
Clifford Chance
Regulatory Investigations and Financial Crime Insights


Ransomware: The changing UK enforcement environment

An open letter last month from senior UK Government ministers and heads of enforcement agencies encouraged boards of UK companies to redouble their efforts to prepare for and respond effectively to ransomware attacks. Proposed changes to the law aimed at making it more difficult for businesses to make ransom payments and enhancing reporting requirements are expected to be brought forward soon.

What does the UK Government expect companies to do to prepare for ransomware attacks?

The UK Government has made three requests of the boards of UK companies:

  1. If it is not already, make cyber risk a board level priority, including by considering and drawing from the Cyber Governance Code of Practice;
  2. Sign up to the Early Warning Service run by the National Cyber Security Centre ("NCSC"); and
  3. Assess cyber risk throughout supply chains, which it suggests will be most effectively done through the use of its Cyber Essentials scheme.

It indicates that these requests are based on learnings from previous attacks.

The letter sent last month to all FTSE 250 companies plus a number of other large UK based companies asked them to provide the name of a senior individual who is the point of contact for further communications concerning cyber security related issues. It is clear that the letter was intended as the starting point for dialogue with companies. Further events are promised over the coming months, at which it is likely that further details of the UK Government's expectations and approach will be released.

Why is the UK Government engaging with companies in this way?

The letter recognises that ransomware attacks are increasing in frequency, intensity and sophistication. Such attacks are not a new phenomenon, and many occur every week without attracting publicity. However, attacks this year on household name retailers and manufacturing companies have led to some of the most significant financial consequences (measured in hundreds of millions of pounds) and most extensive periods of operational paralysis (covering significant proportions of multiple financial years) to have arisen from incursions by threat actors into companies' systems in publicised cases to date.

The letter may be seen as an acknowledgment that the impact of attacks such as those seen this year on stalwarts of the UK economy transcends those companies' balance sheets. It is felt on a macro-economic level. GDP figures published during 2025 have shown that the high-profile attacks on household name companies have had a measurable impact on productivity at a national level. In the case of the recent attack on Jaguar Land Rover, the effect on the UK economy and taxpayers' funds has been particularly clearly illustrated by the necessity for the UK Government to step in to provide multi-billion pound loan guarantee support to shore up supply chains. The letter acknowledged this, stating that the number and scale of attacks is now such that they endanger the UK's economic security (in addition to raising national security concerns). For further details, see our Clifford Chance briefing.

The wider context: The legislative and enforcement landscape

Through its open letter, the UK Government offered positive encouragement to boards of UK companies of all sizes to take concrete steps to manage the risks associated with ransomware attacks. However, this is only one strand of its approach. Data protection and financial services enforcement authorities are periodically imposing ever more substantial penalties for inadequacies in cybersecurity arrangements.

New legislation is planned to create an environment that will actively discourage companies from making ransom payments. Together, these measures are directed towards depleting the resources available to and building up the barriers faced by threat actors.

Legislative measures: Banning and preventing ransomware payments and new reporting requirements

The UK Government consulted on three key proposed changes earlier this year:

  1. A targeted ban on certain organisations making ransomware payments – a requirement for all public sector bodies and owners and operators of critical national infrastructure to make a "public and binding commitment" to non-payment of ransom demands;
  2. A ransomware payment prevention regime – an obligation on businesses intending to make ransom payments to report their intention to do so to the relevant authorities, leading to dialogue and ultimately possible steps by those authorities to block those payments;
  3. A ransomware incident reporting regime – rules requiring businesses falling victim to ransomware attacks to report, within 72 hours, the fact of the attack, any demands made and other details including their ability to cope with the attack, and to follow up with a full report within 28 days.

Full details of these proposals and how they may interact with other financial crime and regulatory considerations are included in our RIFC Insights blog post published shortly after the release of the consultation paper in January 2025. The consultation exercise ended in April 2025.

