Search and find what you need faster.

Dominic Holden discusses proposed ransomware ban in Law 360

Posted on: May 23rd, 2025 by Natasha Cox

Director Dominic Holden discusses the UK government’s proposals for a ransomware ban in Law 360.

Dominic’s article was published in Law 360, 22 May 2025, and can be found here. 

Ransomware ban move could push hackers to private sector

The government’s bid to crack down on ransomware payments could heap pressure on companies in crisis without any guarantee that it will pull the plug on the billion-pound cybercrime industry, lawyers say.

Proposals by the Home Office to ban public entities from making ransom payments and to require other bodies to consult with the authorities before they consider sending money to their attackers are intended to undermine the ransomware business model by making the U.K. a less profitable target.

But lawyers warn that the proposals, set out in a wide-ranging government consultation, appear to underestimate the opponents.

“Deceptively simple and undoubtedly well-intentioned, the proposal borders on the naive,” Julian Hayes, a partner at BCL Solicitors LLP said. “Even if it worked, it would simply drive ransomware attackers to softer targets.”

Ransomware pulled in more than £1 billion ($1.3 billion) from victims worldwide in 2023, according to the Home Office. It has become a lucrative source of cash for cybercriminals and state-sponsored actors able to infiltrate businesses and government agencies and take control of their networks and data.

Law enforcement agencies and the government see it as the biggest cyber risk facing businesses in Britain. But it is also perceived as a direct threat to national security because of the ability of criminals to shut down hospitals, energy suppliers and grocery chains.

The National Cyber Security Centre helped to manage 317 ransomware incidents in the 12 months to August 2024. They included 13 separate attacks deemed to be “nationally significant” that “posed serious harm to essential services or the wider economy.”

They include Russian hackers who stole private medical data in June 2024 in a ransomware attack on a medical testing company, Synnovis Services LLP, that disrupted London hospitals. And hackers demanded £600,000 from the British Library to prevent publication of stolen files, a demand it refused to pay, in October 2023.

What to do about the problem divides opinion. Some experts say that paying the ransom puts money in the pockets of organized crime, terrorists and sanctioned individuals — with no guarantee that the stolen data will be returned or services resumed. Paying helps to create a business model, encouraging more attacks.

Many organizations targeted do not pay. Most victims interviewed by the National Crime Agency said they did not want to reward their attackers.

But principles come at a cost.

Marks & Spencer the grocery and clothing chain, continues to lose money following a recent ransomware attack that has disrupted service and will cost it an estimated £300 million. And the Legal Aid Agency, which revealed in May that data dating back to 2010 had been stolen, warned anyone who had applied for legal support in criminal cases that they face the risk of being scammed.

But some companies see no other option. LockBit hackers hit Allen & Overy with a ransomware attack in 2023, but later retracted its threat to release the stolen data. Cyber-experts have interpreted this as a sign that A&O paid out to avoid sensitive client information from being released, although the firm never publicly commented.

Against this backdrop, the Home Office said in March that it was consulting on a range of proposals. They include a limited ban on publicly owned bodies and operators of critical national infrastructure making payments, mandatory reporting of all ransomware attacks by companies that meet thresholds and even approval by the government before they make any payment.

But lawyers warn that the proposals are risky. Payments are already widely viewed as the last resort, a drastic step for companies to take only when backup files restoring their operations fail or there is a risk that the stolen data is not encrypted.

James Longster, a partner in the technology and commercial transactions practice at Travers Smith LLP, said that private sector clients, particularly financial services firms, are concerned that putting restrictions on public-sector targets will simply push criminals to intensify their attacks on them.

“There isn’t a magic answer,” Longster said. “People want to do something because it’s a problem. It’s hard to work out exactly what that is.”

There was also doubt among observers about how the proposals would work in practice. When would companies, trying to get to grips with resuming service, be required to notify the government of the attack? How would a ban, if it was extended to the private sector, affect global companies in countries where there was no bar to payment?

The government has already introduced compulsory reporting of cyberattacks in the Cyber Security and Resilience Bill, which is making its way through Parliament. Victims would be required to report an incident only once. But lawyers say a lack of detail means it is unclear how the proposals would sit alongside existing notification requirements, potentially delaying payment during talks with authorities — and prolonging the disruption.

Business leaders fear the proposals might also lead to expensive red tape when they are already under pressure. Companies already face a race against the clock to disclose cyberattacks to their regulator, the Information Commissioner’s Office — and, potentially, to individuals if personal data was stolen.

Longster predicted that the ban on public sector bodies making payments might not make it into legislation if there was resistance during the consultation. But he said that the reporting obligations to the central government “could meaningfully turn the dial” by equipping law enforcement agencies with the best information possible.

Another proposal would require businesses to gain government clearance to ensure that money would not go to sanctioned individuals or terrorists. Christopher Whitehouse of Reynolds Porter Chamberlain LLP said that limited legislation introducing a reporting requirement – but not going as far as an outright ban – would be a good compromise.

“Save for those extreme cases, if there’s something companies could do to survive, but aren’t allowed, it’s going to be a tough sell,” Whitehouse said.

Britain would become one of few Western governments to introduce the ban – perhaps the only one – if it did so. Many countries have pledged not to pay ransomware, but none have actually made it illegal, even if it involves paying a sanctioned entity.

Some U.S. states have passed legislation banning public authorities from paying ransoms, but experts have warned that the results have been mixed.

Hayes of BCL Solicitors also said that the potential ban on government agencies making payments overlooks the fact that hackers, particularly those backed by hostile governments, are often more interested in causing chaos than making money.

Outlawing ransomware payments “risks making hostages of us all,” Hayes said.

“Such sophisticated threat actors are highly unlikely to surrender without a struggle,” Hayes continued. “Far from being deterred, such groups are more likely to fight tenaciously to protect their lucrative business models, with ‘big game’ ransomware groups intentionally targeting the U.K. essential services on which we all rely, both to break the government’s will and serve as a warning to like-minded countries not to follow suit.”

Some lawyers advocate for a more aggressive policy to help ensure that does not happen.

Dominic Holden of Lawrence Stephens said that hackers would look abroad if it was illegal for public and private sector entities to pay out.

Support for small and midsized businesses in the form of tax breaks or subsidized insurance premiums would also mean that the incentives to target the U.K. would vanish, Holden said.

“If the government is going to do this, I don’t think they should do it in half measures,” Holden said. “If you’re going to eradicate the problem, and disincentivize the hackers so they go overseas in jurisdictions where they can be paid, then grasp the nettle and ban all payments.”

Mark Jones, a partner at Paynes Hicks Beach LLP, said there were also concerns that the mandatory reporting requirement could then trigger regulatory scrutiny. The government would have to assure companies that the information would remain confidential if it wants to win support for legislation, Jones said.

“I would also hope to see measures to support those who are victims of ransomware, rather than simply add to the stress of the situation,” Jones added.

For more information on our cryptoassets expertise, please click here.

Crypto recovery – navigating the first 72 hours

Posted on: May 23rd, 2025 by Natasha Cox

When a person goes missing, the first 72-hours are mission critical.

