Mandatory ban on councils making ransomware payments would be “powerful deterrent”: Local Government Association
The Local Government Association has backed Home Office proposals to ban local authorities from making ransomware payments, noting that the move would act as a "powerful deterrent".
However, the organisation warned that any legislation must be accompanied by stronger supplier obligations, improved information sharing and better resourcing if it is to be effective.
Ransomware attacks are a type of cyber-attack in which malicious software prevents a user or organisation from using a device or accessing the files stored on it.
The attackers then demand payment in order to restore the victim's device and data to working order.
The consultation, which closed on 8 April, proposed new legislation that would introduce a targeted ban on ransomware payments for the public sector, a ransomware payment prevention regime and a ransomware incident reporting regime.
The Home Office also sought views on encouraging compliance with the ban, ranging from criminal penalties (such as making non-compliance with the ban a criminal offence) to civil penalties (such as a monetary penalty or a ban on being a member of a board).
The consultation also suggested banning essential public sector suppliers from making payments.
Local government has been the target of numerous cyber-attacks, with attacks on Redcar and Cleveland, the London Borough of Hackney and Gloucester City Council taking place over the last five years.
The attack on Redcar and Cleveland is reported to have cost the council £11.3m, while Hackney Council said it was still addressing its attack five years after it occurred.
In its response to the consultation published on Thursday (16 April), the LGA said the proposed ransomware payment ban "would support local government's cybersecurity in two key ways".
"Firstly, a well-communicated ban would act as a powerful deterrent for ransomware actors", it said.
It added: "If local government is clearly understood to be a non-paying target, it would reduce its perceived financial value, thereby discouraging attacks.
"Secondly, at a time of crisis it can ensure that efforts and resources are focussed on recovery."
The LGA also supported extending the ban to essential suppliers and warned that failure to do so would risk simply shifting the target to the supply chain, creating a vulnerable "soft underbelly".
It also called on the Government to give councils "stronger levers than contract clauses" to compel suppliers and their data processors to report details of incidents.
It said this would address the inconsistent provision of detailed incident disclosure by some suppliers, which has exposed some councils "to significant risk".
Elsewhere, the response urged the Government to collaborate with the sector to define 'essential supplier', and set out its support for a comprehensive payment prevention scheme coupled with a "mandatory and insightful" reporting regime.
It said: "The reporting regime, in particular, would provide essential data for informed resilience strategies, while improved information sharing between local and central government would ensure swift and coordinated responses."
However, the response added that legislation alone "is insufficient", adding that a "comprehensive approach requires proactive measures, including enhanced collaboration between sectors, adequate funding, and clear assurance mechanisms".
"This includes a unified approach to supplier assurance, and improvements to the cyber insurance market, which currently does not adequately serve local government needs", it said.
The LGA also called for better training, increased staffing, and more substantial, coordinated, timely support from the central government during cyber incidents, including supplier incidents.
"Without these complementary measures, the proposed legislation, while a positive step, will fall short of effectively addressing the growing cyber threats facing local government", it warned.
Adam Carey