A world-famous think tank has called on the government to urgently investigate whether to ban ransom payments, as part of a shake-up of the cyber-insurance industry.
A new paper from the London-based Royal United Services Institute (RUSI), Cyber Insurance and the Cyber Security Challenge, noted that the insurance industry has yet to incentivize better security practices among organizations, as was hoped.
The most pressing challenge is ransomware, where reimbursements for policyholder payments to threat groups are widely seen as throwing fuel on the fire.
That’s why the report authors called on the government’s National Security Secretariat to conduct an urgent policy review into the “feasibility and sustainability” of banning payments altogether.
“The review should aim to produce actionable recommendations within three to six months and consult widely with relevant government departments, intelligence agencies, law enforcement and industry stakeholders,” it continued.
“This should form part of a wider UK government review into policy options for combating ransomware.”
However, RUSI also noted that such a policy might have unintended consequences, such as driving payments underground. It would also require exemptions for critical infrastructure providers, which could incentivize threat actors to go after these firms, the report warned.
An alternative would be for insurers to withdraw coverage for ransom payments themselves, as AXA did recently.
“However, the impact of this on ransomware operations may be more limited than some hope, given that one of the strongest incentives to pay — the need to maintain services — will still be strong for many victims,” the report explained.
“Moreover, given that the majority of organizations — at least outside the US — still do not have cyber-insurance coverage, it would likely not affect many ransomware victims.”
The report also argues that policymakers should look beyond banning ransom payments and foster greater collaboration between insurers and the National Cyber Security Centre (NCSC), government and law enforcement agencies.
It noted that insurers collect significant amounts of data on ransomware events that could help investigators — right down to the cryptocurrency wallets used by threat actors.
“In the short term, government and regulators should move quickly to pressure insurers to create contractual obligations that ensure that policyholders notify law enforcement immediately after an attack and before a ransom payment is made,” RUSI argued.
In the longer term, insurers can positively impact baseline security if they coordinate more closely with the NCSC and security partners to create a set of minimum ransomware controls to be written into policies.
This should include timely patching of bugs, multi-factor authentication (MFA), network segmentation, and regular backups, RUSI said.
The same idea should be used to improve broader cybersecurity among SMBs, by basing a minimum set of required controls on the government’s Cyber Essentials scheme, RUSI said.
Insurers could explore partnerships with managed security service providers, cloud service providers, and threat intelligence providers to improve their understanding of the threat landscape and individual policyholders’ security posture, the report added.
The government should ensure breach notification data is made available to the insurance industry, coordinate the creation of a cyber-insurance data-sharing exchange, and review any legislation that currently impedes information sharing, RUSI said.