Among the key takeaways of RPC’s recently published ‘Annual Insurance Review 2025’ was the deep dive it offered into the changing conversation about ransom payments as ransomware incidents reach record highs.
On January 14, 2025, the Home Office published its consultation into the future of ransom payments.
Richard Breavington, partner and head of cyber & tech insurance at RPC, shared that one of the main goals is to reduce the amount of money flowing to criminals via ransom payments. “The consultation lists six key options which differ in severity,” he said. “For example, one option explores a complete ransom ban, while another explores making no change at all.
“It's impossible to predict the consultation's outcome at this stage and whilst we do not expect a blanket ban on ransom payments, we do not expect the recommendation following the consultation to be that no action at all should be taken or that no changes should be made. This means, in the not-so-distant future, we should expect stricter requirements in the UK's stance on ransom payments.”
Breavington highlighted that any attempt to examine how successful regulators have been in toughening the stance against payouts inevitably assumes that regulators are aiming to crack down on ransom payments. While self-evidently, anyone involved in cybersecurity would not want ransom payments to be paid if that can be avoided, he said, there are situations where organisations find themselves in an invidious position if payment is not made.
“The new consultation is aimed at assessing, as a matter of policy, what the approach in the UK should be to payment of ransoms in a cyber context,” he said. “This is to be welcomed. Once the policy is clear, regulators know what they should be aiming at and are best placed to take a clear stance.”
He noted that, at present, the UK's regulatory position on ransom payments is somewhat unclear. The NCSC is against making ransom payments, he said, and in 2022, it wrote to the Law Society asking them to remind lawyers they should not advise clients to pay ransomware demands. “However, the NCSC has been involved in producing guidance with the ABI, BIBA and IUA which lists key points that organisations should consider before making ransom payments.
“That guidance makes clear that ransom payments should not be made at all. However, it also accepts that this is ultimately a business decision and, if ransoms are to be made, having advice about the steps to be taken before doing so is helpful.”
As to whether he expects the conversation about ransom payouts to meaningfully change in 2025, Breavington said: “We expect that many businesses will respond to this with genuinely varying views, which may change from sector to sector and depending on the size of a business and the resources available to it.
“The consultation closes in April and whilst we think it will take some time before all responses are digested and a consultation response is produced, we think, in the interim, we can expect many articles and publications from various institutions which will provide their thoughts on the future of ransom payments.”
He added that it is also possible that the consultation will influence other jurisdictions.
Ransomware and the payment of ransoms is only one piece of the cyber insurance puzzle, and at the heart of solving that puzzle are organisations’ own investments in their cybersecurity – and the support of the insurance industry in enabling them.
Breavington said RPC is seeing more and more organisations make investments in their security measures, both operationally and technologically. “Cyber incidents have increasingly become a board level concern,” he said.
Of course, larger organisations and certain industry sectors will invest more heavily because they face a higher level of risk. “However, we do think smaller organisations are becoming increasingly aware of the potential impact,” he added.
“We expect businesses' investment into cyber security will continue, especially with new legislation being introduced across the EU and UK which requires higher levels of compliance than ever before.”