These measures do not currently feature in the Government's Cyber Security and Resilience (Network and Information Systems) Bill ("the Cyber Security Bill"), which has recently commenced its journey through Parliament and whose provisions, if passed, are due to enter into force by the end of 2026. For further details of the Cyber Security Bill, including how it may increase the penalties the Information Commissioner's Office is able to impose in connection with cyber attacks, see our detailed post on our Talking Tech blog. However, despite their absence from the Cyber Security Bill, moves are afoot to bring the ransomware proposals mooted in the UK Government's consultation paper earlier this year into law. A group of MPs is seeking to do so through a separate Private Members' Bill (the Cyber Extortion and Ransomware (Reporting) Bill). It is to be expected that they will seek to unify these legislative developments as the Cyber Security Bill progresses, and that there will be broad political consensus on the proposals in relation to ransomware.

Enforcement measures: Increasing financial penalties and possible focus on individual accountability

The Information Commissioner's Office ("ICO") remains committed to taking robust enforcement action where it identifies weaknesses in cyber security arrangements. Its decision earlier this month to fine Capita plc and Capita Pension Solutions Limited £14 million for UK GDPR infringements which it found led to the data of over 6.6 million individuals being compromised is the latest in a line of significant penalties imposed by it in respect of failures by companies to protect personal data and/or to respond appropriately to cyber incidents. Further details of the ICO's action in this case and associated litigation are included in our Talking Tech blog post. The ICO remains committed to making frequent and effective use of its enforcement powers. For analysis of how it proposes to do so, see our RIFC Insights blog post on its recently released draft enforcement guidance. Further substantial enforcement outcomes are expected to flow from ongoing ICO investigations concerning companies' responses to cyber incidents.

Cyber resilience is not the exclusive preserve of the ICO. The requests made in the letter from the UK Government are significantly less onerous than those which already apply to financial services firms falling within the regulatory remits of the Financial Conduct Authority ("FCA") and the Prudential Regulation Authority ("PRA") (and to individuals within them covered by the Senior Managers and Certification Regimes). Although the total number of enforcement cases pursued by both regulators is falling, cyber resilience remains a priority area. Both regulators are likely to show a keen interest in the steps taken by firms to manage cyber related risk, including through dialogue with the UK Government and by embedding the measures suggested in the letter in their cyber resilience plans. As a practical point, firms will also wish to ensure consistency between the individual(s) named as point(s) of contact when replying to the UK Government's open letter and those Senior Managers whose Statements of Responsibilities cover aspects of those firms' cyber resilience arrangements.

Practical points: What should companies be doing to prepare for and respond effectively to ransomware attacks?

The UK Government's letter does not set out in detail the specific steps boards should be taking beyond recommending the resources maintained by the NCSC and encouraging boards to actively discuss their arrangements with the NCSC and other relevant authorities. This is consistent with the concerted efforts made by these authorities over a period of years preceding this letter to engage with businesses about their risk management and incident response arrangements.

The support required by boards to embed appropriate risk management measures, and in particular to put in place arrangements likely to be regarded as adequate by an enforcement authority looking back over an incident with the benefit of hindsight, will go beyond the relatively high level engagement and minimum standards envisaged in the UK Government's letter. Although what will be appropriate will vary according to companies' risk profile and the nature of their business, and specialist advice is likely to be required in most cases, essential practical steps to put in place will include:

  1. Implementing appropriate preventative measures – including, for example, conducting data and risk mapping, assessing core third party risks and reviewing due diligence processes, maintaining appropriate anti-spam software, implementing multi-factor authentication, assessing the adequacy of managed detection and response software and reviewing backup and payment systems and processes;
  2. Putting in place and maintaining an appropriately tailored cyber response plan – including identifying the right individuals able to act decisively in the event of a cyber incident, ensuring that appropriate types and amounts of IT and other technical resources are available to assist immediately and that decision making and notification processes are well understood and rehearsed;
  3. Ensuring that the correct specialist external resources are available at a moment's notice – including identifying appropriate technical and legal support and discussing preferences as to which specialists will provide assistance, both internally and with insurers (where companies have relevant policies in place) to enable that support to be quickly and effectively accessed when an incident occurs.

For further details of practical steps for boards to take to prepare for and respond effectively to ransomware attacks, see our separate Clifford Chance briefing.