The same urgency applies if you have been hacked, scammed or are the victim of a theft- even more so if the loss are crypto assets. Quick and decisive action in the immediate hours will significantly mitigate the risk of those assets being obfuscated and dissipated and assist with recovery.

Crypto scammers are particularly ruthless, often deploying all manner of sophisticated tactics. From straightforward account compromises and theft with no direct interaction, to elaborate social engineering, often gaining trust through dating websites, fake investment platforms, or social media, their ultimate aim is to deprive a rightful owner of crypto assets.

Discovering that you have been the victim, regardless of the methodology used, can be emotionally draining as well as financially devastating. Clarity of thought and rational action can often give way to absentmindedness. This can lead to victims continuing to pay the bad actors, or fake recovery firms who are one and the same.

In the circumstances this is entirely understandable.

The appropriate next steps can vary depending on the specific circumstances, however our recommended action plan is detailed below and applies to most scenarios:

  1. Secure your communications

Often, particularly in cases where victims have been socially engineered, your email addresses and social media accounts will likely have been compromised as the result of the hack.

Most mainstream email providers will allow you to see a log-in history which details the IP address and location of all log-in attempts. Consider if any are unrecognisable.

If there are any suspicious log-ins, it is likely that your email address has been compromised and your communications may be monitored by the scammers. This could also impact other personal and financial accounts linked to your email, such as online shopping accounts, bank accounts and social media profiles. Credit ratings and access to future baking facilities may also be affected.

In this case, it is vital that you immediately change the password for your email, and then for all other accounts held online.

In addition, we recommend that you set up a new, secure email address immediately and avoid logging into any accounts you suspect may have compromised. You should divert any personal and critical emails to your new account, and ensure that you update your email address across your online shopping, social media and bank accounts.

It is important that you notify your bank and or cryptocurrency exchange of your new email address, which replaces the old one, and ensure to communicate that no instructions are to be taken from the old email address.

  1. Cease communications strategically

In cases where scammers have maintained prolonged contact, they may continue to reach out to you. Let them remain unaware you know this is a fraudulent scheme. If they know that you are aware, there is a heightened risk that they will take steps to obfuscate their trail and dissipate assets, which can make asset recovery more complicated.

If you can, you should look to cease communication strategically without encouraging further interaction. One approach might be to indicate you will be unavailable or away for a few weeks. This will hopefully give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action.

In short, the longer the scammers believe that their scam is undetected, the better.

You should then immediately begin collating a detailed record of all previous communications, including requests for payments, emails, phone calls, text messages, social media interactions, transaction details, wallet addresses and transaction hashes etc. Accurate records are crucial for any subsequent legal action and investigations. If you have been directed to a webpage during your interactions with the scammers, you should ensure to take screenshots of these pages in case they disappear.

Evidence of what jurisdiction they may be in is also vital. For example, note of their telephone number and dialling code (e.g. +44 for UK) or mention of a registered office (even if untrue) will help dramatically.

  1. Report to law enforcement

As soon as possible, you should report the theft to the police and Action Fraud – or equivalent law enforcement agencies. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible, and obtain a direct liaison and contact details. Action Fraud is only a database, and your query will not progress unless the police investigate.

Try not be discouraged or frustrated if the police cannot offer much help. Police resources, expertise, and capacity to deal with crypto related crimes can vary considerably, and officers may lack immediate familiarity with blockchain technology, or the complexities involved

Even if the police are unable to offer much direct assistance, formally reporting the incident is a crucial step as it creates an official record that supports any subsequent legal and recovery actions you may take with the support of your legal team.

  1. Device management and evidence preservation

Given that so much of our lives are conducted online and contained within personal devices such as laptops and mobile phones, it is crucial to exercise heightened caution if these devices may have been compromised.

If you notice unusual behaviour or unexpected activity on your devices (for example, unprompted command prompt windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much) then this may be an indication your device may be compromised.

This is more likely if the scammers have previously taken remote control of your device under the pretence of assisting you through services, like AnyDesk.

As tempting as it may be, avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets. Formatting or resetting the device risks destroying potentially valuable evidence which often indicates the attack vectors used by the scammers and can be a useful part of the puzzle in identifying who they may be.

If your budget permits, obtaining new, uncompromised devices for interim use is recommended.

  1. Secure remaining cryptoassets

It may be that the scammers have only targeted or been able to target specific parts of your crypto holdings. However, if your devices or email/social media accounts have been compromised, it is likely they know much more than you think – including what centralised exchange accounts and wallet addresses you have that they may wish to target next.

As such, you should immediately access and review all centralised exchange accounts you may hold online, and cold storage where applicable. Update your details held at these accounts, including email, contact information and passwords.

It is also crucial to strengthen your two-factor authentication and carefully review transactions to identify any activity you do not recognise which may be indicative of that account being compromised.

If you are holding any assets on these accounts, consider creating new, secure self custodial wallets on uncompromised devices and transferring remaining assets between multiple wallets.

If you have previously staked assets, check to see whether these remain staked or have been unstaked without your knowledge and are in any cooldown period. If unstaking has been initiated, try to take steps to ensure the unstaked assets can immediately be sent to your new, secure wallets as soon as possible.

  1. Engage with experts

Engaging promptly with specialist lawyers experienced in crypto asset disputes, particularly asset tracing on blockchains and recovery, can be vital ensuring the swift tracing and recovery of your assets.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets (such as statements) as well as relevant transaction hashes or addresses as this will form the basis of asserting your proprietary claim to those assets. This is essential in recovering such assets.

Scammers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. These exchanges will have established payment rails which allow them to enable the transfer of fiat funds and are crucial to their business operations. 

As these payment rails exist within a regulated environment, banks must be comfortable with the funds handled by these exchanges. Consequently, exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Once an investigator can identify exchanges which have received the stolen assets, your legal team should then enter into dialogue to place them on notice that they have received the proceeds of crime and request they take specific actions. These include freezing the relevant accounts to secure any assets held within, as well as requesting disclosure of any onward transfers and withdrawals from that account which can be used to further trace the stolen assets with a view to recovery.

This draws a line in the sand – the exchange is now aware of the issue and any funds held at or subsequently deposited at that account must now be frozen.

  1. Seek emotional support

Recognising that you have fallen victim to a scam can trigger intense emotional distress, anxiety, and feelings of isolation. It is important to recognise you are not alone and that these feelings, while overwhelming, are a common response to what can be a very personal breach of privacy, trust and security.

If you find yourself in such a position, consider reaching out to supportive friends and family. Whilst there are also online communities offering support to victims, you should treat these with caution, as these can present attractive hunting grounds for scammers seeking to exploit those at their most vulnerable.

If you find your emotional state severely impacted or you are feeling persistent low, anxious or overwhelmed, it is essential to seek professional medical or mental health support.

As outlined above, acting quickly and methodically within the immediate hours and days after discovering a scam or can significantly improve the prospects of recovery and limit the broader financial and emotional damage.

