Home Office Consultation: Ransomware proposals   

The Home Office have launched a consultation on legislative proposals for ransomware. Their proposals aim to introduce legislation to increase incident reporting and reduce payments to criminals.  


About us

The Local Government Association (LGA) is the national voice of local government. We are a politically led, cross-party membership organisation, representing English councils. Our role is to support, promote and improve local government, and raise national awareness of the work of councils. Our ultimate ambition is to support councils to deliver local solutions to national problems. 

The Society for Innovation, Technology and Modernisation (Socitm) is a membership organisation of more than 2,500 digital leaders engaged in innovation and modernisation of public services. Established for more than 30 years, our network combines to provide a strong voice, challenge convention, and inspire change in achieving better place-based outcomes for people, businesses, and communities.    

The Society of Local Authority Chief Executives (Solace) is the UK's leading membership network for public sector and local government professionals. We currently represent over 1,600 members across the UK and have regional branches across the country which host a number of events such as regional development days, skills days, and networking opportunities.

iNetwork is a membership led partnership for local public sector-based organisations. Established 20 years ago, we currently have over 120 members across the North West and Yorkshire and Humber. We have a strong collective voice empowered to confront the most pressing challenges in the local public sector to drive innovation and change to enhance service delivery for our residents, patients, tenants and service users.  

Key messages 

  • There is a critical need to bolster local government's cyber resilience against ransomware attacks. We strongly advocate for a mandatory ban on ransom payments. This would function as a powerful deterrent and ensure that resources are directed towards recovery.
  • This ban must extend beyond local authorities to encompass their essential suppliers. Failure to do so risks simply shifting the target to the supply chain, creating a vulnerable "soft underbelly". Currently, some suppliers acting as data processors provide inconsistent and incomplete incident disclosure despite their data protection obligations, which leaves councils, as data controllers, exposed to significant risk and without access to critical information. To mitigate this, councils require stronger levers than contract clauses to compel data processors to report the details of incidents. Furthermore, effective implementation requires that legislation defines 'essential supplier' collaboratively with the sector and establishes a robust implementation and enforcement framework.
  • A comprehensive payment prevention scheme, coupled with a mandatory and insightful reporting regime, would deliver strategic, ecosystem-wide support against escalating cyber threats. The reporting regime, in particular, would provide essential data for informed resilience strategies, while improved information sharing between local and central government would ensure swift and coordinated responses.
  • Incentives for Vendors: To maximise its effectiveness and uptake, a certification for vendors that complete AIME should be explored. A central repository of certified organisations, similar to the ATRS records repository, could be established.
  • Legislation alone is insufficient. A comprehensive approach requires proactive measures, including enhanced collaboration between sectors, adequate funding, and clear assurance mechanisms. This includes a unified approach to supplier assurance, and improvements to the cyber insurance market, which currently does not adequately serve local government needs.
  • There is a pressing need for increased cyber security capacity and resourcing within local government. This includes better training, increased staffing and, crucially, more substantial, coordinated and timely support from central government during cyber incidents, including supplier incidents. Without these complementary measures, the proposed legislation, while a positive step, will fall short of effectively addressing the growing cyber threats facing local government.

Introduction and Context

Local government forms a significant part of the public sector, with £121 billion annual spend and a workforce of 1.18 million, second only to the NHS. Local government is responsible for a range of vital services for people and businesses throughout the UK, interacting with every household in Britain at different points of the lifecycle. Services include support to the most vulnerable in our society through adult and children's social care and housing, as well as schools, licensing, business support, registrar services and planning.

At the beginning of 2025, the LGA published its State of Digital Local Government report. This work highlighted the significant challenges the sector is facing but also the immense opportunity for change and transformation. In it, the LGA highlighted how councils hold a unique position within the public sector technology ecosystem: they hold information on every resident, exchange data with nearly every branch of government, and enable the digital economy in the places they serve.

UK local government faces a significant and escalating cyber risk, as demonstrated by the attacks on Redcar and Cleveland and the London Borough of Hackney in 2020 and on Gloucester City Council in 2021. These incidents caused severe financial, operational and reputational damage, putting the sensitive data of vulnerable residents at risk. They resulted in substantial financial losses, critical service disruptions and eroded public trust.

In the non-technical support it offers to councils that experience a ransomware attack, the LGA has long advised against the payment of ransoms and has long supported a ban on ransom payments for the public sector. In written evidence to the Joint Committee on the National Security Strategy (JCNSS) inquiry on ransomware in 2022, the LGA outlined this support and the wider needs of the sector when responding to ransomware attacks.

