Three major UK insurance associations have joined forces with the UK’s National Cyber Security Centre (NCSC), a part of GCHQ and the UK’s technical authority for cyber security, to publish new joint guidance (the Guidance) for organisations facing the thorny question of whether to pay in a ransomware case. According to one cybersecurity firm, victims worldwide paid nearly $350 million in ransom in 2020, a more than 300% increase on 2019, and the average payment rose by 170% to $312,000.

As detailed in our previous article summarising the NCSC’s 2023 annual review, ransomware remains the biggest day-to-day cyber security threat to UK organisations, with attacks rising and the ransomware model continuing to evolve. As well as being locked out of their data, victims of ransomware increasingly face an extortion threat, where the attacker threatens to publish or sell stolen data unless a ransom is paid. Even after payment, a victim may discover that the attacker has lied about deleting the data and is trying to sell it to other criminals for profit.

The NCSC has always advised businesses and individuals not to make ransomware payments. On 2 November 2023, the UK Government announced that it and more than 40 countries had signed a Joint Statement strongly discouraging the payment of ransomware demands and pledging that central government funds should not be used to pay ransoms to cyber criminals. However, the reality is that some businesses, whose entire IT systems and data may have been compromised, do contemplate paying out, notwithstanding the complex legal, financial, reputational, practical and regulatory risks involved.

The Guidance seeks to toughen the insurance sector’s approach to ransom payments and cut into cyber criminals’ profits by improving market-wide ransom discipline and reducing the number (and size) of ransoms paid by victims. The cross-sector coalition, comprising the Association of British Insurers (ABI), the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA), is urging victim organisations to follow the steps set out in the Guidance, which aim to help organisations make informed decisions and minimise the disruption and cost of a ransomware incident.

Whilst the NCSC continues to strongly discourage the payment of ransoms, the Guidance acknowledges that the ultimate decision whether to pay the ransom rests with the victim. It emphasises that incident preparedness is key and includes links to associated NCSC guidance, including how to develop an incident management capability and prevent ransomware in the first place.

The Guidance recommends the following steps:

  • Avoid panicking – slowing down to review the options will improve decision-making and lead to a better outcome.
  • Review alternatives, including not paying – payment may not be the only way to recover; there may be viable back-ups or unexpected ways to recover systems and data (partially or fully). The use of publicly available decryption keys may also be an option.
  • Record your decision making – maintaining a careful record of the incident response, decisions made, actions taken and data captured (or missing) is key for post-incident reviews, lessons learned and/or presenting evidence to a regulator. During an incident, record decision making offline or on systems that are not affected.
  • Where possible, consult experts – external experts such as insurers, the NCSC, law enforcement or cyber incident response (CIR) companies familiar with ransomware incidents can improve the quality of decision making (insurers often provide recommended CIRs). Organisations with cyber insurance should report the attack to their insurer/broker, and those with outsourced IT should engage their IT provider.
  • Involve the right people from across the organisation in the decisions, including technical staff.
  • Assess the impact – payment decisions should be informed by a comprehensive understanding of the business impact, including on operations and finances (costs may include business interruption, security improvement work, staff overtime, legal expenses and regulatory fines). Assess what data was compromised and how sensitive it is, consider taking legal advice and whether you need to notify the ICO and/or data subjects, evaluate the risks to life, vulnerable groups or national security if the data were published, and try to verify any claims about the nature or amount of data stolen.
  • Investigate the root cause of the incident to avoid a repeat attack.
  • Be aware that payment does not guarantee access to your devices or data – even where a decryption key is obtained, it is unlikely to lead to an immediate return to business as usual. Restoring from back-ups may prove quicker than running a decryptor.
  • Consider the correct legal and regulatory practice around payments – payments may be unlawful, e.g. if made to an entity or area sanctioned by the UK. The Government’s financial sanctions guidance for ransomware notes that ransomware payments are unlikely to be considered appropriate for an Office of Financial Sanctions Implementation (OFSI) licence (which effectively authorises an act that would otherwise breach financial sanctions prohibitions).
  • Know that paying a ransom does not fulfil your regulatory obligations – the ICO does not consider a ransom payment to be a risk mitigation, and it will not reduce any penalty levied.
  • Report the incident to UK authorities – if the incident is of national significance, engaging with the NCSC brings many benefits, e.g. it will manage engagement with other authorities, and early engagement may result in a more favourable regulatory response.

Across the pond, amid growing concerns that the rise in ransomware attacks and the growing payments made by victims may have significant implications for cybersecurity, financial stability and the cyber insurance market, a new US law has been proposed which would compel US businesses to disclose any ransomware payment within 48 hours of the transaction. The bill aims to bolster the US government’s understanding of how cybercriminal enterprises operate and to develop a fuller picture of the ransomware threat. This move towards greater transparency follows the introduction last year by the US Securities and Exchange Commission of a rule requiring the disclosure of material cybersecurity incidents within four days; Live Nation’s Form 8-K filing following the ransomware attack on Ticketmaster is a recent, well-publicised example.

There were also rumours of similar proposals potentially being put out to consultation in the UK before the election announcement. On 28 May 2024, Stephen McPartland MP published the McPartland Review of Cyber Security and Economic Growth following a "Call for Views" and a series of 26 evidence sessions with industry participants, including business organisations, academics, law firms, IT (including forensics) providers and insurers. The review included specific recommendations that the Government "tighten the rules" on ransom payments by increasing reporting obligations and potentially seeking market-driven "rewards", such as lower insurance premiums, for organisations which resist extortion attempts. The proposals reportedly include a scheme whereby victims would need to obtain a licence to make any ransom payment, as well as a complete ban on ransom payments by organisations involved with critical national infrastructure. Whether these proposals come to fruition post-election remains to be seen. Watch this space for further ransomware and wider cyber-related updates.