Bradley Thomas
Bradley Thomas (Conservative - Bromsgrove)
Commons Chamber
A Ten Minute Rule Bill is a First Reading of a Private Members Bill, but with the sponsor permitted to make a ten minute speech outlining the reasons for the proposed legislation.
There is little chance of the Bill proceeding further unless there is unanimous consent for the Bill or the Government elects to support the Bill directly.
For more information see: Ten Minute Bills
This information is provided by Parallel Parliament and does not comprise part of the official record.
I beg to move,
That leave be given to bring in a Bill to require a company that meets a specified criteria to report any cyber extortion or ransomware attack on the company to the Government within a specified time after the attack; to make provision about the content of such reports, including a requirement to provide information about any payments made; and for connected purposes.
This is a timely and pressing matter. Illegal activity across the nation is on the rise, and cyber-attacks are no exception. The National Cyber Security Centre has reported a 50% increase in British cyber-incidents deemed “highly significant” over the past year. Furthermore, of the 429 incidents the NCSC was called upon to assist with, at least half were considered of “national importance”. Among the significant threats identified in the NCSC’s 2025 annual review are hostile states such as China, linked to a co-ordinated campaign involving three China-based companies targeting foreign Governments and critical networks, and Iran, which the NCSC assessed as a highly likely threat to UK entities.
UK IT leaders are understandably alarmed. Research from Armis has revealed that 74% of UK IT leaders cite China and 71% cite Russia as their top cyber-security concerns. If that is not enough, recent espionage trials have thrown a harsh spotlight on the scale and intent of state-sponsored cyber-operations. The threat is undeniable. We must act with urgency to safeguard UK-based companies and critical infrastructure before these escalating menaces begin to seriously disrupt the functioning of our nation.
Under current legislation, cyber-attacks need only be reported in limited circumstances: organisations handling personal data must report cyber-attacks that pose a likely risk to individual rights; essential service operators and relevant digital service providers must disclose incidents with “substantial” service impact; and a few regulated bodies, such as the Financial Conduct Authority and the Solicitors Regulation Authority, follow their own cyber-incident reporting requirements. Notably, there is no requirement for companies to disclose when a ransomware payment has been made, despite the significant financial burden such payments can impose.
Cohesity’s “Global cyber resilience report 2024” found that 59% of companies targeted by ransomware chose to pay, with an average cost of £870,000 and some reaching as high as £20 million. The reality is clear: cyber-crime, particularly extortion and ransomware, has outpaced existing legislation. It has allowed dangerous gaps to emerge in our intelligence gathering—gaps that criminals are likely to exploit—and has weakened the defences of our national critical infrastructure against these escalating threats.
The Cyber Extortion and Ransomware (Reporting) Bill seeks to close those gaps and reinforce the UK’s resilience against cyber-crime. Following Australia’s implementation of a mandatory ransomware payment reporting regime, which has so far been successful, it is imperative that the UK follows suit. The Bill would mandate any British company registered under the Companies Act 2006 that has an annual turnover above £25 million or is responsible for critical national infrastructure to inform the Government within 72 hours of falling victim to a cyber-extortion or ransomware attack, with a further report being required if any payment is made by the company or a third party on its behalf, within 72 hours of the transaction taking place.
We have all witnessed the shocking headlines about major British companies under siege from cyber-attacks, resulting in severe disruption and millions in lost revenue. From M&S to the Co-op, Harrods to Jaguar Land Rover, these attacks have been crippling, and yet the Government currently have no legal right to know whether a ransom payment was made to restore their systems. What if that payment was made to a terrorist organisation? What if it was sent to a hostile state? It is not the fault of the companies who, under immense pressure and with limited options, choose to pay to regain control of their operations. The fault lies in the gaps in our legislation—gaps that allow ransom payments to go unreported, potentially fuelling even greater threats against our nation.
