UK insurance associations join with NCSC to combat ransom payments, enhance cyber resilience

Three U.K. insurance associations have joined forces with GCHQ’s National Cyber Security Centre (NCSC) to collaborate on reducing ransom payments made by cybercrime victims. The new guidance aims to enhance market-wide ransomware discipline, disrupting the profitability of the ransom business model to minimize harm to victim organizations. The ‘unprecedented’ cross-sector partnership will bolster U.K.-wide cyber resilience, providing a robust response following a 2023 parliamentary review on ransomware.

The document titled ‘Guidance for organisations considering payment in ransomware incidents’ aims to minimize the overall impact of a ransomware incident on an organization. It also aims to help reduce disruption and cost to businesses, the number of ransoms paid by U.K. ransomware victims, and the size of ransoms where victims choose to pay.

The guidance addresses parliamentary recommendations made in December by the Joint Committee on the National Security Strategy (JCNSS) which called for ‘more detailed,’ accessible guidance ‘on how best to avoid the payment of ransoms after an attack.’ 

In its report, JCNSS acknowledges that cyber insurance could provide a ‘vital lifeline for ransomware victims,’ with this guidance deepening the important role the insurance industry can play as convenor of the incident response to help boost organizations’ resilience against ransomware.

“It’s really encouraging to see all corners of the insurance industry unite to support victim organizations with guidance that will help them to better understand their options and reduce harm and disruption to their businesses,” Felicity Oswald, NCSC CEO said in a media statement recently. “The NCSC does not encourage, endorse, or condone paying ransoms, and it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches. In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing.”

Oswald added that this cross-sector initiative is an excellent next step in foiling the ransom business model: “We’re proud to support work that will see cyber criminals’ wallets emptier and UK organizations more resilient.”

“We’re pleased to be working with NCSC, BIBA, and the IUA on strengthening cyber resilience and supporting customers affected by ransomware attacks,” said Mervyn Skeet, ABI director of general insurance policy. “Following the launch of our Cyber Safety Tool for SMEs last year, this collaborative guidance is another positive step towards tackling cybercrime across the UK, and we look forward to continuing to work with NCSC on this shared goal.”

“BIBA was proud to work with the ABI, IUA, and the NCSC on this important guidance,” said Shaune Worrall, BIBA deputy head of general insurance. “It could help businesses form their response to one of the greatest risks to their organization’s ability to trade: a ransomware attack.”

“The payment of ransoms in response to cyber attacks is on a downward trend globally,” said Helen Dalziel, IUA director of public policy. “Businesses are realizing that there are alternative options and this guidance further illustrates how firms can improve their operational resilience to resist criminal demands.”

The NCSC established the Cyber Insurance Industry Working Group (CIIWG) in 2023 to engage the government, academia, and the insurance industry on how to strengthen U.K. online resilience collectively. It also works to encourage organizations to be transparent about their experience with cyber attacks, especially when it comes to ransomware.

The CIIWG, and now this guidance, build on the recent, world-first agreement by the Counter Ransomware Initiative (CRI), whose member nations jointly denounced ransomware attacks and committed to work to undermine the profitability of the ransomware business model.

The guidance outlines that in the immediate aftermath, a ransomware attack can feel overwhelming. Ransomware actors know the tactics to use to pressure organizations into making quick decisions. But slowing down to review the options will improve decision-making and lead to a better outcome.

Decisions regarding payment should be based on a thorough understanding of the incident’s impact. Cybercriminals often advocate for payment as the sole solution for recovery. It is advisable to take the necessary time to explore available options. Viable backups might exist, or alternative methods could aid in the partial or complete recovery of systems and data. In some cases, decryption keys may be accessible through third parties, like law enforcement, who distribute them openly.

It also said that maintaining a detailed record of the incident response, decisions, actions, and data collected (or absent) is crucial for post-incident evaluations, learning from the experience, or providing evidence to a regulator. It is advisable to document decision-making offline or on systems unaffected by the incident.

The guidance identified that objective external experts such as insurers, the NCSC, law enforcement, or cyber incident response (CIR) companies experienced in handling ransomware incidents can enhance the decision-making process. The NCSC website features a list of CIR companies endorsed by the NCSC. Insurance providers usually suggest particular CIR companies. In the event of a cyber attack, it is advisable to inform the insurer or broker if cyber insurance is in place. Contact details or an app for after-hours support will be supplied. If the IT network is outsourced, engaging the IT provider is advisable.

It also called for involving the right people across the organization in decisions, including technical staff. Few scenarios engage senior business owners and decision-makers as swiftly as the decision on whether to pay a ransom. It is essential to ensure that the options are not presented prematurely and that the strongest possible evidence base is provided.

The guidance also emphasizes that organizations should investigate the root cause of the incident to prevent a recurrence. Making a payment without understanding the initial source of the compromise and implementing suitable mitigation measures exposes the organization to potential future incidents. While some ransomware attackers may claim to reveal the compromised details, it is essential to independently verify the information to ensure accuracy.

It also cautions about the lack of assurance that payment will grant access to devices or data. Even if a decryption key is obtained, the restoration of normal operations, especially for large organizations, is unlikely to be immediate. Decrypting data across intricate networks can be a time-consuming process. In cases where a victim organization possesses backups and a decryptor, utilizing backups may offer a faster resolution.

In March, the NCSC issued security guidance to assist organizations utilizing operational technology (OT) in assessing the feasibility of migrating their supervisory control and data acquisition (SCADA) systems to the cloud. The move encourages OT organizations to make a risk-informed decision on migrating SCADA solutions to the cloud, with cybersecurity as a key consideration.
