Question to the Home Office:

To ask His Majesty's Government what consideration they are giving to exemptions to the proposed ban on ransomware payments for operators of critical national infrastructure.

Protecting the UK from cyber threats is a top priority for this Government. Ransomware measures are being considered as part of a wider all-of-Government approach to reduce cyber threats, alongside the Cyber Security and Resilience Bill by DSIT.

It is long-standing Government advice, and that of the National Cyber Security Centre, to not pay ransoms as there is no guarantee of a return to business-as-usual provision. .

We have consulted on this, and as published in the Government response to ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting (accessible) - GOV.UK, there was split feedback regarding whether a targeted ban should have an exceptions(/exemptions) process. 43% of respondents agreed, 40% disagreed, 17% didn’t know. Qualitative responses cited national security and public safety as reasons for the need.

As with all feedback provided in the consultation response, the Government is considering the most appropriate and proportionate course of action and developing the policy in collaboration with industry and the relevant Government departments. No final decision has yet been made, and the Government is looking very carefully at all options.