For more information on our services relating to technology disputes, please click here. For our cryptoassets services, please click here

Lawrence Stephens featured in PM Forum Magazine

Posted on: May 22nd, 2025 by Natasha Cox

Managing Director Steven Bernstein, Chief Operating Office Johnny Nichols and Head of Business Development and Marketing Daryl Atkinson feature in the latest edition of PM Forum Magazine talking about what makes the culture at Lawrence Stephens so special, and how this is powering our growth.

Founded in 1996, PM Forum is the world’s largest community of professional services marketers, with more than 3,000 members in over 40 countries. The Forum is dedicated to raising the standards of marketing across law, accountancy, property and other professional sectors.

House Shouts

There will be very few law firms where the CEO knows the names of all 190 staff, and even fewer where those people are, like school, assigned a ‘house’. Alongside phenomenal growth, this is why Lawrence Stephens has been repeatedly tagged as the firm to watch.

Matt Baldwin speaks to Managing Director Steven Bernstein, Chief Operating Officer Johnny Nichols, and Head of Business Development and Marketing Daryl Atkinson.

Lawrence Stephens like to do things differently. It is a relative newcomer to the London legal market, founded in 1997, and, like many other firms, named after its founding directors.

But unlike its peers, the firm is strictly first names only. The ‘Lawrence’ is Lawrence Kelly and the ‘Stephens’ are Steven Bernstein and Stephen Messias. All are still involved in the firm.

It is a hint towards its difference.

The firm is a limited company, with directors instead of partners, focused on entrepreneurial owner-managed businesses, SMEs and financial institutions, particularly challenger banks.

“We know what we are good at, and we concentrate on that,” explains Managing Director Steven Bernstein. The firm does, however, provide the full service of legal advice for those clients and will, as it grows “stay in its lanes, acting for bigger clients”.

It is an approach that is clearly working, seeing revenue increase by 30% a year over the last five years, and its headcount growing from 50 to 190 people. It was named by The Lawyer as a ‘firm to watch’ in its December 2024 podcast.

It is, however, its culture that truly marks the firm out as different.

Bernstein spends 30 minutes every day walking the floors and talking to his colleagues. Remarkably, he knows them all by name. “I see it as part of my job description to walk the office, chat with people and ask them how they are doing, if everything’s OK. “I have to work at it, particularly with 40 new members of staff this quarter alone, but it is the easiest 30 minutes of my day.”

The firm’s Farringdon office is open plan with no allocated desks. It means staff quickly get to know each other.

“It creates a real buzz,” says Johnny Nichols, the firm’s Chief Operating Officer, “with conversations and discussions naturally occurring all the time. It means those who have recently joined us get to meet others and build relationships quickly. “Importantly,” he adds, “it fosters the kind of environment where everyone is nice, enjoying each other’s company, happy to collaborate and celebrate each other’s wins.”

And then there are the firm’s ‘houses’, named after locations of previous offices – Baker (Baker Street), Portland (Great Portland Street), Wigmore (Wigmore Street) and Morley (Morley House on Holborn Viaduct).

“The idea came from our trainees,” explains Bernstein, “with first-year trainees appointed ‘head of house’. Everyone in the firm is a member of one of the four houses. There are competitions throughout the year for ‘house points’ that at the end of each year are turned into charitable donations.”

Every summer, there is the firm’s sports day and BBQ where house members, joined by partners and families, compete for house glory. Other events include the ‘Bake-Off’ challenge and the annual house quiz.

“It empowers younger people, breaking down the hierarchy in the firm,” says Bernstein. “It means that as we grow, staff get to know each other much easier. Importantly, it’s fun, and we want everyone to enjoy what they do and where they work.”

Lawrence Stephens 3.0

Entrepreneurial businesses are never static. Just as its clients grow and change, so too is Lawrence Stephens. “We are currently Lawrence Stephens 2.0,” says Bernstein, “and quickly heading towards Lawrence Stephens 3.0”.

Part of that journey has been the investment in a strong business services team, supporting and guiding the legal teams.

Nichols joined the firm as its Chief Operating Officer in September 2022 having held senior roles in Allen & Overy and Bird & Bird. Daryl Atkinson joined in June 2024 as its Head of Business Development and Marketing. He leads a team of five.

“There are two aspects to the role,” explains Atkinson. “There is the execution piece, making things happen efficiently and effectively and without reinventing the wheel, and the advisory piece, trying to encourage the right kind of behaviours and activity that deliver results. “I strongly believe that to make waves, a firm of this size needs to be really clear about its future. We can’t be in every market – it is just not possible. It’s about bringing focus to the firm. We know what we are good at and what we should concentrate on. We are also clear on what we not going to do.”

Atkinson and his team have made an immediate impact.

“We are a people business,” explains Bernstein, “and that means the relationships we have with our clients are important. They like what we do and keep coming back to the firm. Daryl and his team are helping us to better leverage those relationships and to understand where we should focus our energy.

“We are now better known in the areas we work than ever before. The reputation change has been enormous, and the foundations are now in place for the firm to grow into Lawrence Stephens 3.0.”

Lawrence Stephens 3.0 will look and feel very similar to the firm today. Its culture will be jealously guarded and nurtured.

“We don’t want to lose our humanity,” says Nichols. “Our HR team is helping us to articulate what our culture means to people individually so we can find ways to hold on to that and sustain it as we grow.”

That growth might see the addition of new teams – it recently took a banking and real estate finance team from the collapsed Memery Crystal – and the addition of new expertise, but only if it fits the firm’s tight client profile.

“We can imagine ourselves with an office a little further north… a kind of hub for clients in Birmingham, Manchester or Leeds,” adds Bernstein. “But there is no intention of having an office in every town or a large international footprint.”

There is an energy inside Lawrence Stephens, a sense of urgency and mission that is shared by its 190 people. It is a little less like a law firm and more like its entrepreneurial clients. And that should leave the more traditional mid-tier firms looking nervously over their shoulders.

Emma Cocker comments on the role of AI in legal services in City AM

Posted on: May 15th, 2025 by Natasha Cox

Senior Associate Emma Cocker comments in City AM on the future of AI within law firms, arguing that it can be a useful tool, however lawyers and employers must act cautiously as improper use can have serious legal implications. 

Emma’s comments were published in City AM, 15 May 2025, and can be found here.

“AI undoubtedly plays a huge role in the future of legal services. It will make them more accessible and affordable, which is a huge benefit, given that so many people and small businesses struggle to access legal services. It can also speed up output, with the automation of repetitive and time-consuming tasks helping lawyers to work more efficiently, which also translates to costs savings for clients.

“However AI must be used with caution. Remember that it should be used as a starting point and that the output is only ever as good as the input, which may be vulnerable to online misinformation. As such, AI content must always be reviewed for accuracy and subject to ultimate approval by a human being. We know that AI ‘hallucinates’ and we have already seen lawyers over relying on AI coming unstuck. As well as the professional embarrassment factor, AI could deskill junior lawyers who may not be practicing legal researching and drafting to the same degree as previous generations of lawyers. It may also contribute to a decline in the development of other key skills, such as critical and independent thinking.

