
UK Insurance and NCSC Collaborate to Combat Ransomware Payments


Three major UK insurance associations have come together with the UK’s National Cyber Security Centre (NCSC) to address the issue of ransom payments. The collaboration aims to reduce the number of ransom payments made by UK victims.

The Association of British Insurers (ABI), the British Insurance Brokers’ Association (BIBA), and the International Underwriting Association (IUA) have joined forces with the NCSC to publish new best practice guidance. The main objective of this guidance is to decrease the frequency of payments made by UK victims in ransomware incidents.

The coalition’s initiative stems from a research paper sponsored by the NCSC in collaboration with the Royal United Services Institute (RUSI) and published in 2023. The paper provided several recommendations for insurers and the government on how to reduce the likelihood of ransom payments following a ransomware attack. The newly developed guidance is based on these recommendations, aiming to serve as a comprehensive framework for organizations facing ransomware incidents.

While the guidance is non-mandatory, it seeks to prevent hasty decisions to pay ransom in the event of a ransomware attack. By following the outlined steps, victim organizations can ensure a more informed and strategic approach to dealing with such incidents.

The NCSC’s new guidance emphasizes the importance of conducting a thorough assessment of the business impact, establishing clear reporting protocols, and knowing where to access sources of support. These considerations are crucial in enabling organizations to make well-informed decisions when faced with ransomware demands.

During the recent CyberUK conference in Birmingham, NCSC CEO Felicity Oswald highlighted the detrimental impact of ransom payments on fueling cybercrime. She emphasized that every ransom paid serves as an incentive for criminals to perpetuate their malicious activities, ultimately contributing to the proliferation of cyber threats.

Oswald made it clear that the NCSC does not endorse or encourage ransom payments, as doing so only validates and rewards cybercriminal behavior. Paying a ransom does not guarantee resolution of an incident or protection against future attacks; instead, it reinforces the perception that such attacks are lucrative and worth pursuing.

The Information Commissioner’s Office (ICO) also does not view ransom payments as a valid risk mitigation strategy. It stated that making a payment to attackers would not mitigate any penalties imposed in the event of a data breach or cyber incident.

In light of these concerns, the collaboration between insurers, government agencies, and cybersecurity experts represents a proactive step towards mitigating the ransomware threat. By promoting alternative options and strengthening operational resilience, the guidance aims to disrupt the ransom business model and make UK organizations more resilient against cyber threats.

Helen Dalziel, Director of Public Policy at IUA, highlighted the downward trend in ransom payments globally and emphasized the importance of organizations exploring alternative strategies to combat cyber extortion. The guidance serves as a valuable resource for firms looking to enhance their operational security and resist criminal demands.

Furthermore, Oswald underscored the correlation between obtaining a Cyber Essentials certificate and lower insurance claim rates. Organizations that have achieved this certification are significantly less likely to file insurance claims, indicating the effectiveness of implementing security controls and resilience measures.

Despite the guidance provided by the NCSC and its partners, the decision to pay a ransom ultimately rests with the victim organization. The global cyber insurance market is projected to reach $90.6 billion by 2033, reflecting the growing demand for insurance coverage against cyber threats.

In conclusion, the collaborative efforts of UK insurers and the NCSC underscore the importance of adopting a strategic and informed approach to ransomware incidents. By resisting ransom payments and enhancing resilience measures, organizations can better protect themselves against cyber threats and contribute to the collective fight against cybercrime.
