75% of UK Businesses Would Break a Ransomware Payment Ban to Save Their Company, Risking Criminal Charges

Rhea-AI Summary

Commvault (NASDAQ: CVLT) has released a revealing study about ransomware payment attitudes in the UK. The research shows that while 96% of UK business leaders support banning ransomware payments, 75% would still pay if it meant saving their organization, despite potential legal consequences.

The study, surveying 1,000 business leaders from companies with £100 million+ revenue, found strong support for payment bans in both public (94%) and private sectors (99%). However, only 10% would actually comply with such a ban if attacked. The research also revealed that 43% of UK businesses experienced cyber security breaches in the past year, with recovery taking an average of 24 days.

Notably, 98% of respondents identified cyber readiness and recovery as a top spending priority, recognizing that prevention and rapid recovery capabilities are more effective than reactive ransom payments.

Positive

• None.

Negative

• 75% would break ransomware payment ban despite legal risks
• Only 10% would comply with the ban if attacked
• 43% of UK businesses experienced cyber security breaches in the past year
• Average recovery time from cyberattacks is 24 days

Insights

Cybersecurity Strategist

Commvault's research reveals critical disconnect between theory and practice in ransomware policy, positioning them as thought leaders in cyber resilience.

This research from Commvault strategically positions the company as a thought leader in the cybersecurity space while highlighting a critical market reality: despite overwhelming theoretical support for ransomware payment bans (96%), 75% of UK business leaders would still pay ransoms to save their organizations if faced with an attack. This disconnect between principle and practice reveals the urgent market need for robust cyber resilience solutions — precisely what Commvault offers.

The timing is particularly relevant with 43% of UK businesses (approximately 612,000) reporting cyber breaches in the past year, according to government data. The finding that recovery takes an average of 24 days creates a compelling business case for Commvault's proactive recovery solutions versus reactive ransom payments.

Most significant is that 98% of respondents now consider cyber readiness and recovery a top spending priority. This represents an excellent market expansion opportunity for Commvault's cyber resilience and data protection portfolio, directly aligning with their business model and growth strategy. The company is using this research to drive home that prevention, detection, and rapid recovery capabilities — not ransom payments — are the true solution to ransomware threats.

For investors, this research demonstrates Commvault's understanding of market dynamics and positioning ahead of regulatory changes, while simultaneously educating potential customers about the necessity of their solutions. As cyber threats continue to proliferate and potential payment bans loom, Commvault is cleverly establishing itself as an essential partner in cyber resilience rather than just another security vendor.

Despite this, 99% of respondents supported a ban in the private sector, surpassing the 94% in favour of a public sector ban

READING, England, July 30, 2025 /PRNewswire/ -- Commvault (NASDAQ: CVLT), a leading provider of cyber resilience and data protection solutions for the hybrid cloud, today published new research revealing a sharp divide between principle and practice around the proposed ban on ransomware payments. While 96% of surveyed UK business leaders from £100 million+ companies believe payments should be banned across both public and private sectors, 75% admit that if a ban was extended to the private sector, they would still pay a ransom if it were the only way to save their organisation, regardless of whether civil or criminal penalties applied.

The proposed ban would legally prohibit ransom payments by public sector organizations and operators of critical national infrastructure (CNI), including schools, NHS trusts, local authorities, and transport, energy, and telecoms providers. All other businesses, including the private sector not covered by the ban, would be required to notify the government of any intent to pay a ransom.

Support for a ban is strong in both sectors, as is shown in the survey: 94% support limiting ransom payments for public entities and 99% for private organizations. However, the survey found that in real-world situations within the private sector, if a ban were to take hold, only 10% said they would comply if they were attacked. A further 15% said they would be neither likely nor unlikely to comply. This suggests that while respondents think the ban is a good idea on paper and makes sense for government agencies, if their own company's survival is at stake, all bets are off.

Of those who support a proposed payment ban, more than a third (34%) believe it would lead to increased government support and intervention to safeguard cyber resilience. Another third (33%) believe that it would decrease the prevalence of attacks by reducing the incentive for attackers – this is one of the central aims of the ban.

The latest Cyber Security Breaches Survey 2025 from the UK Government stated that over four in ten (43%) UK businesses (equating to approximately 612,000 UK businesses) reported having experienced any kind of cyber security breach or attack in the last 12 months.

Given the proliferation of attacks, almost all respondents (98%) said cyber readiness and recovery will be a top spending priority. This reflects growing recognition that the best way to beat ransomware is to focus on resilience and technologies that can enable rapid recoveries, rather than relying on reactive payments, which may or may not help enterprises get their data back.

Recovery from a cyberattack takes 24 days on average. For large organisations this means financial losses, but for smaller organisations this can lead to bankruptcy, underlining the urgency for greater investment in recovery readiness.

"Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again," said Darren Thomson, Field CTO (security), EMEA, at Commvault. "A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing. Without that, more organisations could find themselves exposed at the worst possible moment, with no viable path to recovery."

"Ransomware and cyberattacks will be a concern for a long time, as international cyber gangs make huge profits from them and use these resources to continually develop their attack tools," says Jane Frankland MBE, CEO of Knewstart. "To break this cycle, companies must better prepare for emergencies and strengthen their cyber resilience. This will allow them to maintain operations and continue to serve customers during a cyber incident."

Research Methodology
This survey was conducted independently and exclusively for Commvault by Censuswide. It reveals the views of 1,000 UK business leaders, from companies with revenue of over £100 million.

The sample comprised of CEOs, COOs, CFOs, CTOs, CIOs, CISOs, CMOs, Chief People Officers (CPO), Chief Sustainability Officers (CSO), Chief Compliance Officers (CCO), Chief ESG Officers (CESGO) and Chief Trust Officers (CTrO). Data for this report was collected between June 4 and June 6, 2025.

Censuswide abides by and employs members of the Market Research Society, follows the MRS code of conduct and ESOMAR principles, and is also a member of the British Polling Council.

About Commvault
Commvault (NASDAQ: CVLT) is the gold standard in cyber resilience, helping more than 100,000 organisations keep data safe and businesses resilient and moving forward. Today, Commvault offers the only cyber resilience platform that combines the best data security and rapid recovery at enterprise scale across any workload, anywhere—at the lowest TCO.

 

View original content to download multimedia:https://www.prnewswire.com/news-releases/75-of-uk-businesses-would-break-a-ransomware-payment-ban-to-save-their-company-risking-criminal-charges-302516590.html

SOURCE COMMVAULT

FAQ

What percentage of UK businesses would break the ransomware payment ban according to Commvault's study?

According to the study, 75% of UK business leaders would break the ransomware payment ban to save their organization, even if facing civil or criminal penalties.

How many UK businesses experienced cyber security breaches in 2025?

The UK Government's Cyber Security Breaches Survey 2025 reported that 43% of UK businesses (approximately 612,000) experienced cyber security breaches or attacks in the last 12 months.

What is the average recovery time from a cyberattack according to CVLT's research?

According to the research, the average recovery time from a cyberattack is 24 days, which can lead to significant financial losses for large organizations and potential bankruptcy for smaller ones.

How many UK business leaders support a ransomware payment ban?

96% of UK business leaders support banning ransomware payments across both public and private sectors, with 94% supporting public sector bans and 99% supporting private sector bans.

What percentage of companies plan to prioritize cyber readiness spending?

98% of respondents indicated that cyber readiness and recovery will be a top spending priority, recognizing the importance of prevention and rapid recovery capabilities.