The proposed threshold of an annual turnover exceeding £25 million or those responsible for critical national infrastructure has been carefully considered. It captures approximately 78% of medium-sized businesses and all large corporations, while avoiding the overwhelming influx of reports that a lower threshold would trigger due to the high number of small and medium-sized enterprises in the UK. National critical infrastructure comprises all 13 sectors defined by the Government: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport and water. These criteria capture the vast majority of companies whose compromise through attack or ransom payment could pose a serious risk to the UK. It also reflects the volume of reports our resources can realistically manage, while establishing a clear, accessible threshold so that companies are not forced to navigate complex policy during the stress of an active attack.
Another imperative component of this approach is the inclusion of all payment types, whether monetary, intellectual property, exchanges of gifts or services or other forms of benefits. This broader scope will enable law enforcement to trace criminal networks, identify patterns and disrupt the flow of illicit funds. It will help to inform better resource allocation, as well as holding the potential to foster collaboration across sectors that would result in faster alerts and stronger resilience.
I understand that many companies may have reservations regarding the requirement to report incidents and ransom payments. It could leave them vulnerable to reputational damage from potential leaks, damaging their business further. This proposal is pro-business, and that is why robust legal protections would be established to ensure that any reports made to the Government remain strictly confidential, with no right of publication, unless it is deemed to be in the national interest. This will give companies the assurance they need to report without fear and the support they deserve to help their recovery.
What happens if a company fails to report within 72 hours of a cyber-extortion attack or neglects to submit a follow-up report within 72 hours of making a ransom payment? Quite simply, it will face a civil monetary penalty. Mandated reporting is essential to our national security and collective wellbeing. Non-compliance must be actively discouraged. It is in the company’s interest, the public’s interest and the Government’s interest.
The absence of mandatory reporting, especially for ransom payments, leaves a dangerous blind spot in our national security. When companies report these payments, our security agencies gain vital intelligence—intelligence that helps us to understand who is being targeted, how attacks are evolving and where our vulnerabilities lie before they are exploited. Espionage today is not confined to spies and stolen documents. It is digital, it is silent, and it is relentless. The grey zone exists. Cyber-extortion and ransomware attacks are fast becoming the preferred weapons of hostile actors seeking to destabilise our institutions and exploit our vulnerabilities. Their attacks are becoming progressively more complex, often leaving companies with no viable alternative but to make ransom payments. From individual hackers to organised criminal gangs and state-backed attacks from overseas, we cannot afford to fall behind in the race of technological defences and expose ourselves to increasingly sophisticated cyber-extortion attacks.
While I acknowledge that the Government referenced the introduction of a cyber-security Bill in the King’s Speech, it is deeply concerning that, despite the urgency of the threat, the Bill has yet to even be brought before Parliament. Cyber criminals are not slowing down, and their methods are not becoming simpler. On the contrary, attacks are growing in complexity, scale and impact. Although I recognise that sound policy requires time to develop, we cannot afford to proceed at our current glacial pace. Delay only deepens our vulnerability, particularly in the light of recent events. We must act decisively and without hesitation to safeguard British businesses and protect our national security.
The choice before us is stark: either we allow ourselves to become increasingly exposed as criminals outpace our outdated legislation and other nations fortify their defences, or we rise to meet the moment with urgency, resolve and the protections our country demands. It is time for us to send an important message: we will not allow cyber criminals to continue operating in the shadows, unchecked and unchallenged.
Question put and agreed to.
Ordered,
That Bradley Thomas, Tom Tugendhat, Alison Griffiths, Dr Neil Shastri-Hurst, Joy Morrissey, Saqib Bhatti, John Glen, Greg Smith, Ben Obese-Jecty, Lincoln Jopp, Sir John Hayes and Jim Shannon present the Bill.
Bradley Thomas accordingly presented the Bill.
Bill read the First time; to be read a Second time on Friday 29 May 2026, and to be printed (Bill 315).