NCSC and insurers unite to fight ransomware threat

First rule: 'Don't panic'

The National Cyber Security Centre (NCSC) has joined forces with three prominent insurance associations to combat the growing threat of ransomware in the UK.

The combined effort, which involves the Association of British Insurers (ABI), the British Insurance Brokers' Association (BIBA) and the International Underwriting Association (IUA), was unveiled on the inaugural day of the NCSC's annual CyberUK event on Tuesday.

At the heart of the initiative lies guidance stemming from a 2023 research paper [pdf] by the Royal United Services Institute (RUSI), offering a framework organisations can use to make more informed decisions in the event of a ransomware attack.

"I am delighted to announce that we are publishing, today, guidance that we hope will reduce the number of ransoms being paid by UK ransomware victims," NCSC CEO Felicity Oswald said in keynote speech at CyberUK.

Ransomware, identified as the most prevalent cyber threat confronting UK organisations, continues to evolve in sophistication and scale.

The NCSC strongly discourages ransom payments, citing their ineffectiveness in resolving incidents and deterring future attacks.

Paying a ransom increases the likelihood of future attacks, as it funds criminals' future endeavours.

Even after payments are made, cybercriminals often back out on their promises to delete stolen data, continuing the cycle of extortion and exploitation.

"It is a dangerous misconception that paying a ransom guarantees the end of an incident. It doesn't. And every ransom paid provides incentives for criminals to expand their activities," Oswald said.

To navigate a ransomware attack, the new guidance advises victim organisations to:

• Not panic
• Review alternatives, including not paying
• Record decision-making
• Consult experts where possible
• Involve the right people across the organisation in decisions, including technical staff
• Assess the impact of the incident
• Investigate the root cause of the incident to avoid a repeat attack
• Be aware that payment does not guarantee access to devices or data
• Consider the correct legal and regulatory practice around payment
• Know that paying a ransom does not fulfil regulatory obligations
• Report the incident to UK authorities

The new effort by NCSC and insurance associations directly addresses recent recommendations from the Joint Committee on the National Security Strategy (JCNSS). The JCNSS called for "more detailed" and accessible guidance to help organisations avoid succumbing to ransom demands.

Raghu Nandakumara, head of industry solutions at Illumio, welcomed the new guidance, but added, "We also need to see more guidance to help businesses build resilience and contain attacks. More often than not, recovery plans are inadequate or have not been properly tested, which makes them unviable when a real incident does occur. As a result, organisations are left with no choice but to pay the ransom to restore operations and productivity levels as quickly as possible.

"The NCSC should encourage businesses to adopt an 'assume attack' mindset. This is not admitting defeat, instead it focuses on preparing to respond effectively to a cyber incident and building resilience."

Computing says:

Cyber insurance is still poorly understood, even among IT staff, so it's good to see insurers working with the NCSC on this guidance. Too many people still think the only point of insurance is to pay ransoms - a practice that could be outlawed - as discussions at our Cyber Security Festival this month showed. It actually provides a range of benefits, including but not limited to expertise and assistance in dealing with the fallout of a cyber attack.

Jason Ozin, CISO at PIB Insurance (which is not a cyber insurer), talked extensively about cyber insurance at the Cyber Security Festival, including giving attendees advice on lowering cyber insurance premiums.