“In authorising the first AI-driven law firm, the Solicitors Regulation Authority made it clear that lawyers relying on AI output will be ultimately responsible for the consequences and that professional standards must always be maintained to ensure public trust and confidence in the sector. Those who do use AI improperly may find themselves facing disciplinary proceedings by their employer and the regulator and in cases of ‘AI gone wrong’ there is scope for negligence claims by clients, as well as costs applications by opponents.”

For more information on our Employment services, please click here.

Matt Green interviewed by Commercial Dispute Resolution

Posted on: May 14th, 2025 by Natasha Cox

Head of Blockchain and Digital Assets and Technology Disputes, Matt Green, speaks with Commercial Dispute Resolution (CDR) about his career in the crypto asset space and how some of the notable cases he has worked on have influenced legal precedent around blockchain and digital assets. 

Matt’s interview was published online in Commercial Dispute Resolution (CDR), 12 May 2025 and can be found here.

Discussing the first crypto case he was involved with, the landmark AA v Persons Unknown, Matt explains “I was enormously opportunistic, and I just rode with it… I was in the right place at the right time.”

He notes how there was “a big gap in the market” at the time, with many in the blockchain and digital asset space not knowing that there were legal routes to trace and recover their stolen or hacked assets.

Speaking on lessons learned during his career, Matt comments:“It is attrition, staying in the game, not overreaching. Being very aware that you don’t know everything. I don’t think anybody could say they did have all the answers, on the basis that the judiciary and the industry are trying to figure it out.”

Discussing the evolution of both his practice and the digital asset space itself, Matt explains that “there will be huge intellectual property battles about a variety of different things that we probably can’t even imagine yet, it’s almost unknowable.”

With many of Matt’s cases showing the “grizzly places” of the crypto world – from pig butchering scams on Facebook groups for grieving widows to tracing stolen assets to an organ farm in Southeast Asia, and the high-profile disputes over the identity of Satoshi Nakamoto.

Yet despite this, Matt encourages people to see the wider utility of this technology, telling CDR that he would like to see the “wider adoption and understanding of the applications of blockchain tech and digital assets.”

For junior lawyers looking to get into the constantly evolving world of digital assets and blockchain, Matt explains that there are plenty of ways: “set up a blog, write articles, start a podcast, join groups. If you get involved with the industry that you choose, you’re going to be much more valuable to a law firm than if you don’t, and there is no date by which you should start doing this.”

For more on our Blockchain, Digital Assets and Technology Disputes services, click here

The Renters’ Rights Bill – What it could mean for lenders?

Posted on: May 8th, 2025 by Natasha Cox

The Renters’ Rights Bill (‘the Bill’) is currently making its way through the House of Lords. While there has been growing opposition to the Bill, with over 300 amendments being proposed, the Bill could still prove to be a welcome change for lenders.

Purpose of the Bill

The Bill has been introduced to:

  • give greater rights and protections to people renting their homes
  • provide tenants with the flexibility to leave substandard properties

In short, it is intended to:

  • Reform tenancies
  • Strengthen tenants’ rights
  • Create a landlord redress scheme
  • Create a private rented sector database
  • Create a legal standard for property conditions
  • Expand enforcement powers


The potential impact of the Bill on lenders

Currently, there are two options available to recover vacant possession of a property subject to an assured shorthold tenancy, namely:

  • Serving a notice under section 21 of the Housing Act 1988 (‘HA 1988’)
  • Serving a notice under section 8 of the HA 1988

Section 21 Notice

Also known as a ‘no-fault’ eviction, this is used where a tenancy is coming up to expiry or has already expired.

As a result of Trecarrell v Rouncefield [2020], if the landlord is unable to evidence compliance with the various prescribed requirements, then simply put, they will not be granted a possession order.

Section 8 Notice

A notice under this section can be used in two situations:

– where the tenant has breached the terms of the tenancy, or

– where a lender requires vacant possession of the property for the purpose of exercising their power of sale and is bound by a tenancy postdates the loan.

Notices under Section 8 of the HA 1988 are restrictive for lenders requiring vacant possession. Many grounds under this section can be remedied and it is otherwise limited to tenancies which postdate the loan. In addition, a landlord (borrower) should have also served a notice on the tenant confirming they can rely on this ground to obtain vacant possession (albeit the court has discretion to dispense with this requirement).

 

What the reform could mean for lender’s enforcement

The reform will essentially simplify a lender’s ability to take possession of a property subject to a tenancy.

The intention is to abolish assured shorthold tenancies (and as a consequence, ‘no-fault’ eviction notices) under Section 21 of the HA 1988, and to amend Ground 2 of Schedule 2 of the HA 1988 so that it reads as follows:

The dwelling-house is subject to a mortgage and –

(a) the mortgagee is entitled to exercise a power of sale conferred on him by the mortgage or by section 101 of the Law of Property Act 1925; and

(b) the mortgagee requires possession of the dwelling-house for the purpose of disposing of it with vacant possession in exercise of that power.

For the purposes of this ground “mortgage” includes a charge and “mortgagee” shall be construed accordingly.

This means that lenders will be able to rely on this section whether the tenancy predates or postdates the loan, provided the lender requires vacant possession for the purpose of exercising their power of sale. They need no longer be concerned about evicting a tenant when they are unable to comply with the requirements for prescribed information for tenant deposits and the Deregulation Act 2015, viz. the provision of the How to Rent Guide, EPC, Gas and Electrical Safety Certificates. The main contention under the reform is that tenants will be afforded a four-month notice period, which some lenders may accept as a small quid pro quo.

It is recommended that lenders continue to ask the right questions and continue to carry out their due diligence in respect of tenancies. In terms of lending in the short term/alternative lending space, which is often time critical, such potentially arduous and frustrating requirements need no longer be so. Lenders will now have the flexibility to take a view, knowing that it will not compromise their ability to secure vacant possession should they need to enforce the terms of their loan.

For more information on our Real Estate Disputes services, please click here.

Angélique Richardson discusses the legal and reputation risks of doping in City AM

Posted on: May 7th, 2025 by Natasha Cox

Writing in City AM, Associate Angélique Richardson discusses the return of tennis star Jannik Sinner following his three-month suspension for failing two “in-competition” drug tests and analyses the legal and reputational risks arising from anti-doping violations.

Angélique’s article was published in City AM, 7 May 2025, and can be found here.

Jannik Sinner and anti-doping bans in tennis: how players can mitigate risks

Jannik Sinner’s re-appearance at the Italian Open guarantees attention, following his three-month suspension for failing two “in-competition” drug tests during and eight days after Indian Wells last year, for the banned anabolic steroid clostebol.

Ranked world No1, the three-time Grand Slam winner’s return to competitive tennis at his home tournament this week is a reminder of the legal and reputational risks arising from anti-doping violations.

Sinner was charged with an anti-doping rule violation by the International Tennis Integrity Agency, which enforces the World Anti-Doping Code 2015 through the Tennis Anti-Doping Programme (“TAPD”).

