Cyber Insurance , Fraud Management & Cybercrime , Governance & Risk Management

Cyber Insurers Pledge to Help Reduce Ransom Payments

Firms Back New Guidance for Victims From UK's National Cyber Security Center
Cyber Insurers Pledge to Help Reduce Ransom Payments
Felicity Oswald, CEO of the NCSC, detailed new ransomware guidance at CYBERUK on May 14, 2024. (Image: NCSC)

As ransomware continues to pummel Britain, the government's cybersecurity agency and three major insurance associations have pledged to offer better support and guidance to victims.

See Also: Safeguarding against GenAI Cyberthreats with Zero Trust

Goals for the joint initiative include reducing ransomware's profitability for criminals, improving organizations' resilience and ability to repel such attacks and helping victims to more quickly recover from such incidents without ever paying a ransom, said Britain's National Cyber Security Center - the public-facing arm of intelligence agency GCHQ.

Felicity Oswald, who's serving as interim CEO of the NCSC, announced the new joint initiative Tuesday at the annual NCSC-hosted CYBERUK conference - held this year in Birmingham, England - together with the release of new guidance for all organizations who might be considering paying a ransom.

"Ransomware continues to be the biggest day-to-day cybersecurity threat to most U.K. organizations," Oswald said in a keynote speech. "In recent months, law enforcement has dramatically reduced the global threat from ransomware by disrupting LockBit's activities and just last week unmasking and sanctioning one of its Russia-based leaders."

Nevertheless, officials continue to urge organizations to hone their defenses and constantly keep improving their resilience capabilities, to better repel hack attacks and avoid ever having to even consider paying a ransom.

"The NCSC does not encourage, endorse or condone paying ransoms, and it's a dangerous misconception that doing so will make an incident go away or free victims of any future headaches," Oswald said. "In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing."

The insurance sector participants in the new initiative are the Association of British Insurers, the British Insurance Brokers' Association and the International Underwriting Association. All have pledged to encourage their policyholders to work through the NCSC's new guidance.

Despite fewer victims now appearing to pay a ransom, ransomware groups collectively received record-breaking profits of at least $1 billion last year, said blockchain analytics firm Chainalysis.

Insurers said the ongoing focus on boosting domestic resilience as well as offering victims recovery pathways that don't involve paying a ransom stand to take a bigger bite out of the illicit business model. "The payment of ransoms in response to cyberattacks is on a downward trend globally," said Helen Dalziel, director of public policy at the International Underwriting Association. "Businesses are realizing that there are alternative options and this guidance further illustrates how firms can improve their operational resilience to resist criminal demands."

Among other recommendations, the guidance urges any organization that falls victim to ransomware to work with "objective external experts such as insurers, the NCSC, law enforcement or cyber incident response companies" that have experience in dealing with ransomware attacks. It also advises victims to "review alternatives, including not paying," and cautions that paying a ransom won't erase any regulatory requirements, such as potentially having to notify the Information Commissioner's Office about any resulting data breach.

The new guidance reflects an NCSC-sponsored research paper published last year by the Royal United Services Institute, or RUSI, which outlines in part how paying a ransom doesn't guarantee better outcomes for victims (see: Study Downplays Cyber Insurance as Incentive to Pay Ransom).

The RUSI paper also details how working with cyber insurers gives victims access to incident response and crisis management services they might not otherwise have, which can lead to better outcomes, such as faster and more complete recovery. Thanks in part to such help, the RUSI reported that unlike even just a few years ago, paying a ransom today is largely viewed as "a last resort" strategy by victims.

The joint NCSC and insurance association announcement builds on recommendations for combating ransomware issued by the public/private Ransomware Task Force, which the Institute for Security and Technology launched in 2020. The task force in 2022 called on the cybersecurity community to "develop a clear, actionable framework for ransomware mitigation, response and recovery," in part by detailing best practices for focusing "on the critical actions needed to defend against the most common cyberattacks."

The new guidance also responds to Parliament's Joint Committee on the National Security Strategy, which last December issued recommendations following a yearlong review of the country's ransomware response posture.

One of the committee's recommendations was that "the NCSC must produce more detailed guidance - accessible to a non-technical audience - on how best to avoid the payment of ransoms after an attack, including negotiating techniques and sources of support for smaller organizations."

The committee also said the state of Britain's U.K. cyber insurance market was "in an extremely poor state," with poor price controls and demand far outstripping capacity, and suggested the Conservative government of British Prime Minister Rishi Sunak pursue "alternative models for support or intervention," such as a government-backed reinsurance plan for cyber insurance, similar to what the government did after widespread flooding in 2012 left many homeowners unable to access home insurance.

Deputy Prime Minister Oliver Dowden declined that recommendation on the grounds that it would "damage competition." He also declined to endorse another recommendation from the committee that all ransomware victims be required to confidentially report to the government precise details about any successful ransomware attack they suffered within three months of being hit. The committee said such transparency would help the NCSC and law enforcement better combat ransomware attacks and assist victims.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.