Mandatory Ransomware Reporting: UK’s New Cyber Defense
The British government has introduced a new Cyber Security and Resilience Bill, aimed at updating existing cybersecurity regulations. The decision was announced in the King’s Speech at the opening of Parliament, in response to the increasing number of ransomware attacks on UK companies.
The bill mandates that companies report incidents of ransomware attacks. This measure aims to improve the government’s awareness of cyberattacks and facilitate timely responses. Officials assert that the new regulations will help close existing security gaps and prevent attacks on critical public services.
However, the proposed bill is less ambitious than the initial plans by the Home Office. Previously, it was suggested that all ransomware victims be required to report incidents and obtain government approval before paying ransoms. There were also plans to prohibit companies in the critical infrastructure sector from paying ransoms, thus depriving hackers of incentives to target such facilities.
The current version of the bill will apply only to “regulated entities,” not the entire private sector. These entities may include managed service providers (MSPs) that support IT infrastructure for small businesses. It remains unclear whether the new rules will extend to other third-party services involved in critical infrastructure supply chains.
Critical organizations in the UK have faced repeated cyberattacks. For instance, in June, an attack on Synnovis led to the cancellation of thousands of medical appointments and surgeries in London, including hundreds of cancer treatments.
The current cybersecurity laws, known as the Network and Information Systems (NIS) Regulations, were enacted in 2018 based on an EU directive. They establish security standards for critical infrastructure and digital service providers and mandate the reporting of cyberattacks.
However, the high threshold for mandatory incident reporting keeps the actual number of such reports low. For example, an NIS reportable incident for the electricity distribution network must involve an unscheduled loss of supply affecting fewer than 50,000 customers for more than three minutes. An incident affecting a nationally significant DNS resolver must result in a service bandwidth drop of more than 25% for at least 15 minutes.
The updated laws will review such thresholds and require companies to increase their reporting of cyberattacks, giving the government a more comprehensive understanding of existing threats and enabling timely responses to potential attacks. The bill will also empower industry regulators to enforce cybersecurity compliance, including cost recovery and the investigation of potential vulnerabilities.
The bill is being developed by the Department for Science, Innovation, and Technology. The exact timeline for its introduction to Parliament has not yet been announced.
In early June, London faced a severe healthcare crisis after Synnovis, which provides laboratory services to hospitals, was hit by a ransomware attack. Numerous surgeries had to be canceled, and several major London hospitals declared emergency status.
According to Sophos, the median amount paid to ransomware attackers last year reached a record $2.54 million, a 41-fold increase from the previous year’s $62,500. The study involved 275 critical infrastructure organizations, of which 86 disclosed financial details of incidents. The average ransom amount in 2024 rose to $3.225 million, six times higher than the previous year.