According to the TAPD, a first in-competition rule violation carries a four-year ban, reduced to two if proven unintentional. The ban could be eliminated if the player proves “no fault or negligence”, meaning that they couldn’t have reasonably known or suspected they had used a prohibited substance.

Sinner and his team never denied the substance was in his system. Thei argument was that his fitness coach purchased an antiseptic spray which contained clostebol.

While Sinner was at Indian Wells, his physio accidentally cut his hand and used the fitness coach’s antiseptic spray daily to treat the cut. The physio massaged Sinner without wearing gloves or washing his hands, and the substance entered Sinner’s system through the cut. They claimed Sinner bore no fault or negligence.

Initially, this version of events was accepted by the independent tribunal. The World Anti-Doping Agency (WADA) appealed the decision to the Court of Arbitration for Sport in Switzerland and reached a case resolution agreement with Sinner for a three-month ban, which elapsed on Sunday.

This case, while resolved, highlighted numerous issues faced by professional athletes.

Sinner’s reputation and integrity have been called into question, including by fellow player Novak Djokovic, and future potential sponsors and partners may be wary.

Many commercial deals with brands contain anti-doping clauses which enable them to terminate the agreements when an athlete is alleged to have committed an doping violation. Sinner may find some of these clauses triggered.

Stars like Jannik Sinner ‘must be proactive’

The ease of cross-contamination is clear. Sinner was contaminated by his physio, but the same could happen when sharing equipment with others who have used a prohibited substance, touching friends and family who have used a prohibited substance or using untested supplements.

A recent study commissioned by Sport Integrity Australia showed that, of the 200 supplements tested, 35 per cent contained WADA-prohibited substances. Athletes assume the ingredients listed in supplements are accurate, but this is not always true.

So, what can be done? Better education is needed about the risks associated with supplements, including via seminars, clubs, online resources and support teams.

Athletes can further mitigate risks by using Informed-Sport Certified supplements, staying up-to-date with substances on the prohibited list, and ensuring that nutritionists and staff members are fully trained. Instructing a sports lawyer with a specialism in doping is a no-brainer.

In the event of an anti-doping rule violation notice or charge, athletes should talk to a legal specialist. Sinner and WADA reaching an agreement on a three-month ban came thanks to the specialist anti-doping knowledge of his lawyers, who will also be working hard to ensure as few commercial deals are impacted as possible.

Athletes and their teams need to proactively reduce risks. An apology won’t get you out of trouble. Regardless, Sinner will hope that it is his tennis, rather than his lawyers, doing the talking at the Italian Open.

For more information on our expert services for athletes and sportspeople, please click hereanti-doping.

Matt Green discusses UK crypto innovation and regulation in The Times

Posted on: April 24th, 2025 by Natasha Cox

Writing in The Times, Director and Head of Blockchain and Digital Assets, Matt Green, argues that the UK government needs to adopt a clear big picture strategy on implementing blockchain technology if it is to maintain parity with competitors.
 
Matt’s article follows a recent letter he co-signed as chair of techUK’s Blockchain and Digital Assets working group, alongside a coalition of leading UK and global trade bodies in the crypto sector to the UK government urging them to advance its digital asset and blockchain policy.

Matt’s article was published in The Times, 24 April 2025, and can be found here.

Government must urgently delivery regulatory clarity for cryptoassets

It is roughly six months since the digital assets industry called on the Labour government to provide urgent “regulatory clarity” at the party’s annual conference. The then economic secretary to the Treasury, Tulip Siddiq, responded by confirming the government’s commitment to fostering innovation in financial services, but there is little meat on the bone.

It has also been three years since the previous government’s plan to make the UK a global cryptoasset technology hub. This ambiguity serves no one.

Helpfully, the Financial Conduct Authority (FCA) has since published key dates in a ‘crypto roadmap’ that details the development of comprehensive regulatory framework for the UK. Draft legal provisions are expected soon, with a series of consultation papers examining how the future regime will work and its content – such as stronger regulation for capital, liquidity and risk management of cryptoassets – to come. The roadmap anticipates that the rules will take effect late next year.

While that is welcome, the UK needs clarity and momentum to boost investment, growth and jobs, and to avoid falling behind competitors such as Singapore, the UAE or the US in technology investment and innovation. If the government is serious about making crypto a strategic priority, it should mirror the US by appointing a crypto special envoy – President Trump has appointed David Sacks, the former senior executive at PayPal, to that role.

The UK desperately needs a comparable appointee who can drive policy alignment, assimilate industry innovation and ensure that regulation and legislation are formulated and drafted with the UK’s best interests.

Our government also needs a plan that will focus on identifying opportunities and attracting investment. These could include an incentivisation programme to attract businesses with significant potential, explore elements of public sector integration and create a competitive tax and investment landscape.

Recognising the symbiosis of blockchain, artificial intelligence and quantum computing and their potential value is vital, both for preparing future regulatory frameworks, and considering use in daily life. Ultimately, this will improve efficiency for a swathe of crucial public services. Consider how the Land Registry and Companies House could hold important documents on the blockchain to simplify and accelerate property and share transfers. Key government procurement contracts and transmission of NHS data could also be transformed. 

According to the FCA, 12 per cent of UK adults – about 7 million people – owned cryptoassets last year. In contrast, according to the most recent data, only 8 per cent of global venture capital funding went into UK firms that specialise in that field, while the US dominates with 76%.

A clear direction, guided by a singular politically and sector agnostic driver, and with clear regulatory framework, could transform the UK economy for decades to come.

 

 

‘Gender critical’ belief discrimination – where are we now?

Posted on: April 24th, 2025 by Natasha Cox

Four years ago, the concept of discrimination based on ‘gender critical’ beliefs was unheard of. However, the 2021 decision of Forstater v CGD Europe & Ors paved the way for protection under the Equality Act 2010 for individuals holding gender critical beliefs.  

Despite Forstater, there has been a slew of employment tribunal cases brought by individuals claiming their belief that sex is biological and immutable led their employers to subject them to less favourable treatment. These claimants worked in areas including the NHS, local government, charities, the education sector and even the legal profession. With trans rights supporters claiming that such beliefs are transphobic and hateful, many employers have been confused as to their obligations and fearful of ‘getting it wrong’.

Most recently, in For Women Scotland v The Scottish Ministers it was held that ‘sex’ within the Equality Act 2010 means biological sex, reigniting tensions about the interplay between the rights of trans people and the rights of biological men and women. With the Supreme Court’s decision hot off the press, this article summarises some of the key cases and legal principles that have emerged in recent years, helping employers to be confident in their decisions about balancing the rights of all parties to be treated in a way compliant with the Equality Act 2010 and help them to ensure everyone enjoys dignity and respect at work.

