75% of UK Businesses Would Break a Ransomware Payment Ban to Save Their Company, Risking Criminal Charges 

READING, UK – 30 JULY 2025 – Commvault (NASDAQ: CVLT), a leading provider of cyber resilience and data protection solutions for the hybrid cloud, today published new research revealing a sharp divide between principle and practice around the proposed ban on ransomware payments. While 96% of surveyed UK business leaders from £100 million+ companies believe payments should be banned across both public and private sectors, 75% admit that if a ban was extended to the private sector, they would still pay a ransom if it were the only way to save their organisation, regardless of whether civil or criminal penalties applied. 

The proposed ban would legally prohibit ransom payments by public sector organizations and operators of critical national infrastructure (CNI), including schools, NHS trusts, local authorities, and transport, energy, and telecoms providers. All other businesses, including the private sector not covered by the ban, would be required to notify the government of any intent to pay a ransom. 

Support for a ban is strong in both sectors, as is shown in the survey: 94% support limiting ransom payments for public entities and 99% for private organizations. However, the survey found that in real-world situations within the private sector, if a ban were to take hold, only 10% said they would comply if they were attacked. A further 15% said they would be neither likely nor unlikely to comply. This suggests that while respondents think the ban is a good idea on paper and makes sense for government agencies, if their own company’s survival is at stake, all bets are off. 

Of those who support a proposed payment ban, more than a third (34%) believe it would lead to increased government support and intervention to safeguard cyber resilience. Another third (33%) believe that it would decrease the prevalence of attacks by reducing the incentive for attackers – this is one of the central aims of the ban.  

The latest Cyber Security Breaches Survey 2025 from the UK Government stated that over four in ten (43%) UK businesses (equating to approximately 612,000 UK businesses) reported having experienced any kind of cyber security breach or attack in the last 12 months. 

Given the proliferation of attacks, almost all respondents (98%) said cyber readiness and recovery will be a top spending priority. This reflects growing recognition that the best way to beat ransomware is to focus on resilience and technologies that can enable rapid recoveries, rather than relying on reactive payments, which may or may not help enterprises get their data back.  

Recovery from a cyberattack takes 24 days on average. For large organisations this means financial losses, but for smaller organisations this can lead to bankruptcy, underlining the urgency for greater investment in recovery readiness. 

“Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again,” said Darren Thomson, Field CTO (security), EMEA, at Commvault. “A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing. Without that, more organisations could find themselves exposed at the worst possible moment, with no viable path to recovery.” 

“Ransomware and cyberattacks will be a concern for a long time, as international cyber gangs make huge profits from them and use these resources to continually develop their attack tools,” says Jane Frankland MBE, CEO of Knewstart. “To break this cycle, companies must better prepare for emergencies and strengthen their cyber resilience. This will allow them to maintain operations and continue to serve customers during a cyber incident.” 

Research Methodology 

This survey was conducted independently and exclusively for Commvault by Censuswide. It reveals the views of 1,000 UK business leaders, from companies with revenue of over £100 million.  

The sample comprised of CEOs, COOs, CFOs, CTOs, CIOs, CISOs, CMOs, Chief People Officers (CPO), Chief Sustainability Officers (CSO), Chief Compliance Officers (CCO), Chief ESG Officers (CESGO) and Chief Trust Officers (CTrO). Data for this report was collected between June 4 and June 6, 2025. 

Censuswide abides by and employs members of the Market Research Society, follows the MRS code of conduct and ESOMAR principles, and is also a member of the British Polling Council. 

About Commvault 

Commvault (NASDAQ: CVLT) is the gold standard in cyber resilience, helping more than 100,000 organisations keep data safe and businesses resilient and moving forward. Today, Commvault offers the only cyber resilience platform that combines the best data security and rapid recovery at enterprise scale across any workload, anywhere—at the lowest TCO.