Following on from the consultation in the Spring, Ransomware: proposals to increase incident reporting and reduce payments to criminals, the Home Office has published an overview of submissions and its response. Overall, the feedback on the proposals was “positive and constructive”, and the Government intends to move forward with all three of its proposals, bringing in legislation to implement them.
- Proposal 1: targeted ban on CNI operators: CNI operators would be banned from making ransomware payments.
- Proposal 2: a new ransomware payment prevention regime: for businesses not included in the CNI ban.
- Proposal 3: an incident reporting regime: a new mandatory, threshold-based incident reporting regime.
At this stage, it is unclear whether CCUK members would fall under the scope of the CNI ban, or what the implications of other measures, such as dual reporting, would be. The Government has promised to publish “detailed guidance” before new reporting obligations come into force, as concerns from the NCA and other groups remain that these proposals may not have the deterrent effect the Government is hoping for.
In addition, the Home Office is reviewing the Computer Misuse Act (1990), and an update to this may be introduced alongside ransomware legislation.