New Ransomware Legislation: Implications for UK Data Centres

By Peter Hardy, Partner, Eleanor Ruiz, Counsel, and Asélle Ibraimova, Counsel, at Reed Smith.

Monday, 15th September 2025. Posted by Phil Alsop.

At present, making ransom payments in the case of a ransomware attack is not unlawful unless funds are directed to sanctioned or terrorist-linked groups, although making ransom payments is discouraged by UK authorities. As a result, many organisations still weigh the option of paying to mitigate disruption. 

In January 2025, however, the UK government proposed prohibiting ransomware payments by public sector bodies and Critical National Infrastructure sectors, which include Data Infrastructure as a sub-sector of Communications (a September 2024 development). This measure aims to deter attacks and clarify obligations for organisations and insurers, while removing the need for the complex forensic checks on payment sources and destinations that currently have to be made to avoid the risk of breaching sanctions law. Whilst the government has not yet imposed a timeline for implementing these proposals, it published its response to the public consultation in July 2025 and is giving every indication that it will continue to make progress with these reforms.

These developments will significantly impact data centres. Data centres have always been an attractive target for ransomware attackers because of the valuable and sensitive material they hold, and a ransomware attack on a data centre has the potential to disrupt an entire supply chain.

Operators will need to prepare by adopting stronger compliance measures and maintaining closer transparency and collaboration with their customers, ensuring resilience. Cyber insurance will enable entities including data centres to transfer the risk of ransomware attacks effectively and account for the different types of loss which might be sustained where ransomware payments are prohibited. Cyber insurance policies also provide expertise in incident response, communication, and legal matters. 

Cyber insurance cover for ransomware payments and other losses

Given the amount of sensitive and valuable data that they hold, data centres often find themselves exposed and in the crosshairs of cyber-attackers. The costs of handling a cyber incident such as a ransomware attack and of defending third-party liability data breach claims can be very high. Consequently, data centres will typically have significant cyber insurance limits.  

Cyber coverage can protect a data centre against a wide range of significant losses arising from a ransomware attack. As well as covering first-party losses and third-party liability claims that might be brought against the data centre after an attack, insurance policies can also provide cover for general assistance with and management of cyber incidents before and after such attacks occur.

Specifically, a cyber policy can currently provide for indemnification in respect of both the ransom amount demanded and any fees incurred in the ransom negotiation process. Whilst this is not by any means universally included in cyber policies, it is not uncommon. Should the UK government proposals be implemented in respect of Critical National Infrastructure sectors, then cover that is currently included for ransom indemnification would have no value to a data centre which was prohibited from making any such payments.  

Looking towards the future with those proposed changes in mind, data centre operators may want to look at revising their cyber insurance coverage to strengthen other elements of cover, and to address the different risk profile and potential losses in a ransomware attack scenario where the data centre does not have the option to pay the ransom. 

For data centre operators, cyber insurance policies will likely already reach beyond ransom indemnification to cover the wider costs of an attack. This wider cover will become the focus should ransomware payments be prohibited. Key protections include IT forensics, system restoration, business interruption losses, and expenses linked to customer notifications or credit monitoring. Strong cyber insurance policies also provide for third-party liabilities, including legal defence and regulatory investigations, alongside access to expert services such as PR support and incident response teams. These features ensure operators are equipped to manage the financial, operational, and reputational damage caused by ransomware, even if ransom payments themselves are restricted.

How operators can prepare for increased compliance 

To prepare for the UK’s proposed restrictions on ransomware payments by public sector bodies and critical infrastructure operators, data centre operators should take proactive steps to strengthen both compliance and resilience. Robust procedures should be established or refreshed for reporting incidents and documenting decision-making around ransomware response, while also working to reduce and redirect any reliance on ransom payments in a scenario where new legislation may prohibit such payments.

Close engagement with insurers and brokers will also be essential to confirm that the cyber policies currently in place both reflect the current legal position and can be adjusted as appropriate, bearing in mind the government proposals. Providers should confirm the scope of the available cover and make any necessary adjustments with their insurers to prepare for such changes. In a scenario where ransomware payment cover is not available, comprehensive protection for non-ransom costs such as IT forensics, breach notifications, PR advice, and legal support becomes even more important.

Data centre operators should maintain clear communication channels with regulators, insurers, and clients to ensure they are prepared to adapt to any such changes as they are made and maintain compliance, whilst avoiding the risk of a damaging attack without the necessary procedures and insurance protection in place during a period of transition.

Next steps  

The evolving legislative landscape anticipates significant reform for Critical National Infrastructure sectors, including data centres. As key ransomware targets, data centres should be prepared to adapt to comply with these new government proposals when they are implemented. Part of that vital preparation will undoubtedly include reviewing and updating cyber insurance coverage, to bring it into alignment with any such changes. If ransomware payments are to be prohibited, data centre providers will need adequate cyber cover for a different scope of potential losses, and maintaining rapid response capabilities to safeguard operations will take on even greater importance.