Supermarkets and food businesses will be required to notify the government of any intent to pay a ransom to cyberattackers, under proposed new legislation.

While public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, will be outright banned from paying ransom demands to criminals under the measures, businesses would have to report their intention to do so.

The government “could then provide those businesses with advice and support” it said, as well as warning them “if any such payment would risk breaking the law by sending money to sanctioned cyber criminal groups, many of whom are based in Russia”.

The government is also developing a new “mandatory incident reporting regime” for businesses above a certain size, which would have to alert authorities to any cyber incidents. The move would “equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities”.

The move comes after a spate of devastating attacks on British retailers, including M&S, Co-op and Harrods, which “have brutally exposed the alarming vulnerability at the core of our public and private institutions” the government said.

“Cyber criminals have not only cost the nation billions of pounds, but in some cases have brought essential services to a standstill,” it added.

The new measures were welcomed by Co-op CEO Shirine Khoury-Haq, who last week revealed that all 6.5 million of the convenience retailer’s members had their data stolen in the punishing attack.

“We know first-hand the damage and disruption cyberattacks cause to businesses and communities. That’s why we welcome the government’s focus on cyber crime,” she said.

“What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”

Similar legislation was passed into law in Australia in November. When a business above a certain size is extorted through ransomware there, it must inform the Department of Home Affairs and the Australian Signals Directorate within 72 hours. Businesses that make ransom payments in secret or fail to meet their reporting obligations face fines of around £45,000.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said UK security minister Dan Jarvis.

“That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” he added.