Ransom Payment Ban on Public Sector

While many councils already operate under the assumption that ransom payments are unacceptable, formalising this stance through a legal ban would significantly reinforce the sector's cyber resilience. The proposed ransomware payment ban would support local government's cyber security in two key ways. Firstly, a well-communicated ban would act as a powerful deterrent to ransomware actors: if local government is clearly understood to be a non-paying target, its perceived financial value falls, discouraging attacks. Secondly, at a time of crisis it would ensure that effort and resources are focused on recovery, because the contentious decision on whether to pay a ransom is removed entirely. The London Borough of Hackney, attacked in 2020, is still addressing the impact of that attack in 2025, and the Redcar and Cleveland cyber-attack in the same year is reported to have cost the council £11.3 million. These examples show the significant and long-term impact ransomware attacks can have on councils' resources, capacity and decision-making.

Oral evidence from Councillor Mary Lanigan to the JCNSS inquiry on ransomware highlighted how much time and energy in the response to a cyber-attack goes into discussing whether a ransom should be paid, particularly in discussions with central government. Councillor Lanigan's evidence also showed that the impact of a cyber-attack is not only fiscally damaging to the council in the long term but also falls significantly on citizens. The cyber-attack directly affected vulnerable children, hindering social care services, and caused financial hardship by delaying crucial benefit payments to residents. This highlights the socio-economic imperative to ban public sector ransom payments and to support the local government sector in building cyber resilience.

If legislation is adopted, it is essential that there is clear guidance on the implementation of the proposed ban, including clear guidance on enforcement. Guidance should set out who is responsible for the payment of a ransom: the council as an organisation, or an individual within the workforce such as the Section 151 Officer or Chief Executive. This should be consulted on with the sector.

Ransom Payment Ban on Public Sector Suppliers

It is crucial that the suppliers of local government are included in a sector ransom payment ban. If suppliers to the sector are not included, there is a significant risk that ransomware demands will be displaced into the supply chain, creating a "soft underbelly".

The sector is intrinsically linked to private sector suppliers. Suppliers are crucial to the day-to-day delivery of local services, which includes the sharing of data. Due to this interdependence and data sharing relationship, it is crucial to note that the data that would be targeted in any local government supplier ransomware attack would be local government data and data of vulnerable citizens it supports and provides services for. Not including suppliers could result in the same devastating consequences for services and vulnerable citizens, and the legal consequences for authorities we continue to see in cyber incidents across the country.  

Across the sector we are seeing an increase in supplier incidents. Supplier incidents create specific challenges for councils in delivering their statutory duties to the most vulnerable residents, including a lack of clear communication, consistent collaboration and timely sharing of information. LGA research into four supply chain incidents in 2023 identified a number of factors that made dealing with a cyber-attack in council supply chains harder. Firstly, there was a lack of regulatory certainty on responsibility and legal powers in instances of a supplier attack. Due to the limited number of alternative suppliers, councils are often constrained to working with existing providers, even when there are problems with service delivery. Further challenges arise from a lack of assurance over investigation processes in supplier incidents, and from concerns that contract management and cyber security contract clauses have limited effect in power-imbalanced relationships between private suppliers and public bodies. It was also identified that there was an apparent lack of support from central government or the National Cyber Security Centre (NCSC) in many cyber incidents; responses are often uncoordinated at a central level, with no incident response plans in place that reflect a clear understanding of local government. A lack of timely communication and cooperation limits councils' ability to respond to attacks and continue to deliver their vital statutory duties.

Should a proposed ban on ransom payments apply solely to public sector organisations, and not to their suppliers, the issues caused by ransomware attacks will continue. Cybercriminals could simply target the suppliers, knowing they might still pay a ransom, effectively circumventing the ban. This creates an inconsistent legal framework, where suppliers operate under different rules than the public sector bodies they serve, potentially exacerbating the situation.  

Recognising that many local government suppliers are under-resourced Voluntary, Community, and Social Enterprises (VCSEs), any legislation aimed at bolstering cyber security within the sector must be accompanied by substantial, targeted support. These organisations often operate on tight budgets, relying heavily on volunteer labour and limited grant funding, which makes it difficult to invest in robust cyber security measures. Comprehensive support for VCSE cyber resilience is crucial, not only to protect sensitive data and service delivery, but also to maintain the vital role they play in local communities. Imposing unfunded mandates would strain councils' relationships with these vital partners, potentially undermining the essential services they provide. Councils, which frequently work in close collaboration with VCSEs to deliver crucial community services, understand the financial pressures these organisations face. Expecting them to meet stringent cyber security standards without providing adequate resources risks alienating them and disrupting essential local services.

