Table of contents
Title page
Contents
Introduction and contact details
Introduction
Contact details
Complaints or comments
Freedom of information
Executive Summary
Overview
Consultation outcomes
Proposal 1 feedback
Proposal 2 feedback
Proposal 3 feedback
Cross-cutting themes
Scope of the proposals
Penalties
Guidance and support
Cyber awareness and resilience
Methodology
Summary of responses
Respondent characteristics
Proposal 1
Proposal summary
Analysis summary
Question 10
Questions 11 and 12
Question 13
Question 14
Question 15
Question 16
Question 17
Question 18
Government policy response
Proposal 2
Proposal summary
Analysis summary
Question 19
Questions 20 and 21
Question 22
Question 23
Question 24
Question 25
Question 26
Question 27
Question 28
Government policy response
Proposal 3
Proposal summary
Analysis summary
Question 29
Questions 30 and 31
Question 32
Question 33
Question 34
Question 35
Question 36
Question 37
Question 38
Question 39
Question 40
Government policy response
Additional Comments
Analysis summary
Question 41
Question 42
Question 43
Impact Assessment, Equalities and Welsh Language
Equality Impact Assessment
Section 1 - Name and outline of policy proposal, guidance, or operational activity
Section 2 - Summary of the evidence considered in demonstrating due regard to the Public-Sector Equality Duty (PSED)
Section 3 - Consideration of duty
Section 4 - Community Considerations
Section 5 - Summary of foreseeable impacts of policy proposal, guidance or operational activity on people who share protected characteristics
Section 6 - In light of the overall policy objective, are there any ways to avoid or mitigate any of the negative impacts that you have identified above?
Section 7 - Review date
Section 8 - Declaration
Equalities
Welsh Language Impact Test
Consultation principles
Annex A - Consultation Questions
Figures
Figure 1. Breakdown of formal consultation respondents
Figure 2. Breakdown of respondents by individual and organisation
Figure 3. Agreement levels for implementing a targeted ban on ransomware payments for CNI owners and operators and the public sector
Figure 4. Perceived effectiveness of a targeted ban on ransomware payments for CNI owners and operators and the public sector for reducing the amount of...
Figure 5. Views on measures for aiding compliance with a targeted ban
Figure 6. Respondents' views on appropriate measures for non-compliance with a targeted ban
Figure 7. Whether CNI/public sector organisations need additional guidance to support compliance with a ban on ransomware payments
Figure 8. Whether organisations within CNI and public sector supply chains should be included in the proposed targeted ban
Figure 9. Whether there should be any exceptions to the proposed ban
Figure 10. Whether there is a case for further widening the ban on ransomware payments or imposing a complete economy-wide ban
Figure 11. Agreement levels for implementing different legislative measures for a new ransomware payment prevention regime
Figure 12. Perceived effectiveness of a new ransomware payment prevention regime in reducing ransomware payments
Figure 13. Perceived effectiveness of a new ransomware payment prevention regime in increasing the ability of law enforcement agencies to intervene and...
Figure 14. Perceptions on best determining the threshold
Figure 15. Respondents' views on measures to aid compliance with a payment prevention regime
Figure 16. Whether compliance measures need to be tailored to different organisations and individuals
Figure 17. Respondents' views on appropriate measures for managing non-compliance with a payment prevention regime
Figure 18. Whether non-compliance measures need to be tailored to different organisations and individuals
Figure 19. Who should be legally responsible for complying with the regime
Figure 20. Whether non-compliance measures should be the same or different for both the organisation and a named individual responsible for ransomware payments
Figure 21. Agreement levels for implementing different legislative measures for a ransomware incident reporting regime
Figure 22. Perceived effectiveness of ransomware incident reporting regime for increasing the Government's ability to understand the ransomware threat to the UK
Figure 23. Perceived effectiveness of ransomware incident reporting regime for increasing the Government's ability to tackle and respond to the ransomware threat to the UK
Figure 24. Respondents' views on the best way to determine the threshold for inclusion
Figure 25. Respondents' views on what measures would aid compliance with a mandatory reporting regime
Figure 26. Respondents' views on whether compliance measures need to be tailored
Figure 27. Respondents' views on what measures would be appropriate for managing non-compliance with a mandatory reporting regime
Figure 28. Respondents' views on whether non-compliance measures need to be tailored
Figure 29. Respondents' views on whether the presence of a mandatory incident reporting regime will impact business decisions of foreign companies and investors
Figure 30. Respondents' views on whether 72 hours is a reasonable timeframe for a suspected ransomware victim to make an initial report
Figure 31. Respondents' views on the services to victims that should be offered by an incident reporting regime
Figure 32. Respondents' views on whether mandatory reporting should cover all cyber incidents