On April 8, 2025, the IIF submitted its response to the UK Home Office's consultation on proposed ransomware legislation.
While the IIF supports the government's objective to reduce criminal funding and improve incident reporting, the response raises significant concerns about unintended consequences of the proposed measures, particularly the proposed ban on ransomware payments for critical national infrastructure (CNI) operators, which could create substantial challenges for financial institutions and their customers.
The IIF emphasized that ransomware payments are typically made only as a last resort after careful risk assessment when no viable alternatives exist to recover critical systems or protect sensitive data. The response cautions that overly restrictive policies might inadvertently create greater operational risks by removing options for organizations facing sophisticated attacks.
The submission outlines several alternative approaches that could prove more effective, including enhanced cybersecurity capabilities, supportive compliance frameworks, and international harmonization of ransomware response protocols.
The complete consultation response, including detailed survey answers and policy recommendations, is available in the IIF's letter and appendix.