individuals with links to terrorism or subject to sanctions.
Cyber coverage in a ransomware attack
The costs of handling a cyber incident such as a ransomware attack and of defending third-party liability data breach claims can be very high. As a result, data centers will typically have significant cyber insurance limits, taking into account the amount of sensitive or non-public data they are holding.
Cyber coverage can protect a data center against a wide range of significant losses in the case of a ransomware attack, including first-party losses and third-party liability claims that might be brought against the data center after an attack. The policy can also provide cover for general assistance with and management of cyber incidents before and after such incidents take place.
Specifically in the case of a ransomware attack, a cyber policy can indemnify both the ransom amount demanded and any fees incurred in the ransom negotiation process.
Changes for public sector data centers
The effect of a ban on public sector policyholders making ransomware payments would be a reduction in the scope of coverage for any policyholder with ransom cover in place. However, aside from that specific aspect, such a ban does not invalidate the need for data centers to have cyber coverage in place as an essential component of their insurance program, whether in the public or private sector.
In the case of a ransomware attack, even if the organization cannot be covered for the ransom payment, another key provision in a cyber policy covers costs arising from dealing with an attack. In these circumstances, coverage for the costs of notifying customers, public relations advice, IT forensics, legal fees arising in connection with any threatened claims or inquiries, and other associated costs would still be extremely valuable to a policyholder.
Any public sector data center would need to be aware of when such changes are due to come into effect. This is the case even if the policyholder currently has ransomware payment coverage under a policy in place at the time that legislation comes into force. Policyholders should discuss this in advance with brokers and insurers to ensure that premiums are charged only for the coverage actually in place, even if the premium was agreed on different terms.
Potential future impact for private sector data centers
While private sector data centers increasingly work with expert coordinated incident response teams, which seek to avoid or minimize any payment, they are unlikely to voluntarily agree with insurers to implement a non-payment policy without further legislation. The government’s motivation for seeking to disrupt and dissuade ransomware gangs from targeting public sector bodies and infrastructure does not apply in the same way to the private sector.
Instead, the government is seeking to require ransomware attack victims to engage with authorities, report attacks and confirm any intention to make a ransomware payment. This would enable the government to collect data and offer support. The immediate consequence for private sector data centers is likely to be a need to demonstrate compliance with government requirements. Any contemplated payments should in any event have been notified to insurers, regardless of whether the policy covers such payments.
The new legislation risks changing no more than the point at which insurance disputes arise, and we may see an increase in disagreements between policyholders and insurers as to which entities are banned from making payments. The Home Office is already seeking views as to whether essential suppliers to these sectors should be included within the new rules, for example, when a private sector data center is working for or with a public sector body. It may be that the ransomware attacks and the disputes about payment simply move further down the supply chain, and the differing impact between the public and private sectors may become more pronounced.