rusi.org
URL:
https://rusi.org/explore-our-research/publications/occasional-papers/cyber-insurance-and-ransomware-challenge
Submission: On August 01 via api from TR — Scanned from DE
Occasional Papers

CYBER INSURANCE AND THE RANSOMWARE CHALLENGE

Jamie MacColl, James Sullivan, Dr Jason R. C. Nurse, Gareth Mott, Sarah Turner, Edward Cartwright and Anna Cartwright

31 July 2023

Main Image Credit: Courtesy of Torsten / Adobe Stock

A study examining the role of cyber insurance in addressing the threats posed by ransomware.

EXECUTIVE SUMMARY

The cyber insurance industry has been heavily criticised for providing coverage for ransom payments. A frequent accusation, which has become close to perceived wisdom in policymaking and cyber security discussions on ransomware, is that cyber insurance has incentivised victims to pay a ransom following a cyber incident, rather than seek alternative remediation options. Over a 12-month research project, researchers from RUSI, the University of Kent, De Montfort University and Oxford Brookes University conducted a series of expert interviews and workshops to explore the relationship between cyber insurance and ransomware in depth. This paper argues that there is, in fact, no compelling evidence that victims with cyber insurance are much more likely to pay ransoms than those without.

Ransomware remains one of the most persistent cyber threats facing the UK. Despite a range of government, law enforcement and even military cyber unit initiatives, ransomware remains lucrative for criminals.
During this research, we identified three main drivers that ensure its continued success:

* A profitable business model that continues to find innovative ways to extort victims.
* Challenges around securing organisations of all sizes.
* The low costs and risks for cybercriminals involved in the ransomware ecosystem, both in terms of the barriers to entry and the prospect of punishment.

Despite this perfect storm of factors, the cyber insurance industry has been singled out for criticism with the claim that it is funding organised cybercrime by covering ransom payments. In reality, cyber insurance’s influence on victim decision-making is considerably more nuanced than the public debate has captured so far. While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organisations with insurance has been overstated.

However, the insurance industry could do much more to instil discipline in both insureds and the ransomware response ecosystem in relation to ransom payments to reduce cybercriminals’ profits. Insurers’ role as convenors of incident response services gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort. But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and shared best practices around ransomware response. This has not been helped by the UK government’s black-and-white position on ransom payments, which has created a vacuum of assurance and advice on best practices for ransom negotiations and payments.

This paper does not advocate for an outright ban on ransom payments or for stopping insurers from providing coverage for them.
Instead, it makes the case for interventions that would improve market-wide ransom discipline so that fewer victims pay ransoms, or pay lower demands. Ultimately, this involves creating more pathways for victims that do not result in ransom payments.

Beyond ransom payments, cyber insurance has a growing role in raising cyber security standards, which could make it more difficult to successfully compromise victims and increase costs for ransomware operators. Successive years of losses from ransomware have led to more stringent security requirements and risk selection by underwriters. Although the overall effect of this on the frequency and severity of ransomware attacks remains to be seen, by linking improvements in security practices to coverage, cyber insurance is currently one of the few market-based levers for incentivising organisations to implement security controls and resilience measures. However, continued challenges around collecting and assessing reliable cyber risk and forensic claims data continue to place limits on the market’s effectiveness as a mechanism for reducing ransomware risk. This, along with cyber insurance’s low market penetration, makes clear that cyber insurance should not be treated as a substitute for the legislation and regulation required to improve minimum cyber security standards and resilience. Insurers are also commercial entities that primarily exist to help organisations transfer risk, rather than to improve national security and societal cyber resilience.

The cyber insurance industry could be a valuable partner for the UK government through increased ransomware attack and payment reporting, sharing aggregated claims data, and distributing National Cyber Security Centre (NCSC) guidance and intelligence to organisations. However, the government has not made a compelling enough case to insurers and insureds about the benefits of doing so. Instead, it has relied on appealing to their general sense of altruism.
While insurers will benefit if governments are able to generate more accurate and actionable data on ransomware, albeit indirectly, this needs to be sold to the industry in a more convincing way.

Some principles and recommendations for both the insurance industry and the UK government are listed below. These are not designed to solve all the challenges of the cyber insurance market, nor do they present wide-ranging solutions to the ransomware challenge. Instead, they focus on where the cyber insurance industry can have the most impact on key ransomware drivers. This reflects the fact that disrupting the ransomware economy involves applying pressure from different angles in a whole-of-society approach. The recommendations also start from the position that the UK government’s light-touch approach is unsustainable and requires more intervention in private markets that are involved in ransomware prevention and response. While they are specifically aimed at UK policymakers, regulators and insurers, they may be applicable to other national contexts.

