UK Insurance and NCSC Join Forces to Fight Ransomware Payments

Three major UK insurance associations have united with the UK’s National Cybersecurity Centre (NCSC) in an attempt to tackle ransom payments.

The insurers and government agency have published new best practice guidance which aim is to reduce the number of payments being made by UK victims.

The cross-sector coalition comprising the Association of British Insurers (ABI), the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA) is urging victim organizations to adhere to the steps outlined in guidance for organizations considering payment in ransomware incidents.

The new guidance has been developed from a NCSC-sponsored research paper by the Royal United Services Institute (RUSI), published in 2023. The paper made several recommendations for insurers and the government to reduce the likelihood of ransom payments being made after a ransomware attack.

The guidance is non-mandatory but aims to prevent a knee-jerk reaction to paying when an orgnaization finds itself dealing with a ransomware incident. 

Read more: How Cyber Insurance Can Work Better for Businesses in 2024

Considerations in the NCSC’s new guidance includes the thorough assessment of business impact, reporting protocols and where to access sources of support.

Ransoms Fuel Cybercrime

Speaking during the NCSC’s CyberUK conference in Birmingham, NCSC CEO Felicity Oswald said: “Every ransom paid provides incentives for criminals to expand their activities. As a citizen or a consumer of a company’s services I don’t want organisations that I trust to be doing the equivalent of leaving a carrier bag full of used bank notes in a dark alley. “

The NCSC does not encourage, endorse or condone paying ransoms. In a statement, Oswald said it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches. In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing.

The Information Commissioners Office (ICO) also does not consider a payment to criminals who have attacked a system as a risk mitigation. The ICO would not reduce the amount of any penalty if a payment was made.

“This cross-sector initiative is an excellent next step in foiling the ransom business model: we’re proud to support work that will see cybercriminals’ wallets emptier and UK organizations more resilient,” she said.

IUA Director of Public Policy Helen Dalziel said: “The payment of ransoms in response to cyber-attacks is on a downward trend globally. Businesses are realizing that there are alternative options and this guidance further illustrates how firms can improve their operational resilience to resist criminal demands.”

Oswald also noted that organizations that have gained a Cyber Essentials certificate are 92% less likely to make an insurance claim.

“Cyber insurance is an added incentive for organizations to implement security controls and resilience measures,” she added.

Despite the new guidance and the words of caution from the NCSC and its partners, the NCSC noted the ultimate decision whether to pay the ransom is with the victim.

The global cyber insurance market is projected to be worth $90.6bn by 2033, according to an analysis by Market.Us.