A renowned think tank has urged the government to conduct a thorough investigation into the possibility of banning ransom payments as part of a revamp of the cyber-insurance sector. The Royal United Services Institute (RUSI), based in London, has released a new paper titled “Cyber Insurance and the Cyber Security Challenge,” highlighting the lack of progress in encouraging better security practices among organizations through insurance incentives.
The paper specifically points out the significant challenge posed by ransomware attacks, where insurance reimbursements for payments to threat groups are believed to exacerbate the problem. The authors of the report have called for an urgent policy review by the National Security Secretariat to evaluate the potential ban on ransom payments and provide actionable recommendations within a timeframe of three to six months. The review is expected to involve consultations with various government departments, intelligence agencies, law enforcement, and industry stakeholders, as part of a broader UK government initiative to combat ransomware.
However, the report also acknowledges the potential unintended consequences of a blanket ban on ransom payments, such as driving payments underground and the need for exemptions for critical infrastructure providers. It suggests an alternative approach in which insurers cease to cover ransom payments, following the example recently set by AXA. This move alone may not have a significant impact on ransomware operations: the need to keep services running often drives victims to pay regardless, and many victims pay without having cyber-insurance coverage at all.
In addition to exploring the ban on ransom payments, the report emphasizes the importance of fostering collaboration between insurers, the National Cyber Security Centre (NCSC), government, and law enforcement agencies. It suggests that insurers could play a crucial role in improving cybersecurity by implementing contractual obligations that require policyholders to notify law enforcement before making ransom payments. Furthermore, insurers could work closely with the NCSC and security partners to establish minimum ransomware controls in policies, including timely patching, multi-factor authentication, network segmentation, and regular backups.
The report also proposes leveraging insurers’ access to data on ransomware incidents to enhance cybersecurity among small and medium-sized businesses (SMBs). By aligning with the government’s Cyber Essentials scheme, insurers can set a baseline of required security controls for policyholders. Partnerships with managed security service providers, cloud service providers, and threat intelligence providers can also improve insurers’ understanding of the threat landscape and enhance policyholders’ security posture.
To support these initiatives, the government should facilitate the sharing of breach notification data with the insurance industry, establish a cyber-insurance data-sharing exchange, and review any legislation that hinders information sharing. By implementing these recommendations, the cyber-insurance industry can play a more proactive role in mitigating cyber threats and promoting better cybersecurity practices among organizations.