Major UK insurance associations unite with National Cyber Security Centre to combat ransomware
The Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA), International Underwriting Association (IUA) and GCHQ’s National Cyber Security Centre have united in a bid to strengthen UK cyber resilience and reduce ransom payments made by victims of cybercrime.
Following cross-sector collaboration, ABI, BIBA, IUA and NCSC have released guidance which seeks to improve market-wide ransom discipline, assist victims of ransomware in minimising operational disruption and costs in the event of an incident, and reduce ransom payments, with the aim of undermining the profit of cybercriminals.
The guidance, developed from an NCSC-sponsored research paper by the Royal United Services Institute (RUSI), sets out recommendations to support organisations, and associated third parties, that fall victim to ransomware attacks in making informed decisions. Considerations include a thorough assessment of business impact, reporting protocols, and where to access support. The three major insurance associations and NCSC have urged victim organisations to follow the steps set out in the guidance when considering whether to pay perpetrators following a ransomware incident.
Ransomware is a prominent cyber security threat facing UK organisations, and attacks are on the rise. Ransomware involves cyber-criminal groups gaining unauthorised access to an organisation’s network and using malware to encrypt files and prevent access to data, before demanding a ransom, often in cryptocurrency, in exchange for the decryption key needed to restore files and systems. Perpetrators also often extort victims further, threatening to publish or sell an organisation’s data unless the ransom is paid.
However, criminals will often lie about deleting data after a ransom is paid, retaining it to sell on to other criminals, or may resume extorting the organisation months, or even years, after the original attack. The lucrative nature of the ransomware business model incentivises criminals to grow and expand their activities, whilst its continuous evolution requires increasingly sophisticated cyber defences.
NCSC CEO Felicity Oswald commented:
“It’s really encouraging to see all corners of the insurance industry unite to support victim organisations with guidance that will help them to better understand their options and reduce harm and disruption to their businesses.”
“The NCSC does not encourage, endorse, or condone paying ransoms, and it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches. In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing. […] [t]his cross-sector initiative is an excellent next step in foiling the ransom business model”.
The release of the joint guidance addresses parliamentary recommendations made in December by the Joint Committee on the National Security Strategy (JCNSS), which called for “more detailed”, accessible guidance “on how best to avoid the payment of ransoms after an attack”.
The JCNSS also noted that, whilst cyber insurance could provide “a vital lifeline for ransomware victims, offering the sort of support and technical advice not offered by state agencies, as well as driving up cyber security standards through conditions of coverage”, there remains a “woeful lack of UK coverage”. The report cited rising premiums as making coverage unaffordable for many organisations.
However, insuring against cybercrime is highly complex and nuanced; many insurers are unable to quantify the risk well enough to quote for coverage, or are simply unprepared to risk potentially substantial losses or market failures by providing cover for such a nascent, ever-evolving crime. The JCNSS report cited various factors contributing to the hardening of the cyber insurance market: the increase in ransomware-as-a-service in 2018-2019 led to huge losses for some insurers, and a lack of reliable data regarding attacks has made it difficult for underwriters to secure evidence on which to base risk assessment calculations.
Further complications include the continuous advancement of cyber-attacks, their links to geopolitical conflicts, and potential liabilities associated with sensitive data held by organisations. Due to these variables, and the increasing diligence standards in insurance provision, coverage has become increasingly limited to organisations that already have sophisticated defences in place.
Yet, with cyber-crime rising, along with the significant risk of huge losses and disruption for victims, businesses and public finances, there have been calls for increased government intervention and collaboration with the insurance sector regarding cyber-attacks. The JCNSS has called on the government to “work with the insurance sector to establish a reinsurance scheme for major cyber-attacks, akin to Flood Re” to ensure the sustainability and accessibility of the market.
The release of the guidance from ABI, BIBA, IUA and NCSC, however, could signal a move towards greater collaboration and unity across sectors in a bid to protect the UK from cybercrime, specifically ransomware, and builds upon recent collective efforts to tackle the issue.
In 2023, NCSC created the Cyber Insurance Industry Working Group (CIIWG) to unite government, academics, and the insurance industry in their efforts to boost UK online resilience and transparency among organisations regarding cyber-attacks. In November of the same year, Counter Ransomware Initiative (CRI) members signed a joint statement denouncing ransomware and payments being made to cyber criminals and vowing to diminish criminal profits, the first international statement of its kind.
Regardless of what future cross-sector or international collaboration will bring, the threat posed by ransomware to UK cyber security cannot be ignored. More transparency regarding organisations’ experience of cybercrime, and unity in combating it and building robust defences, is required to tackle such a complex, multifaceted and sustained threat; therefore, the release of the joint guidance by NCSC and three major UK insurance associations sets a positive precedent for future endeavours.