James Watts, Managing Director, Databarracks
A recent report from the Royal United Services Institute (RUSI) has called for greater cooperation between government bodies, insurers, and cyber security specialists to establish best practice guidelines on dealing with cyber-attacks and ransomware.
In RUSI’s words: “A frequent accusation, which has become close to perceived wisdom in policymaking and cyber security discussions on ransomware, is that cyber insurance has incentivised victims to pay a ransom following a cyber incident, rather than seek alternative remediation options.”
The report is based on a 12-month research project by RUSI, the University of Kent, De Montfort University, and Oxford Brookes University.
It found no evidence that victims of ransomware who have cyber insurance are more likely to pay up than those who do not. It also states that the “conclusion that ransomware operators are deliberately targeting organisations with insurance has been overstated”.
Instead, it takes a closer look at the more likely drivers, including the profitability of the cybercrime business model, challenges around securing organisations of varying sizes, and the low cost and risk involved for cybercriminals.
Based on these observations, RUSI provides a list of nine recommendations. These focus largely on building greater understanding between the UK government and the cyber insurance industry – and suggest a significantly more proactive approach from both on shaping policy and best practice.
- Increase oversight by requiring evidence of negotiation strategies and outcomes.
- Establish minimum requirements for best practice through panels made up of industry experts.
- The UK government should commission a study to improve its understanding of specialist ransomware response firms.
- The UK government should explore a dedicated licensing structure for firms that facilitate crypto payments on behalf of ransomware victims. If they are registered money service businesses, they are subject to financial crime reporting requirements.
- Reach a consensus on what constitutes a reasonable last resort before a ransom is paid.
- Require in insurance policies that any payment of a ransom be reported to Action Fraud. This also depends on reforms to Action Fraud, including a new category for reporting ransomware, plus guarantees that reporting leads to real consequences for attackers and support for victims.
- To deepen operational collaboration with the insurance industry, the NCSC should seek to recruit secondees from the cyber insurance industry into the Industry 100 cyber security secondment scheme.
- To increase reporting of ransom payments, the Home Office and NCA should ensure that existing financial crime reporting mechanisms, specifically suspicious activity reports (SARs), are fit for reporting ransom payments or money laundering linked to ransomware.
A high number of ransomware attacks are never reported, and the resulting lack of information sharing makes it hard to get an accurate picture of the situation. RUSI’s finding that cyber insurance doesn’t necessarily incentivise ransom attacks is therefore an important one. For industry, it makes room for a better understanding of the factors that are actually having an impact in this space, which will be crucial in building best practice.
Ransomware attacks have increased dramatically in the last 12 months. From our research, the most common response to a ransomware attack is to pay the ransom – though recovering from backups has become a close second.
Organisations are now really appreciating the role of backups in ransomware recovery. Where before they may have been considered largely a compliance tool, or a fallback option in case of human error, backups are a key part of business continuity in a crisis.
It has always been our position that paying the ransom is the least favourable resolution when facing a ransomware attack. The best way to manage an attack is to recover from recent backups. It minimises downtime, which limits reputational damage, and removes a critical bargaining chip for the attackers.
The more organisations that can recover effectively from backups, the stronger the overall system becomes. If your company is attacked and you don’t have sufficient backups, you’ll feel forced to pay the ransom. This is further incentive for the attackers to try other companies, and so on. Fewer payouts disincentivise ransomware attacks altogether.
But the question for many organisations is, how do you strengthen your barrier to attacks in the first place? This is why, as the report points out, unified protocols and strategies based on industry experience and government buy-in are vital. If the response is disjointed, the defence will be full of holes.
Rather than being a catalyst for more ransom payments, the insurance industry comes across in the report as more of a neutral player. If anything, the report’s criticism is that insurers have not been proactive enough, not that they incentivise payouts.
The role it does play is to “instil discipline in both insureds and the ransomware response ecosystem”. Just as good locks are a requirement for home insurance, good cyber hygiene is an increasing requirement in order to obtain cyber cover. Insurance can influence organisations to make them more resilient and less likely to need a payout.
The recommendations don’t call for an outright ban on ransom payments.
Instead, the report argues for interventions that would result in fewer victims of cyber-attacks paying out ransoms. This has been another of the major areas of debate on how to stem the growth of ransomware attacks. While there are already bans on payments to known terrorist organisations, in all other cases the choice is left to the individual organisation to decide whether to pay out or not. This, in our opinion, is the right view. An outright ban would put further pressure on organisations at an incredibly difficult time. These interventions reduce the chance that an organisation feels forced to pay, and make sure organisations have an alternative to payment and can choose to refuse.