Ransomware ban won’t save councils or NHS without urgent cyber investment
The UK government’s recent ban on ransomware payments by the public sector is a pivotal moment in cybercrime policy.
While hailed as a decisive step, experts caution that without parallel investment in resilience, hospitals, councils, and schools remain dangerously exposed.
Announced on 22 June, the policy prohibits pay-outs by NHS trusts, local authorities, and other critical institutions.
Consultation found nearly 75 per cent support for the measure, aimed at deterring criminals by removing their financial incentives.
Private businesses are not banned outright, but must notify the government before paying a ransom demand. Authorities promise guidance, and a legal warning where a payment would risk breaching UK sanctions because the group behind the attack is sanctioned.
Security Minister Dan Jarvis said: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on”.
He added: “That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change”.
Industry reaction
Critics say banning ransom payments is only half the battle. “The government’s intent to ban ransomware payments across public sector and critical infrastructure is a bold but necessary step – one that signals to criminal groups that the UK will not be held hostage.”
“But policy alone isn’t protection. … Without investment in resilience … risks pushing breaches underground, rather than preventing them”, said Spencer Starkey, executive VP EMEA, SonicWall.
Similarly, James Moss, director of cyber investigations at Addleshaw Goddard, warns that banning payments may expose the misalignment between individual organisational needs and national interests:
“Paying a ransom often feels like the only way to avoid further disruption”, he said. “Given the reputational damage … many companies will pay quietly … there remains an asymmetry between what is best for any particular organisation and what is best for the economy as a whole”.
Mandatory reporting proposals aim to arm law enforcement with better intelligence, but how well organisations can respond to an attack depends heavily on their preparation and capacity.
Gareth Oldale of TLT notes: “If the discretion for organisations to make that choice is reduced, Boards will need to think differently about how to respond in these often devastating and business critical scenarios”.
The government is urging organisations to bolster cyber resilience with offline backups, tested recovery procedures, and rehearsed restoration strategies.
But others stress these steps require capital and training.
High-profile cases, from Monzo’s recent £21m FCA fine for inadequate systems and controls to the British Library’s 2023 ransomware attack, where the library refused to pay but still spent months rebuilding its services, show that regulation without readiness is insufficient.
Taken together, the ban underscores government intent to disrupt ransomware economics.
But unless it’s matched with funding, guidance, and upgraded systems, the policy risks being symbolic – while frontline services remain exposed.