The enforcement of any potential supplier ban will need to be carefully considered, particularly with regard to how the ban will affect international companies that are not based in the UK but are part of the local government supply chain. Local government has limited capacity to enforce a supplier ban on ransom payments and in some circumstances may lack the levers to compel a supplier to respond effectively to a cyber incident. To be implemented successfully, any public sector wide ban that includes suppliers must be managed and monitored by government, given the capability and capacity challenges within the sector outlined in the LGA's State of Digital Local Government report.

The LGA is currently finalising template contract clauses that councils can use to set cyber security conditions in relationships between councils and suppliers, covering data sharing and joint service delivery, particularly for adult and children's social care. While this offers some support to councils, the approach places the onus on councils to manage a significant amount of the risk from supplier cyber incidents with limited capacity and power. Central government support and a wider ecosystem approach would be the most constructive and effective way to implement supply chain bans.

A key concern revolves around the ambiguous definition of 'essential suppliers' and its practical implementation. The sector worries that excluding certain providers could leave councils exposed to significant risks through contracts with those deemed 'non-essential'. Alarmingly, substantial vulnerabilities often reside within these suppliers, which may possess limited cyber security resources and resilience. For example, the substantial cyber-attack affecting Gloucester City Council in 2021 originated from a small regional provider of disabled facilities products. It is likely that suppliers of this nature would not be classified as 'essential' under current definitions, despite the risk they can pose. The sector has already experienced challenges with central government's supplier thresholds; for instance, the CCS strategic supplier framework excludes numerous local government suppliers on financial thresholds, even though they handle substantial risk and data. If a supplier ban is enacted, the legislation must provide a clear and precise definition of 'essential supplier', informed and endorsed by local government, to accurately reflect the sector's risk landscape. Crucially, it must also address the practical support and legislative mechanisms required for councils to effectively manage contracts and mitigate the risks associated with non-essential suppliers.

Other proposed measures

Paying a ransom not only impacts individual organisations but also puts the wider sector at risk and increases the chance of the sector being seen as a lucrative target. This is why we are supportive of both the sector ban and why we support the payment prevention regime. 

A payment prevention regime would enhance the National Crime Agency's (NCA) real-time awareness of ransomware attacks and ransom demands, providing victims with timely NCA guidance on response strategies and enabling the blocking of payments to known criminal groups and sanctioned entities, thereby disrupting financial incentives. Furthermore, this regime would compel organisations to strengthen their security posture. This could lead to improved incident reporting and a clearer understanding of attack patterns. If information is shared the enhanced visibility could reveal how, when, and which entities are targeted, potentially fostering better information sharing and collaborative efforts to combat cyber threats.  

This would be further supported by a reporting regime: it is essential for sector-wide resilience that there is a clear understanding of the scale and scope of ransomware attacks. Currently the reporting landscape is patchy and inconsistent and, as the Home Office notes in the impact assessment accompanying its proposals, cyber incidents are under-reported. For local government specifically, both resilience and response to cyber-attacks would benefit from rich data that councils can draw on to understand the risks in the cyber environment and to plan for and respond to threats.

While establishing a comprehensive reporting regime is vital, it is important to acknowledge the existing challenges of under-reporting cyber incidents, including ransomware attacks, within the local government sector. Overcoming this requires fostering a security culture that actively encourages the reporting of all incidents and near misses. Addressing these cultural and procedural aspects is fundamental to ensuring the effectiveness of any mandatory reporting requirements and to achieving a more accurate understanding of the ransomware threat landscape across the sector. 

Beyond establishing effective reporting mechanisms, the timely sharing of cyber risk information is equally critical. Currently councils are often excluded from much cyber risk information sharing because it requires higher levels of security clearance. This limits their ability both to respond to ongoing attacks across the local government sector, its supply chain and the wider public sector ecosystem, and to plan resilience against future threats. We support the initiatives of the NCSC and the Ministry of Housing, Communities and Local Government (MHCLG) Defend as One programme to address this challenge and improve information sharing. For local government to fully realise the resilience benefits of reporting and information sharing, legislation should ensure councils have access to the gathered data. Timely dissemination is vital, and its effectiveness depends on local authorities being able to act on the information.

Existing networks such as Warning, Advice and Reporting Points (WARPs), the Cyber Technical Advisory Group (CTAG) and Socitm's Nations & Regions Forum (SNRF) play a significant role in facilitating the sharing of cyber security information and best practice. Leveraging and further supporting these collaborative structures can significantly improve the dissemination of intelligence on ransomware threats and effective mitigation strategies. Developing initiatives such as local cyber fusion cells, and supporting regional Security Operations Centres (SOCs) such as the Cymru SOC and the Cymru Cyber Fusion Cell that form part of the Wales WARP, would further enhance regional and national coordination in responding to and preventing ransomware attacks. Following advocacy and commissioned research by the LGA on the feasibility of a national SOC for local government, we strongly support MHCLG's newly launched pilot with ten councils exploring how it could work for the sector.

