Xcina Blog

Government launches consultation on new approach to Ransomware

In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses why the Government has launched a consultation on adopting a new approach to ransomware, why the ICO is publishing guidance on employee records storage and retention, and why DSIT is publishing an AI Cyber Security Code of Practice. We review the implications for UK businesses and individuals. Find out more below.

Government launches consultation on new approach to Ransomware

What happened

  • The Government has launched a consultation which proposes a completely new approach to Ransomware
  • The consultation ends on 8 April 2025 and its aim is to ‘disrupt the business model of the ransomware gangs’
  • Ransomware occurs (i) where threat actors use malware to prevent victims from accessing data/systems (ii) where the use of data/systems is impaired (iii) where threat actors enable the theft of data from victims’ systems
  • A ransom is then demanded for the return, or non-publication or non-destruction of this data
  • Paying the ransom does not guarantee the promised outcome and many businesses have a policy of not paying ransoms

The consultation asks for feedback in three areas:

  • (i) a targeted ban on ransomware payments for public sector bodies and owners of critical national infrastructure. It also asks whether this ban should be extended to ‘essential suppliers’ to these sectors and whether a breach of the ban should be classed as a criminal or civil offence
  • (ii) a ransomware payment prevention regime, under which all victims outside the ban would have to engage with the authorities and report their intention to make a ransomware payment before doing so
  • (iii) a ransomware incident reporting regime, under which victims would have to report within 72 hours if a demand has been received, state whether their organisation is able to recover based on its current resilience measures, and state whether the ransomware group is identifiable. A full report would then need to be submitted within 28 days

Why it matters

  • Ransomware is big news and is thought to be the biggest serious and organised cybercrime threat and the largest cybersecurity threat
  • The consultation is a pragmatic approach in that it (i) streamlines reporting obligations (ii) looks to discourage ransomware payments and (iii) creates a hierarchy within criminal enterprises in attempting to stop payments to the worst offenders
  • If a ransomware attack involves personal data, victims would need to report the incident to the ICO within 72 hours, as well as notifying data subjects without undue delay
  • Victims of complex attacks, operating in crisis mode, are unlikely to understand all the background details of the attack well enough to provide the ‘full report’ within 28 days, and may therefore be unable to identify or implement resilience measures within this timeframe. This needs to be raised in the consultation


Next steps

The aim of the consultation is to disincentivise expensive and potentially devastating attacks on public bodies.

It remains to be seen how effective this is, particularly as some threat actors do not have financial motives. It could also lead to more attacks on private organisations.


Details of the consultation can be found at Ransomware: proposals to increase incident reporting and reduce payments to criminals – GOV.UK

ICO publishes employee records storage and retention guidance

What happened

  • The ICO has issued new guidance to help employers understand their obligations relating to employee records, under data protection law
  • The guidance outlines the type of records that employers need to keep about their workers (such as training records, health records and pension information)
  • It explains that employers must identify a lawful basis under which they can retain their employees’ personal information
  • It also identifies the particular lawful bases that are relevant in an employment records context
  • These include contract, legal obligation, legitimate interest and vital interests
  • The guidance also outlines the need for employers to identify the minimum amount of personal data they need to hold for their workers, and not to exceed that amount
  • The guidance emphasises that the employer is responsible for taking reasonable steps to ensure that the personal data is accurate and up to date
  • Finally, guidance is given on how employers should determine how long to hold onto their employees’ personal data to uphold the storage limitation principle, what must be done to keep this data secure, and what rights employees have in relation to their personal data

Why it matters

  • Employee records contain some of the most sensitive types of personal data, such as sickness and injury records and occupational health information. It is important that these records are handled carefully and in compliance with data protection laws
  • All of the data protection principles apply, but an extra level of care is needed for this more sensitive personal data
  • Records held by Human Resources departments should only be accessed by those who need to view them and they should be segregated accordingly


Further information

The ICO’s article can be found at Employment information | ICO


DSIT publishes AI Cyber Security Code of Practice

What happened

  • The Department for Science, Innovation and Technology has published a new Code of Practice for AI Cyber Security
  • Its aim is to protect artificial intelligence (AI) systems from cyber threats
  • The Code is voluntary and applies to AI systems incorporating deep neural networks
  • It provides guidelines for securing these AI systems over their entire lifecycle
  • The Code describes how organisations using AI can protect themselves from cyber threats including AI attacks and system failures
  • The Code recommends cyber security training programmes focused on AI vulnerabilities
  • An implementation guide has also been created to support organisations in adhering to the Code
  • The Code does not apply to AI systems developed for academic research that will not be deployed
  • The Code has 13 principles and sets out standards for each principle along with more detailed guidance for their implementation

Why it matters

  • AI is transforming our daily lives and as technology continues to evolve, it is important that we protect AI systems from growing cyber security threats
  • The new Code of Practice contains baseline cyber security principles to make sure AI systems are secure
  • Protecting AI systems is crucial in protecting UK citizens and the UK’s digital economy


Further information

The Government’s policy paper can be found at AI Cyber Security Code of Practice – GOV.UK
