U.K. to introduce mandatory ransomware reporting, raising risk of ‘box-ticking’ compliance
By 
Neil Hodge2025-09-22T20:25:00
The U.K. plans to force companies to notify the government of ransomware payments, and while its demands have been largely welcomed, experts warn there is a risk that corporations may focus on “box-tick” compliance instead of planning for effective cyber-resiliency because it is the more affordable option.
Critics add that mandatory reporting could also open companies up to potential sanctions from data protection authorities, as well as legal action from customers, consumers, and investors due to personal information being hacked. According to tech security firm Sophos’ most recent State of Ransomware report released in June, the average total cost of recovery for U.K. organizations rose to USD $2.58 million, compared to USD$2.07 million the previous year (though recovery times have improved). The U.K. government’s own figures suggest that ransomware attacks on U.K. businesses have doubled in the past year, affecting some 19,000 businesses.
The U.K. proposals are part of a wider scheme called “Plan for Change,” which aims to bolster national security, provide crime agencies with better intelligence, and push companies to improve their cybersecurity and operational resilience.
Related articles
-
ArticleEmployee faith in whistleblowing programs wanes when companies act selectively
Whistleblowing hotlines are rightly championed as valuable tools for employees and even third parties to raise concerns about corporate conduct. But it seems some complaints may be acted upon more keenly than others, particularly if blame can be pinned to one individual and any potential fallout can be ring-fenced.
-
ArticleU.K. enforcement appetite over off-channel comms grows as U.S. wanes
The U.K’.s financial regulator has given a strong indication that financial firms’ use of unauthorized devices and apps is under scrutiny and that policies around off-channel communications need to be tightened up.
-
ArticleGeopolitical risks among compliance concerns for metals, mining companies
Companies working in the metals and mining sectors face increased compliance checks due to efforts to clamp down on abuses in the supply chain, while “volatile” geopolitical changes make sourcing and transporting raw materials more difficult and expensive.
More from Regulatory Policy
-
PremiumU.K. FCA establishes framework for unlisted companies to trade shares on a ‘buyer-beware’ basis
Private companies that are keen to trade their shares but do not wish to become listed have gained another way to trade their shares. The U.K. government completed its initial review and published rules for the system in June.
-
ArticleDOJ is ramping up, not ramping down, health care fraud enforcement
While the Trump administration may have shifted away from pursuing small, white-collar, financial crimes, its focus on health care fraud cases is as hot as ever.
-
ArticleFinCEN seeks to lighten the regulatory load on casinos
Regulatory relief from anti-money laundering rules is in the cards for casinos, insurance companies and other non-bank financial institutions, the U.S. Treasury Department’s Treasury’s Financial Crimes Enforcement Network (FinCEN) said Monday.