UK Regulators Urge Boards to Plan for Ransomware — April 24, 2023
The UK National Cyber Security Centre and Information Commissioner’s Office sent an open letter to company boards warning against paying ransoms and emphasising incident preparedness.
Executive briefing: The UK National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) issued a joint open letter to corporate leaders. The regulators cautioned that paying ransomware demands does not reduce regulatory penalties and urged boards to invest in resilience, planning, and timely reporting.
Key messages for boards
- No leniency for payments. The ICO reiterated that ransom payments will not reduce potential fines under the UK GDPR or DPA 2018.
- Preparedness expectations. Boards should test incident response plans, maintain offline backups, and ensure rapid engagement with law enforcement and the ICO.
- Transparency. The NCSC encouraged early contact with the agency for technical support and stressed the importance of sharing indicators with the wider community.
Recommended actions
- Review board-level cyber risk reporting and ensure ransomware scenarios are covered in exercises and tabletop drills.
- Document decision-making processes for incident response, highlighting why ransom payments are discouraged and how regulatory reporting will be handled.
- Align breach notification procedures with UK GDPR timelines and maintain evidence of security controls to support any regulatory investigation.
Strategic considerations
- Stakeholder communication. Prepare clear messaging for customers and partners explaining post-incident remediation and cooperation with authorities.
- Insurance reviews. Confirm cyber insurance policies do not create incentives to pay ransoms and ensure coverage for forensic support and recovery.
- Supply chain. Extend preparedness expectations to suppliers and managed service providers, including breach notification clauses and joint exercises.
Zeph Tech is facilitating ransomware tabletop workshops for UK clients to demonstrate compliance with NCSC and ICO expectations.