U.K. to introduce mandatory ransomware reporting, raising risk of ‘box-ticking’ compliance

The U.K. plans to force companies to notify the government of ransomware payments, and while its demands have been largely welcomed, experts warn there is a risk that corporations may focus on “box-tick” compliance instead of planning for effective cyber-resiliency because it is the more affordable option.

Critics add that mandatory reporting could also open companies up to potential sanctions from data protection authorities, as well as legal action from customers, consumers, and investors due to personal information being hacked. According to tech security firm Sophos’ most recent State of Ransomware report released in June, the average total cost of recovery for U.K. organizations rose to USD $2.58 million, compared to USD $2.07 million the previous year (though recovery times have improved). The U.K. government’s own figures suggest that ransomware attacks on U.K. businesses have doubled in the past year, affecting some 19,000 businesses.

The U.K. proposals are part of a wider scheme called “Plan for Change,” which aims to bolster national security, provide crime agencies with better intelligence, and push companies to improve their cybersecurity and operational resilience.  
