Two UK insurance associations representing hundreds of prominent insurers say the government “must avoid a ban on ransomware payments” – despite critics saying such payments directly fund further cybercrime.
Aberdeen, AIG, Allianz, Aviva, and AXA are among the members – which manage investments of over £1.6 trillion – of the Association of British Insurers (ABI), which alongside the International Underwriting Association of London (IUA) urged policymakers on January 30 to avoid banning ransomware ransom payments.
A UK ban on ransomware payments would trigger “increased insolvencies and unemployment”, they said, adding — perhaps controversially and certainly hopefully — that “if a ban is considered the Government should be ready to step in and provide necessary relief for businesses who fall victim to a ransomware attack.”
The plea came in written evidence submitted to Parliament’s joint committee on National Security Strategy.
“There are limits to what the private sector alone can achieve on ransomware and it requires greater levels of Government intervention and investment. Crucially, Government must avoid a ban on ransomware payments, as this is likely to have an adverse effect on businesses affected by ransomware attacks, and should work with international partners towards global regulatory consistency and clarity on ransomware,” the two wrote.
The government advises against making ransomware payments, saying that they encourage repeat attacks and do not guarantee recovery of data. But it has so far stopped short of explicitly criminalising such payments.
In June 2022 however the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) took the unusual step of writing publicly to the Law Society to warn over “an increase in the number of ransomware attacks and ransom amounts being paid,” saying “we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay. It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”
The ICO’s position that “payment of ransom will not mitigate risk to individuals whose data has been encrypted and / or stolen by malicious third parties” is “one which we do not believe to be correct”, global law firm Norton Rose Fulbright LLP told Parliament bluntly this week, however: “Our experience, which is reflected in published research, suggests that payment of ransom does in the majority of cases prevent publication of data stolen by third parties, and often leads to stolen data being removed from third-party hands.
“It also usually leads to the provision of decryption keys which can be used to restore encrypted data where necessary (most notably, where backups are unavailable). This in turn mitigates risk to individuals whose data would otherwise have been published, sold or otherwise made available to potentially malicious third parties, or whose data would have remained inaccessible for the use of decryption keys. While it is not our role to encourage, endorse or condone the payment of ransom, we feel it is incumbent on us to ask that point be corrected by the ICO so that all stakeholders are provided with an evidence-based understanding of the competing risk considerations relating to the payment of ransom and the protection of individuals impacted by personal data breaches.”
(The submission came as Lloyd’s of London has told members that from March 2023, all standalone cyber insurance policies they underwrite “must exclude liability for losses arising from any state-backed cyber attack”. The 300-year-old organisation warned members in 2022 that cyber attack coverage “if not managed properly… has the potential to expose the market to systemic risks that syndicates could struggle to manage.”)
Insurers plead against ransomware payments ban
The ABI and IUA added: “The lack of data available to insurers to help them understand cyber risks remains an important hindrance to further growth of this market [and causes]… limitations in terms of the policy coverage that is able to be provided, given the requirements on insurers to prudently manage their potential exposure.”
The insurance associations’ joint submission comes weeks after a survey by insurance buyers Mactavish found that the “accessibility and quality of such cover [cyber insurance] is declining”. The group said on January 9 that “cyber remains perhaps the most harshly affected class in the ongoing insurance ‘hard market’. In addition to cost increases, most insureds are finding the information requirements and minimum IT security standards increasingly stringent when buying insurance cover. Where supported by a meaningful discussion of IT security, this is a very positive role that insurers can play to encourage risk management best practice.
“The most insidious effect of hard market conditions is neither price nor information, but narrowing coverage. Sometimes, this is obvious (such as reduced limits or outright unavailability of cyber business interruption cover for some sectors), but can take many forms,” said the independent UK insurance buyer.
These, Mactavish added in a whitepaper, include “shortened ‘indemnity periods’, multiple reduced sublimits, narrowing definitions of covered acts and/or systems, widened exclusions such as for legacy or ‘in development’ systems or software, co-insurance clauses for certain types of loss. All of this leaves the corporate paying more premium at the same time as retaining a far greater share of their financial risk.”