RECOMMENDATIONS

Recommendation 1: To increase oversight of ransomware response, insurers should use policy language to require that insureds and incident response firms provide written evidence of negotiation strategies and outcomes.

Recommendation 2: To develop and drive ransomware response best practices across the market, insurers should select specialist ransomware response firms for panels that meet a set of pre-defined minimum requirements. These should include:

* A proven track record of both regularly achieving outcomes that do not result in ransom payments, and of operational relationships with law enforcement and cyber security agencies.
* Conducting sanctions risk assessments.
* Compliance with anti-money laundering laws and FATF (Financial Action Task Force) standards.
* Ensuring payment firms that make payments on behalf of UK victims are registered with relevant financial authorities in the UK.
Recommendation 3: The UK government should commission a study to improve its understanding of specialist ransomware response firms. This should aim to identify common best practices and key market players, and create a framework for benchmarking the quality of their services and products. These findings can be distributed to trusted partners in the insurance industry. To drive best practices in ransomware response and create more oversight of the incident response ecosystem, the NCSC, National Crime Agency (NCA) and international partners should also explore the feasibility and potential implications of creating a dedicated assurance scheme for firms that provide specialist ransomware services such as decryption, recovery, negotiations and payments.

Recommendation 4: To increase reporting of ransom payments, the UK government and international partners should explore creating a dedicated licensing regime for firms that facilitate cryptocurrency payments on behalf of ransomware victims. In the short term, the UK government should follow the example set by the US government and also ensure that ransomware response firms that facilitate payments are registered as money service businesses in the UK and therefore subject to national financial crime reporting requirements.

Recommendation 5: To reach a market-wide consensus on what constitutes a reasonable last resort before a ransom payment is made, insurers should agree on a set of minimum conditions and obligations in ransomware coverage to ensure alternatives are explored first. These should include sanctions due diligence, a requirement to notify law enforcement and written evidence that all options have been exhausted.
Recommendation 6: To increase ransomware reporting and ensure victims are able to access any relevant law enforcement and NCSC support, insurers should specify that any ransomware coverage must contain a requirement for policyholders to notify Action Fraud (the UK’s national centre for reporting fraud and cybercrime) and the NCSC before a ransom is paid. If there is no progress on this recommendation without intervention, then regulators should intervene to compel insurers to include this obligation in coverage. However, this recommendation also depends on the implementation of long-promised but delayed reforms to Action Fraud. These should include creating a dedicated category for reporting ransomware. Law enforcement and the NCSC must also provide assurances to insurers that they have the capabilities to support victims during incidents and that reporting leads to actual outcomes against ransomware actors, such as cryptocurrency seizures, arrests or offensive cyber operations.

Recommendation 7: The NCSC and a UK insurer should trial integrating the NCSC’s Early Warning service into their ongoing assessments of policyholders. This would enable the insurer to distribute intelligence from Early Warning at scale and notify policyholders of potential ransomware attacks. The NCSC should also explore whether Early Warning will need to be expanded and adapted to meet the requirements of insurers and policyholders.

Recommendation 8: To deepen operational collaboration with the insurance industry, the NCSC should seek to recruit secondees from the cyber insurance industry into the Industry 100 cyber security secondment scheme. This should include identifying specific tasks and roles for underwriters, claims managers and incident response professionals working for UK insurers.
Recommendation 9: To increase reporting of ransom payments, the Home Office and NCA should ensure that existing financial crime reporting mechanisms – specifically, suspicious activity reports (SARs) – are fit for reporting ransom payments or money laundering linked to ransomware. Concurrently, the UK government should also identify ways to encourage cyber insurers to report ransom payments as SARs or through more informal channels.

Topics: Technology, Security and Intelligence; Cybercrime; Cyber Security and Resilience
Research Groups: Cyber Projects; Ransomware Harms and the Victim Experience

WRITTEN BY

* Jamie MacColl, Research Fellow (Cyber)
* James Sullivan, Director, Cyber Research (Cyber)
* Dr Jason R. C. Nurse, Associate Fellow; Associate Professor in Cyber Security, University of Kent
* Gareth Mott
* Sarah Turner
* Edward Cartwright
* Anna Cartwright