In an increasingly hostile world where societies can be destabilised by cyber-attacks launched by adversarial nations, we need to up our cyber security game as a country.
The National Cyber Security Centre has reported a 50% increase in British cyber incidents deemed ‘highly significant’ over the past year. Furthermore, of the 429 incidents the NCSC was called upon to assist with, at least half were considered of “national importance”.
Amongst the significant threats identified in the NCSC’s 2025 Annual Review are hostile states such as China – linked to a coordinated campaign involving three China-based companies targeting foreign governments and critical networks – and Iran, which the NCSC assessed as a highly likely threat to UK entities.
UK IT leaders are understandably alarmed. Research from Armis has revealed that 74% of UK IT leaders cite China and 71% cite Russia as their top cybersecurity concerns.
And if that is not enough, recent espionage trials have thrown a harsh spotlight on the scale and intent of state-sponsored cyber operations.
The threat is undeniable: we must act with urgency to safeguard UK-based companies and critical infrastructure before these escalating menaces begin to seriously disrupt the functioning of our nation.
Under current legislation, cyber-attacks need only be reported in limited circumstances, namely: organisations handling personal data must report cyber-attacks that pose a likely risk to individuals’ rights; operators of essential services and relevant digital service providers must disclose incidents with a “substantial service impact”; and a few regulated sectors, such as those overseen by the FCA and SRA, follow their own cyber incident reporting requirements.
Notably, there is no requirement for companies to disclose when a ransomware payment has been made, despite the significant financial burden such payments can impose.
Cohesity’s 2024 Global Cyber Resilience Report found that 59% of companies targeted by ransomware chose to pay, with an average cost of £870,000 and some reaching as high as £20 million.
The reality is clear: cybercrime, particularly extortion and ransomware, has outpaced existing legislation.
It has allowed dangerous gaps to emerge in our intelligence gathering, gaps that criminals are likely to exploit, and has weakened the defences of our national critical infrastructure against these escalating threats.
My Cyber Extortion and Ransomware (Reporting) Bill seeks to close these gaps and reinforce the UK’s resilience against cybercrime.
Following Australia’s successful implementation to date of a mandatory ransomware payment reporting regime, it is imperative that the UK follows suit.
My Bill will require any British company registered under the Companies Act 2006 that has an annual turnover above £25 million per financial year, or is responsible for a critical national infrastructure asset, to inform the Government, through the established reporting channel, within 72 hours of becoming the victim of a cyber extortion or ransomware attack.
National critical infrastructure comprises all 13 sectors defined by the Government: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, and Water.
Any company that is the victim of a cyber extortion or ransomware attack will have to submit a further report to Government, within 72 hours of the transaction taking place, if any payment – monetary, intellectual property, or otherwise, including an exchange of gifts, services, or other benefits – is made by the company or by a third party on its behalf.
All reports made to the Government via the established route will be legally protected from publication, unless disclosure is deemed to be in the national interest.
Any company that fails to report an attack within the 72-hour window will be liable to a fine.
We have all witnessed the shocking headlines: major British companies under siege from cyber-attacks, resulting in severe disruption and millions lost in revenue. From M&S to the Co-op, Harrods to JLR – these attacks have been crippling.
And yet, the Government currently has no legal right to know whether a ransom payment was made to restore their systems.
But what if that payment was made to a terrorist organisation?
What if it was sent to a hostile state?
It is not the fault of the companies who, under immense pressure and with limited options, choose to pay to regain control of their operations.
The fault lies in the gaps within our legislation; gaps that allow ransom payments to go unreported, potentially fuelling even greater threats against our nation.
We must act decisively and without hesitation to safeguard British businesses and protect our national security.
The choice before us is stark: either we allow ourselves to become increasingly exposed as criminals outpace our outdated legislation and other nations fortify their defences, or we rise to meet the moment with urgency, resolve, and the protections our country demands.
It is time for us to send an important message: we will not allow cyber criminals to continue operating in the shadows, unchecked and unchallenged.

Bradley Thomas MP
Bradley Thomas is the Conservative MP for Bromsgrove, and was first elected in 2024.