UK insurance industry begins to acknowledge role in tackling ransomware

BIRMINGHAM, United Kingdom — Britain’s National Cyber Security Centre (NCSC) announced during the CyberUK conference in Birmingham this week that it had developed new guidance with the insurance industry about how ransomware victims should respond to incidents.

Instead of a blanket instruction to not pay ransoms, the guidance encourages victims to instead “review alternatives, including not paying,” and states: “Decisions about payment should be informed by a comprehensive understanding – as much as is possible – of the impact of the incident.”

The guidance is the first time the NCSC and the insurance industry have jointly expressed a view on how businesses should handle ransomware attacks.

It follows a report commissioned by the NCSC and completed by the Royal United Services Institute (RUSI) that found there was no “compelling evidence” victims of ransomware attacks who had cyber insurance were more likely to pay than those without.

The RUSI report criticized the British government’s “black-and-white position” on making extortion payments, arguing that it has not helped the response to these attacks. The guidance from NCSC and the insurance industry subtly suggests this position may be softening.

But any change remains subtle. Felicity Oswald, the NCSC's chief executive, stressed that the agency still “does not encourage, endorse or condone paying ransoms, and it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches.”

The growing strength of the ransomware ecosystem has been a challenge to government for the past five years. Officials in Westminster have been urged to put more money behind operations to disrupt the gangs involved by experts who believe the current approach isn’t working.

“Ransomware remains the biggest day-to-day cyber security threat to UK organizations with attacks rising and the ransomware model continuing to evolve,” the NCSC stated, adding that it “continues to strongly discourage the payment of ransoms.”

Newly published regulator data shows that the United Kingdom was hit by more ransomware attacks last year than ever before, with several sectors — central government, local government, and the utilities sector — suffering more incidents in 2023 than in all previous years combined.

The new guidance does not meet several of the recommendations made by the RUSI report — including, independently of the insurance industry, that the government rethinks its approach to ransomware as a matter of urgency — although it suggests there is a developing relationship between the government and the insurance sector that could help develop those proposals in the future.

Among the recommendations in the RUSI report was that the insurance industry introduce a “requirement for policyholders to notify the NCSC and the NCA in the event of an attack and before a ransom is paid.”

The report also encouraged the insurance industry “to create a set of minimum ransomware controls based on threat intelligence and insurers’ claims data” that would be a basic requirement for companies that want their insurance policies to cover ransomware attacks.

Mervyn Skeet, the director of general insurance policy at the Association of British Insurers, said: “This collaborative guidance is another positive step towards tackling cyber crime across the UK, and we look forward to continuing to work with NCSC on this shared goal.”