
By Rebecca Delaney
July 2 - (The Insurer) - Twelve weeks on from the conclusion of the UK government consultation on plans to reduce ransomware payments, insurers are awaiting clarity on what these measures may mean for firms’ operational and security risks.
Coalition's Seymour: Ban won't impair value proposition of cyber insurance product
Ransomware payment prevention scheme may help uninsured businesses 'in theory'
Resilience's Egglestone: Government policy should build on improvements in cyber insurers' security standards
In February, the UK government launched a consultation on a proposed ransom payment ban for public sector organisations and regulated private sector critical national infrastructure. The consultation aimed to determine whether a ban would be effective in deterring cybercriminals from targeting these types of organisations.
Tom Egglestone, global head of claims at Resilience, told Cyber Risk Insurer that while the proposals indicate an important step towards curbing cybercrime, there are concerns in the market that a blanket ban may create new operational and security risks for critical infrastructure and other “high-stakes” sectors.
“A one-size-fits-all policy risks undermining existing best practice and could slow recovery when time is critical. Instead, a more targeted restrictions approach deters unnecessary payments without compromising rapid recovery when it matters most,” he said.
Egglestone said recent high-profile cyber incidents, such as the attack on Marks & Spencer, highlight how even large, well-resourced organisations can be caught off guard.
“M&S have not confirmed whether they paid the criminals an extortion fee. What we can say is that, as part of the decision-making process all companies affected by cyberattacks must do, they will have weighed up all of their options to restore their operations and protect their business,” he said.
“A blanket ban would have removed at least one significant option to bring systems back up and running and prevent further loss and disruption to M&S’s customers.”
Sezaneh Seymour, vice president and head of regulatory risk and policy at Coalition, argued that a ban would “re-victimise” businesses that have been subject to a cyberattack.
“Our concern with a ban at the moment is that we believe it will only exacerbate the problem that government seeks to solve, because it doesn't address what we feel is the root cause of ransomware, which is widespread digital insecurity,” she said.
“A ban would only re-victimise businesses, especially many smaller businesses when paying a ransom might be the only thing available between survival and permanently shuttering their doors.”
Seymour continued that while it is too early to ascertain any impacts of a ban on the cyber insurance market, the core value of cyber insurance will remain relevant in the marketplace.
“If there's a ban, that would require the sector to change some aspects of their policies, including what's covered. But that's not really why Coalition and other insurers like us are sceptical of the efficacy,” she explained.
“Cyber insurance will continue to be in demand because it's much more than ransom coverage. In fact, data indicates that the actual ransom payment when it's paid is far lower than other costs like incident response, legal defence, business interruption, data recovery, etc. So the core value of cyber insurance will remain.”
The consultation’s second proposal on a ransomware payment prevention scheme would require a ransomware victim to engage with the authorities and report their intention to make a ransom payment before doing so.
Seymour suggested that this proposal may be more useful for businesses that do not purchase cyber insurance and therefore do not have access to ancillary services around incident response, although she questioned the effectiveness and speed of such a process.
“One of the values of insurance is that when a victim has a cyber insurance policy, they contact their insurer and they get all of that assistance,” she said.
“It might help businesses that don't have insurance. Entities that are hit that have no insurance have nobody to call. But by adding an additional layer of bureaucracy, while it may add some value, our concern is that in practice, it actually will inject more costs and potentially have unforeseen cascading consequences that are bad for public policy.”
REPORTING REGIME
The consultation’s third proposal centred on threshold-based mandatory reporting requirements for suspected victims of ransomware.
Proposals for the ransomware incident reporting regime included an initial report within 72 hours (a common timeframe in other jurisdictions, such as Australia) declaring an incident, including information on whether a ransom demand has been received, whether the ransomware group is identifiable at this stage, and if the organisation can recover from existing resilience measures.
A detailed report including the vector of access, implementation of resilience measures, and any further details on the attack would be required within 28 days of the event.
“In 28 days, you will know some information about the incident, but it's entirely the case that organisations may still be learning about details of the incident for months,” said Seymour.
“While we're very supportive of reporting, we would hope that the government would take steps to make sure that the impact and cost of reporting is minimised on some of the smallest organisations, and that only the information that's absolutely necessary is collected.”
Egglestone affirmed that while mandatory incident reporting is important, it also requires a clear, efficient and valuable system for reporting organisations.
“Combatting ransomware requires a nuanced implementation strategy that combines strong deterrence with operational flexibility, leverages the expertise already in place, and ensures reporting is a two-way street,” he said.
“Government policy has an important role to play and can be most effective when it builds on what already works. Cyber insurance has helped raise security standards and promote responsible behaviour. Future initiatives should aim to reinforce these gains and foster a collaborative approach to resilience.”