The Association of British Insurers (ABI), the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA) have joined with the National Cyber Security Centre (NCSC) in a coalition aiming to toughen approaches to ransomware payments and bring down the volumes of such payments made by UK organisations.
Launched on the opening day of the NCSC’s annual CyberUK jamboree, the coalition is backed by guidance that has its genesis in a Royal United Services Institute (RUSI) research paper published in 2023. It also “robustly addresses” recommendations made by the Parliamentary Joint Committee on the National Security Strategy (JCNSS) last December.
It sets out a series of recommendations to empower organisations and associated third parties to make better-informed decisions should they fall victim to a ransomware attack, helping to minimise the disruption arising from, and the costs associated with, an incident.
Among the considerations it sets out are the need to conduct a thorough assessment of business impact, to follow proper reporting protocols, and to access appropriate sources of support. The JCNSS said previously that the insurance sector had a key role to play in supporting victims, and could even act as a convenor of cyber incident response in some cases.
“It’s really encouraging to see all corners of the insurance industry unite to support victim organisations with guidance that will help them to better understand their options and reduce harm and disruption to their businesses,” said NCSC interim CEO Felicity Oswald.
“The NCSC does not encourage, endorse or condone paying ransoms, and it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches. In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing.
“This cross-sector initiative is an excellent next step in foiling the ransom business model: we’re proud to support work that will see cyber criminals’ wallets emptier and UK organisations more resilient,” she said.
“We’re pleased to be working with NCSC, BIBA and the IUA on strengthening cyber resilience and supporting customers affected by ransomware attacks,” said ABI director of general insurance policy Mervyn Skeet.
“Following the launch of our Cyber Safety Tool for SMEs last year, this collaborative guidance is another positive step towards tackling cyber crime across the UK, and we look forward to continuing to work with NCSC on this shared goal.”
BIBA deputy head of general insurance Shaune Worrall added: “BIBA was proud to work with the ABI, IUA and the NCSC on this important guidance. It could help businesses form their response to one of the greatest risks to their organisation’s ability to trade: a ransomware attack.”
Helen Dalziel, director of public policy at the IUA, said: “The payment of ransoms in response to cyber attacks is on a downward trend globally. Businesses are realising that there are alternative options and this guidance further illustrates how firms can improve their operational resilience to resist criminal demands.”
Raghu Nandakumara, head of industry solutions at Illumio, applauded the new guidance and said he fully endorsed the goals behind it.
“At the same time, we also need to see more guidance to help businesses build resilience and contain attacks. More often than not, recovery plans are inadequate or have not been properly tested, which makes them unviable when a real incident does occur,” said Nandakumara.
“As a result, organisations are left with no choice but to pay the ransom to restore operations and productivity levels as quickly as possible. The NCSC should encourage businesses to adopt an ‘assume attack’ mindset. This is not admitting defeat, instead it focuses on preparing to respond effectively to a cyber incident and building resilience.”
Don’t pay the ransom
With ransomware remaining the biggest day-to-day cyber threat facing UK organisations – even reckoning with the impact of successful actions against prominent cyber gangs such as LockBit – the NCSC continues to strongly discourage the payment of ransoms.
Giving in to cyber criminal demands guarantees neither a swift end to an incident nor the removal of malicious software from compromised systems. What it does do is incentivise cyber criminals to continue attacking new victims and to expand their operations, and, as was frequently seen with LockBit, even when paid to delete stolen data, the attackers will generally hang on to it.
With this in mind, many cyber security experts are increasingly coming around to the idea of banning payments outright. Writing in Computer Weekly recently, Allan Liska of Recorded Future said: “Nothing else we do – at least are willing to do – is working…Is it a good idea? No. Will anyone be happy with how it is implemented? No…But, ultimately, it may be the least bad option available to us.”