Forstater v CGD Europe & Ors (2022)

Maya Forstater’s consulting contract with the Centre for Global Development was not renewed after she published a series of social media messages describing transgender women as men. She brought claims of discrimination, with the employment tribunal initially ruling against her. However the Employment Appeal Tribunal later found that her beliefs were protected under the Equality Act 2010 because they were “worthy of respect in a democratic society“. At a subsequent hearing, the tribunal concluded Ms Forstater had suffered direct discrimination on the basis of her gender-critical beliefs and she was awarded compensation of over £105,500 including for loss of earnings, injury to feelings, aggravated damages and interest.

Bailey v Stonewall Equality Limited Garden Court Chambers & Ors (2022)

Barrister Allison Bailey claimed she was discriminated against for her gender-critical views after Garden Court chambers concluded that two of her personal tweets, which included gender critical views, potentially breached her professional obligations as a barrister. Bailey had co-founded LGB Alliance, an advocacy group for the rights of lesbian, gay and bisexual people, which opposed the ‘trans extremism’ it said Stonewall promulgated. Ms Bailey complained to colleagues about Garden Chambers becoming a Stonewall Diversity Champion, saying that Stonewall was complicit in a campaign of intimidation of those who questioned gender self-identity. The tribunal found that Garden Court had discriminated against Ms Bailey and she was awarded £22,000 compensation for injury to feelings, plus interest.

Fahmy v Arts Council England (2023)

Denise Fahmy attended an internal teams meeting where hostile comments were made about people who hold gender critical beliefs. This was in the context of a discussion about the award and removal of a grant to LGB Alliance. A petition was later circulated in which further hostile and intimidating comments were made, leading Ms Fahmy to raise a Dignity at Work complaint, which was not upheld. Leeds Employment Tribunal found in favour of Ms Fahmy, concluding that she had been harassed for her gender-critical beliefs, and shortly afterwards, the parties reached settlement for an undisclosed sum.

Phoenix v Open University (2024)

Joanna Phoenix, a professor, co-signed a letter to the Sunday Times in 2019 in which she made her gender critical beliefs known. She, with others, then established the Gender Critical Research Network, an academic research group promoting research into sex and gender from a gender critical perspective. As a result, she was harassed and discriminated against by colleagues, including in one instance the Deputy Head of Department likening her to “the racist uncle at the Christmas dinner table“. The employment tribunal found that her complaints of direct discrimination and harassment were well-founded and that she had been constructively unfairly (and wrongfully) dismissed. Shortly afterwards the parties reached settlement for an undisclosed sum.

Adams v Edinburgh Rape Crisis Centre (2024)

Roz Adams worked as a counsellor at Edinburgh Rape Crisis Centre. Ms Adams held gender critical beliefs and believed that victims of male sexual violence should be able to choose whether to engage with male or female counsellors. In 2021, the centre appointed a trans woman to the post of CEO. Ms Adams warned that giving ambiguous answers to victims who wanted to know the sex of their counsellor could mislead them or lead them to self-exclude from the service. The issue escalated when a colleague announced they were non-binary and changed their name to one that sounded male. Ms Adams asked her manager for clarity on how she should respond if service users asked if the colleague was male, which along with her observations about language used regarding gender critical people (including ‘terf’, bigot and fascist’) led to a deeply flawed disciplinary process against Ms Adams. She resigned, alleging constructive dismissal and discrimination. Delivering a scathing judgment, the tribunal concluded that Ms Adams had been discriminated against and constructively dismissed due to her gender-critical beliefs. Ms Adams was awarded compensation of £68,990 and Edinburgh Rape Crisis Centre was ordered to publish a statement apologising.

Meade v Westminster City Counsel and Social Work England (2024)

Rachel Meade, a social worker, posted on a Facebook profile (that was set to private with approximately 40 friends) expressing her gender critical beliefs. One of Ms Meade’s colleagues complained to the regulator about these posts, alleging that they were transphobic and that Ms Meade had deliberately shared posts containing misinformation about the trans community. Following an investigation into the complaint, Ms Meade was told that there was a reasonable prospect that her Fitness to Practise would be found currently impaired because of her ‘discriminatory activity’ on Facebook. She was told that she could either accept the report and a sanction of a one-year warning or have her case referred to a hearing. She chose the former. Ms Meade’s immediate managers confirmed they had no concerns about her practice but she was subsequently suspended on charges of gross misconduct and ultimately issued with a final written warning. The tribunal found that Ms Meade had been harassed on account of her gender critical beliefs, awarding her over £58,000, including aggravated and exemplary damages, reflecting the extent of the wrongs committed by the Respondents.

Frances v Department of Culture, Media and Sport and the Department of Science, Innovation and Technology (2025)

Ms Frances brought claims of constructive dismissal on the basis of her gender-critical belief and also on a separate philosophical belief in the integrity of the civil service. The claims were settled early, but this case was highly unusual in that there was no confidentiality around the settlement, including its high value (£116,000). It also resulted in public statements from two Whitehall permanent secretaries, committing their respective departments to significant redrawing of policies around sex and gender. This case helped to buck the previous trend of litigating gender critical belief cases until the bitter end, following settlement in the cases of Esses v The Metanoia Institute and the UK Council of Psychotherapy and Favaro v City, University of London.

Higgs v Farmor’s School (2025)

Kristie Higgs, pastoral administrator and work experience manager at a school, was dismissed for posts she made on her Facebook profile opposing the view that ‘gender is fluid and not binary’, contending that same-sex marriage cannot be equated with traditional marriage between a man and a woman. A complaint was made by a parent, leading to MS Higgs’ suspension and eventual dismissal. Ms Higgs claimed direct discrimination and harassment. While her claims were initially dismissed on the basis that it was the manner of expression that had caused her dismissal, not her beliefs themselves, the Employment Appeal Tribunal granted her appeal and remitted the case back to the tribunal. Ms Higgs appealed to the Court of Appeal, which ultimately ruled that Ms Higgs’ dismissal constituted unlawful discrimination on the grounds of religion or belief, emphasising that dismissing an employee merely for expressing a protected belief is unlawful unless the manner of expression is objectionable and the dismissal is a proportionate response.

What should employers be doing in light of these decisions?

It is clear that employers that conduct or condone discrimination against workers with gender critical beliefs are likely to find themselves on the wrong end of an employment tribunal judgment. While this precedent is well established, the recent decision in For Women Scotland has once again brought to the fore the issue of competing protections under the Equality Act 2010. While there is a surfeit of misinformation circulating online that the Supreme Court has ‘removed’ or ‘weakened’ the rights of transgender individuals in favour of those who hold gender critical beliefs, this is incorrect. The law today is the same as it was before last week’s decision and discrimination against trans people for reasons relating to gender reassignment remains unlawful, as does discrimination against those holding gender critical beliefs. However, because of the misrepresentation of the law on this highly emotive topic, many organisations are confused and fearful. Nevertheless, businesses must take a step back from the online noise and focus on a common-sense approach that treats everyone with dignity and respect.

Employers ought to remember that inclusion is for everyone and that there is nothing discriminatory in recognising that the protected characteristics of sex and gender reassignment relate to groups that have different needs and vulnerabilities. Employers should avoid making statements that disagree with the Equality Act 2010 or the Supreme Court judgment, or that favours or prioritises particular groups. This may lead to claims of sex-based harassment and discrimination as well as discrimination on the grounds of religion and belief.

