Hostage to fortune report: ideas to combat ransomware
New Parliamentary report on ransomware has some eye-catching proposals


It has generated a few fleeting headlines, but I think it deserves more of a spotlight. In case you missed it, a very interesting report, “A Hostage to Fortune: Ransomware and UK national security”, was published on December 4th by the Joint Committee on the National Security Strategy (JCNSS). This is a UK Parliament body, made up of members of both Houses, set up in 2010 to consider National Security Strategies and to scrutinise the related policy areas, cross-government processes and structures. This report focuses on the state and impact of ransomware on the UK economy, on building resilience, and on suggested strategies to manage the threat.

If you haven’t got time to read the 76 page report, I have! Here are my main takeaways, especially with the perspective of the cyber insurance industry in mind.

Don’t have time to read this article? Here’s the digested read: the UK government is way off track in dealing with ransomware. But there are opportunities to close the gap with criminals, and a number of policy areas where improvements can be made.

Here are the key themes I pulled from the report, together with some closing thoughts on next steps for the cyber insurance industry.

  • No surprise to anyone in the space, but the threat is serious, and getting worse. Techniques are rapidly evolving, and technological advances are increasing the frequency and severity of the attacks.
  • Newer targets, such as cyber-physical system vulnerabilities and data corruption, are emerging as areas which require increased vigilance.
  • The most vulnerable areas include Critical National Infrastructure (CNI) and its supply chains, described as “the soft underbelly”, particularly because those supply chains often include SMEs, which are typically more vulnerable. Public sector entities (especially the NHS) have suffered from long-standing funding limitations and are vulnerable in many areas.
  • The National Cyber Security Centre (NCSC) has made some progress in producing public education and in coordinating across Government departments through the Cabinet Office.
  • Improvements to the regulatory requirements on CNI have stalled. There is a call for “a Cross-sector regulator on CNI cyber resilience… to make recommendations for investment and legislative reforms”. National exercises simulating ransomware attacks on CNI should be conducted in a more regular and structured manner.
  • There are numerous examples of devastating consequences, both primary (direct) and secondary (i.e. for those who rely on companies directly impacted). There is very limited state or police support. A key recommendation is for the NCSC to have the authority to act on behalf of public sector bodies in negotiations and recovery, supported by pro bono services from incident response providers.
  • Insurance has a fundamental role to play in improving cyber security standards, providing valuable recovery services, financial support, and specialist advice. When effective, it can be a “vital lifeline”. Greater government engagement is required to enable the continued development of the market. I explore this theme further on.
  • There is a case to be made for some type of reinsurance scheme to address market failures, based on the template of Flood Re.
  • There is compelling evidence that centralised reporting of ransomware attacks should be developed for the benefit of threat intelligence, together with anonymised public reporting.
  • There is limited political leadership in developing a long term, sustainable strategy on ransomware, whilst the Home Office prioritises other issues. Responsibility should move from the Home Office to the Cabinet Office, as part of a holistic security strategy.
  • The National Crime Agency needs dedicated funding to improve its ability to disrupt criminal actors. Additionally, significant legislative updates are required to the outdated Computer Misuse Act (1990). As a start, the theft and copying of data should be criminalised.
  • Governmental planning is poor. The government “knows that the possibility of a major ransomware attack is high, yet it is failing to invest sufficiently to prevent catastrophic costs later on”.

Government Backstop

One area worth exploring further is the implications for the cyber insurance industry. To quote the report more fully in this area:

“Cyber insurance can provide a vital lifeline for ransomware victims, offering the sort of support and technical advice not offered by state agencies, as well as driving up cyber security standards through conditions of coverage. Unfortunately, there remains a woeful lack of UK coverage: premiums are unaffordable for many organisations and have increased drastically in recent years. There are precedents for more extensive Government interventions, where market failures in insurance have wider societal implications [my emphasis]. Given the losses endured by ransomware victims and the costs to businesses and public finances, there is a strong economic case for the Government to do more. The Government should work with the insurance sector to establish a re-insurance scheme for major cyber-attacks, akin to Flood Re, to ensure the sustainability and accessibility of the market.”

The idea of governments as “insurer of last resort” is not new, and there are numerous examples of sustainable schemes, such as Pool Re for terrorism risk in the UK and the Terrorism Risk Insurance Program (TRIP) in the US. Discussions about some type of backstop for cyber risk are over 10 years old in policy circles, but it is only in recent years that these discussions have gained momentum, as recognition of the potentially systemic nature of cyber risk has grown. Indeed, in the US there has been public consultation on the topic, including a report by the Federal Insurance Office, part of the Treasury. From a personal perspective, I am broadly in favour of the concept, within certain parameters. As with any complex issue of this nature, there are several challenges to be mindful of in addressing the goal. These include:

  • Unintended consequences, such as creating an environment in which underwriting standards are weakened by the presence of a backstop.
  • Managing cross-jurisdictional exposures effectively, so that policyholders are not caught between different rules.
  • Setting the threshold for protection high enough that it does not distort market behaviour or encroach on the development of existing risk capital.
  • If there are substantial upfront costs, the scheme could draw negative attention from the media or from legislators who may prioritise other matters.

The benefits of an effective government scheme are substantial, providing increased resilience and security for the economy and wider society. It can also act to raise the baseline expectations of security standards and raise awareness of the threats which exist.

In conclusion, it is a timely report on an urgent matter of public interest. The insurance industry has an important role to play, both as a voice in the debate, and in contributing to the solutions.


Barry Rabkin

Begun work on my 2nd book. This one is focused on insurance and cyber. 1st book: “Stone Tablets to Satellites: The Continual Intimate but Awkward Relationship Between the Insurance Industry and Technology".

10 months

Good share ..

Reply
Manish Karir

Next Generation Cyber Risk Quantification

11 months

One element that I think often gets little attention in conversations around a government backstop is the concept of an emergency response capability for large scale catastrophic cyber events, similar to FEMA. A capability based on warehouses stocked with routers, network switches, pre-built racks of equipment, truckloads of laptops. Essentially an ability to bring up parallel infrastructure on site to provide disaster operational capability.