Beyond Regulation

While the proposed legislation is a step forward, it alone will not adequately address the growing cyber risks facing councils. Regulation must be complemented by proactive measures, including strong collaboration between the sector, central government, law enforcement, regulators and the private sector, to enhance overall cyber resilience. Furthermore, a council is most resilient when there is a clear understanding that cyber security is everyone's responsibility, not just that of IT teams. In the context of rising demand on council services and reducing budgets, any support provided to councils must be holistic and adopt a whole-organisation approach.

Funding 

In consideration of a holistic support for local government cyber security, it is essential that the immense financial pressure on local government is recognised. Any comprehensive approach to cybersecurity must include funding considerations and support sector-led improvements. Cyber security demands continuous investment to address vulnerabilities associated with legacy IT and manage and mitigate new vulnerabilities that may arise from increasing digitalisation. If the investment is not continuously prioritised, there are concerns that councils will fall under the ‘cyber poverty line’ and no longer invest in what should be regarded as essential security measures.  

Cyber Assessment Frameworks 

The government must adopt a coordinated approach to cyber assurance in local government, avoiding unnecessary duplication. Numerous overlapping standards for local government not only increase the workload but may also increase the cyber threat, because they make it more complicated to comply with cyber-resilience best practice. This is why we strongly support the Cyber Assessment Framework for Local Government, launched by MHCLG in 2024, as a tool for improving governance and mitigating cyber vulnerabilities. Making the Cyber Assessment Framework for Local Government mandatory is essential to standardise cyber security practices and avoid unnecessary duplication in the sector.

Supplier Assurance 

There are currently multiple voluntary codes suppliers can use to evidence assurance, with no single security standard existing across the public sector. This has resulted in a proliferation of different cyber security questionnaires as councils produce their own to meet differing standards. These must be completed individually by suppliers, creating barriers to entry for SMEs, and processed and analysed by individual councils, creating duplication and inefficiency. These assurance questionnaires rely solely on self-assessment by the supplier, which is difficult to verify and depends on trust, putting at risk the data of some of the most vulnerable people in the UK. Because of the power imbalance between councils and major suppliers, it can be challenging for councils to drive compliance with their preferred security controls. There are also challenges in driving supplier compliance with accessibility legislation: often suppliers will 'tick the box' but not make the subsequent changes to the system that are required, leaving the council accountable for the supplier's non-compliance and perpetuating the exclusion of vulnerable residents.

The sector currently faces a number of challenges when attempting to conduct supplier assurance, and the current landscape of voluntary codes and standards lacks clarity and coherence, making this harder still. It hinders compliance and weakens councils' purchasing power. A unified, simple and strengthened approach for both vendors and buyers is essential to streamline the process and improve overall cyber security.

Cyber insurance market  

There is an insufficiently effective cyber insurance market for local government. A survey of councils in England carried out by the LGA in 2023 found that 81 per cent of 121 respondents did not have any cyber insurance, citing specific challenges with cyber insurance coverage for local government as the reason. The majority of respondents said they had considered cyber insurance but that there was a lack of suitable policies, the costs were too high, or the coverage was not suitable. These findings highlight the difficult situation councils find themselves in, without cyber insurance to help them respond to and recover from cyber incidents. There needs to be support for a more effective cyber insurance market for local government. Currently it is not worth the investment, and funding is best spent on prevention and resilience.

Capacity building and resourcing 

Councils are experiencing significant challenges in the capacity and resourcing of technical teams in digital and IT services. Across England the local government workforce is also struggling with digital skills: FutureDotNow research shows that 59 per cent of the workforce are unable to do all basic digital tasks, which hampers any organisation's ability to respond to cyber incidents.

The LGA and its partners have and continue to build communities of practice and opportunities to facilitate knowledge sharing and capacity building within the sector but more needs to be done. At a local level there are significant inconsistencies in political and organisational support for cyber security. It is essential that there is long-term workforce planning and investment in digital and technology practitioners and skills within the public sector.  

Finally, there must be more support for councils in responding to cyber incidents. The case studies mentioned above, including Redcar and Cleveland, show the significant resources that cyber incidents consume, which severely hampers councils' ability to provide everyday and vital services to vulnerable residents. The MHCLG Local Digital team are about to start trialling a centralised Security Operations Centre, for which the LGA has been calling for the past two years, and we look forward to seeing the impact and results of the trial. As the frontline of government, it is vital that the sector is appropriately supported with the weight of government powers and resources in times of severe cyber incidents.

Contact

Annie Radcliffe, Adviser - Cyber and Digital 

Local Government Association

[email protected]