A renowned think tank, the Royal United Services Institute (RUSI), has called for urgent government action to consider banning ransom payments in the cyber-insurance industry. In a new report titled “Cyber Insurance and the Cyber Security Challenge,” RUSI highlighted that the current insurance system has failed to encourage better security practices among organizations.
Ransomware attacks pose a significant challenge, with insurance reimbursements to threat groups viewed as exacerbating the problem. The report urged the National Security Secretariat to conduct a policy review on the possibility of banning ransom payments, with actionable recommendations expected within three to six months. This review would involve consultations with government departments, intelligence agencies, law enforcement, and industry stakeholders.
However, RUSI cautioned that a blanket ban on ransom payments could have unintended consequences, such as driving payments underground. Critical infrastructure providers may require exemptions to prevent threat actors from targeting them specifically. One suggested alternative is for insurers to cease coverage for ransom payments, following the example of AXA. Nonetheless, this approach may not significantly impact ransomware operations as the need to maintain services remains a strong incentive for victims.
The report proposed closer collaboration between insurers and cybersecurity agencies like the National Cyber Security Centre (NCSC) and law enforcement. Insurers possess valuable data on ransomware incidents, including details on cryptocurrency wallets used by threat actors. RUSI recommended pressuring insurers to include contractual obligations for policyholders to notify law enforcement immediately post-attack and before making any ransom payments.
In the long term, insurers could enhance baseline security by incorporating minimum ransomware controls into policies. These controls may include timely patching, multi-factor authentication, network segmentation, and regular backups. RUSI suggested aligning SMB cybersecurity requirements with the government’s Cyber Essentials scheme to improve overall security posture.
Insurers could benefit from partnerships with managed security service providers, cloud service providers, and threat intelligence providers to enhance threat intelligence and understand policyholders’ security posture. The government should facilitate breach notification data sharing with the insurance industry, establish a cyber-insurance data-sharing exchange, and review legislation hindering information sharing.
By implementing these recommendations, the cyber-insurance industry can play a more proactive role in combating ransomware and bolstering overall cybersecurity practices. The collaboration between insurers, government agencies, and cybersecurity partners is crucial in addressing the evolving threat landscape effectively.