It is possible to treat trans people with dignity and respect while also applying the Equality Act 2010 definition of sex, and remaining compliant with it. While it may be tempting to seek to avoid conflict, making all spaces ‘gender neutral’ is likely to garner complaints, as well as being in breach of workplace health and safety legislation. It may also be tempting to take situations on a case-by-case basis, but this is likely to lead to non-compliance with the Equality Act 2010 and could lead to employment tribunal claims by workers who expect to be able to access single sex spaces for reasons of privacy and dignity.

It is recommended that employers review their policies and training to assess and act on the risk that what they currently have is unlawful. Policies not based on the Equality Act 2010’s definition of sex are likely to result in unlawful conduct for which employers may be sued in the employment tribunal. Clear language should always be used and the normal standards of workplace and professional conduct must be applied to everyone equally. Set clear expectations around conduct and do not tolerate offensive behaviour in the workplace, whatever the protected characteristic in question. Businesses may see a rise in grievances relating to this topic and while proper grievance policies should always be followed, employers should not entertain vexatious or unreasonable complaints and may need to consider invoking their disciplinary policy for repeat offenders.

If you would like support and advice on making certain that your policies and handbooks ensure your employees are protected, please contact a member of our Employment team.

Alienating behaviour: Where are we now?

Posted on: April 17th, 2025 by zhewison

Jim Richards, gives us the latest insights on alienating behaviour in family law. In this article he breaks down the Family Justice Council’s 2024 review and what it means for handling parental alienation cases.

In December 2024, the Family Justice Council (FJC) published a comprehensive review on parental alienation and alienating behaviours. This long-debated issue has now been addressed with clear guidance aimed at assisting judges, and those in litigation in dealing with allegations of this nature.

A new approach to parental alienation

The FJC’s guidance marks a significant shift in how parental alienation is approached. It confirms that there is no “syndrome” of parental alienation. Instead, the focus should be on the behaviour, context, and reasons why a child is reluctant, resistant, or refuses to spend time with one parent.

The test for alienating behaviour

The guidance outlines a three-part test for identifying alienating behaviour:

  1. The child is reluctant, resists, or refuses to engage with a parent.
  2. This reluctance is not due to the behaviour of that parent towards the child or the other parent.
  3. The other parent has behaved in a way that has led directly or indirectly to the child’s reluctance to engage in a relationship with the other parent.
    All three elements must be present for a finding of alienation.

Moving away from past practices

This new approach moves away from the previous tendency to use alienation as a catch-all explanation for a child’s reluctance to spend time with a parent. The courts will no longer entertain this approach, especially if there is any finding of domestic abuse.

The role of the court

The report emphasises that the court is the ultimate decision-maker in these cases. Experts and Cafcass (Children and Family Court Advisory and Support Service) cannot determine whether specific events took place. It is the court’s role to decide if domestic abuse or alienating behaviours have occurred. Allegations must be supported by evidence; fake assertions will not suffice.

The importance of early action

Relevant issues must be raised early in the process, with appropriate case management directions given. It is not acceptable to introduce allegations late in the proceedings to strengthen a weak case.

Looking ahead

The development of case law in this area will be closely watched, and further guidance from the courts is anticipated.

If you would like to learn more about alienating behaviours and how they may impact your case, please contact our family law team. We are here to provide expert advice and support.

Dominic Holden explores the Home Office consultation on ransomware payments, in Law360

Posted on: April 10th, 2025 by Natasha Cox

Director Dominic Holden examines the recent Home Office consultation on cyber attacks and banning ransom payments by public bodies and critical infrastructure operators, and discusses the potential impact of such reforms on SMEs, in Law360.

Dominic’s article was published in Law360, 9 April 2025. 

On 14 January 2025, the Home Office opened a consultation on proposals to ban ransom payments by publicly owned bodies and operators of critical national infrastructure that have or may have suffered a ransomware attack[1]. The consultation runs until 8 April 2025, and the government seeks input from potential compliance stakeholders, industry, research, and the public.

The overall aim is to tackle the multi-billion-pound cybercrime industry, and the specific objective is potentially to make vital infrastructure like hospitals and the National Grid an unattractive prospect for hackers.

Yet, these proposals are not without their flaws.

The below article examines these plans, explores the development of the ransomware industry, and discusses how such reforms could impact UK businesses.

What is ransomware?

Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system. Once infected, critical IT networks can become crippled and inoperable. The hacker then promises to provide the key to unlock the files in return for money, typically in cryptocurrency.

These attacks can be particularly harmful due to the associated financial losses, theft of potentially sensitive data and intellectual property, as well as significant business/service disruption and reputational damage.

Growing threats

One of the key triggers for this consultation exercise appears to have been the Synovis ransomware attack in June last year, which caused severe damage to the NHS with the postponement of over 10,000 outpatient appointments and around 1,700 elective procedures in London.[2]

Ransomware attacks are a growing threat. Over a period of twelve months which ended in August 2024, the UK’s National Cyber Security Centre’s (NCSC) became involved in managing 430 cyber incidents including 13 separate ransomware incidents which were “deemed to be nationally significant and posed serious harm to essential services or the wider economy”. According to the National Crime Agency, the number of UK victims appearing on ransomware data leak sites has also doubled since 2022[3].

As a result, ransomware is viewed by the National Crime Agency as one of the most serious organised cybercrime threats to the UK’s national security.

These attacks have now become highly profitable. In 2024, one study revealed that UK respondents paid an average of £870,000 with two organisations admitting to paying £10m-£20m in ransoms[4]. According to Sophos (which specialises in endpoint security), the median global ransomware payment made by victims over the past couple of years has also increased by 400% up from $400,000 to $2 million. Meanwhile the recovery costs to victims of a ransomware attack have also increased from $1.82 million to $2.73 million – a rise of around 50%[5].

Whether the ransom is paid or not, regulators and customers will very likely need to be notified of the attack under existing legislation, leading to the threat of an investigation, fines, claims and significant damage to an organisation’s reputation as their customers and suppliers learn of the attack.

The question of how to meet this threat faces governments across the globe.

Exploring the Home Office proposals

Banning ransomware payments

The idea of banning ransomware payment by certain organisations could be an effective deterrent to reduce ransomware attacks, with hackers looking elsewhere – hopefully overseas – for easier pickings that are permitted to pay out. The policy would follow the long-standing principle of the UK Government not to pay ransoms for its citizens taken hostage by terrorists.

However, a ban could be damaging to businesses. Paying a ransom can often be the fastest and most cost-effective way for an organisation to recover from these attacks.

The alternative to non-payment is trying to reset and restore an organisation’s system from backup (assuming regular backups exist) and a potentially catastrophic data loss. The business disruption that follows can be ruinous, both financially and reputationally.

According to Veeam’s 2024 Ransomware Trends Report, 96% of security professionals surveyed said that their backup repositories had been targeted, while a mere 15% were able to recover their data without paying a ransom[6].

