The government's proposed ransomware payment ban, impacting public sector bodies and operators of critical national infrastructure (CNI), is likely to come into force in 2026 and marks a significant shift in the UK's national cyber policy. The exact scope of the legislation remains to be seen, particularly whether the ban will extend to privately owned organisations within the public and CNI sectors, as well as their suppliers. In response, insurers will likely reassess underwriting appetite to reflect a changed risk exposure where ransom payments are no longer a viable recovery option. The objective of the legislation is to reduce the attractiveness of public and CNI sector targets to ransomware groups. However, this theory is untested, and the removal of ransom payments as a recovery option could increase the financial exposures of the sector. In the short term, this could affect the availability of cyber insurance capacity and limits of indemnity, and lead to amendments to policy conditions or the emergence of separate specialised cyber products for public bodies and operators of CNI.