That said, paying a ransom can be a risky business. The same report found that 27% of those organisations who had paid the ransom, were still unable to recover their data. In other words, while paying up might seem to offer a quick solution, there is no guarantee that it will resolve the problem.

‘Double dipping’ poses a further risk for victims. In such cases, a ransom is paid only for a further attack to follow a few days later. Or, even worse, an additional ransom is demanded to avoid the hacker publishing the compromised data or selling the information to the highest bidder.

This poses the question of whether the Government’s proposed limited ban goes far enough.

The focus on publicly owned bodies and operators of critical national infrastructure is a good start, given the obvious disruption that stems from the paralysis of these organisations. However, the policy risks hackers moving their attention away from these organisations, focusing their efforts on private companies who would still be permitted to pay a ransom. This could be particularly devastating for SMEs – which make up around 99.9% of the UK economy, but who lack the resources to mount an effective defence against, and response to, a ransomware attack[7].

A limited ban is not the only measure under consideration.

Reporting of all ransomware attacks

The mandatory reporting of all ransomware attacks by companies that meet a certain threshold is also proposed. This proposal is similar to that which has already been proposed in the Cyber Security and Resilience Bill, which is due to be put to Parliament this year.

The purpose of the reporting is to assist law enforcement agencies by giving them a better understanding of the scale and nature of attacks, in order to identify patterns and improve responses to such attacks, and stop them from spreading.

This would appear to be an obvious ‘win’. The more up-to-date information available, the better the future decision-making on how to combat the threat.

The question which then arises, however, is whether the Government will properly resource the authorities who will receive this data, to allow them to take effective steps to respond.

Decision to pay a ransom

Finally, the Home Office proposes that the decision to pay a ransom could be left to the authorities.

The idea of the authorities needing to approve (or not) the payment of ransoms, is likely to be unworkable. It assumes a level of dynamism and responsiveness from Government authorities that is unlikely to be achieved in practice. Taking this decision out of the hands of those who know the organisation and the data at risk best, would seem to be ill-advised.

It also remains to be seen how the Government proposes to enforce legislation against the payment of ransoms. Criminalising the victims of a ransomware attack for making a ransom payment would seem to be unduly punitive given that these organisations are the innocent parties in this situation.

The Government may consider substantial fines to be a more appropriate sanction in line with current legislation around data, such as the UK General Data Protection Regulation/Data Protection Act 2018.

Conclusion

It is clear that the time has come for decisive action to be taken in the battle against ransomware attacks, and the Home Office’s initial focus on critical infrastructure and the public sector is a welcome first step.

However, the consultation is light on detail as to the how the Government intends to enforce compliance, and around the resources that will be available to ensure the reporting of ransomware attacks informs an effective strategy to prevent these attacks from occurring and spreading.

If a limited ban on ransom payments is introduced, it is incumbent on the Government to ensure that support will be provided to soften the increased business interruption that will invariably follow in the private sector.

While these proposals rumble throughout Westminster, there are still steps businesses can take to improve their chances of avoiding an attack, or ensure they are able effectively to deal with one when it comes.

Training staff to identify potential ransomware and other cyber-attacks along with regular system checks, backups and patching, can be essential in mitigating against these threats. Cyber insurance can also provide valuable support and resources to deal with the consequences of an attack, along with a robust incident response plan which deals with how the business can operate in the face of a ransomware event.

For more information on our services relating to technology disputes, please see here

[1]                 https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[2]                  https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/latest-media-statement-on-synnovis-cyber-attack/#:~:text=As%20a%20result%20of%20the,St%20Thomas’%20NHS%20Foundation%20Trust.

[3]                  https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime#:~:text=The%20NCSC%20managed%20430%20cyber,services%20or%20the%20wider%20economy.

[4]                 Over Half of Breached UK Firms Pay Ransom – Infosecurity Magazine

[5]                  https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf

[6]                  https://www.primesys.co.uk/wp-content/uploads/2024/10/Veeam-2024-ransomware-trends-report.pdf

[7]                  https://www.gov.uk/government/statistics/business-population-estimates-2023/business-population-estimates-for-the-uk-and-regions-2023-statistical-release

James Lyons comments on private equity and retail businesses in Retail Sector

Posted on: April 7th, 2025 by Natasha Cox

Director in the Corporate and Commercial team, James Lyons, comments on the trend of private equity firms investing in retailers, and discusses how these growth strategies can benefit both business and private equity buyers.

James’ comments were published in Retail Sector, 4 April 2025, and can be found here.

Speaking with Retail Sector about the trend of publicly listed retailers taking private equity, James explains that “if the business continues to benefit from access to institutional capital, stock liquidity, and the other advantages that come with a listing, then remaining public makes sense.”

He states that there are challenges that come with this, noting “the costs of listing, the scrutiny, and the increased pressure, especially with rising employer and NI costs, all add up. When those burdens become greater than the benefits, it’s easy to see why more retail companies are opting to go private.”

Commenting on the recent acquisitions of Walgreen Boots Alliance by private equity, James told Retail Sector that “Sycamore’s acquisition of Walgreens includes Boots, but that’s just one part of the wider business. A number of commentators believe that Sycamore will likely spin off Boots to focus more on the US retail market. It’s possible we could see Boots reappear on the public markets, perhaps through a demerger and a new listing in the UK. Alternatively, it could be sold to another private equity firm or a trade buyer.

“While it’s hard to predict exactly what form it will take, I’m sure the brand will endure.”

James explains that, for private equity firms looking for retailers to invest in, “it’s about identifying where investment can generate increased returns over the next few years and ensuring the business is positioned for long-term sustainability. Take Boots, for example. Its pharmacy element is heavily regulated, which may be of interest to some private equity firms, but not necessarily to all.”

James also notes that “retailers that can leverage technology to strategically enhance their business are likely to attract more private equity interest. Ultimately, the future of retail is moving towards digital, making it a key area for private equity firms, rather than traditional high street retail.” 

Speaking on the evolution of this sector, James commented “Retail now is very different from what it was two decades ago. It’s a blend of the traditional high street and the rapidly expanding online retail sector. The rise of digital technology and AI interfaces has really shaped the way consumers shop today. Private equity firms bring both expertise and investment, particularly in the digital and e-commerce space. Traditional retailers may not have had the same level of expertise or know-how, and that’s where private equity can make a real difference.”

He goes on to argue that this is not the be all and end all of business, stating that “public listings can still be a credible option for the right business at the right point in its cycle, if done for the right reasons. So, I don’t see this as a long-term trend. For example, it’s not beyond the realms of possibility that Boots could come back to the public markets at some point, if it makes sense for the business.

James concludes by suggesting that, overall, the strategy of the private equity firms is key to such deals, and that these are questions retailers must consider

There has to be a commercial deal that works for both parties. What are the intentions of the new owner? What areas do they plan to invest in? Where do they see future growth? Is this the right owner to take the business to the next level?” 

To find out more about our Corporate and Commercial services, click here. To find out more about our services in the Retail sector, click here.