UK Conservatives Say 'No' to Cyber Insurance Backstop
Committee Chair Accuses UK of Favoring an 'Ostrich Strategy' for Ransomware
The Conservative government of British Prime Minister Rishi Sunak says it won't champion a reinsurance plan for cyber insurance similar to flood insurance, telling a parliamentary committee that it believes government action would "damage competition."
That and other responses to December recommendations by the Joint Committee on the National Security Strategy earned the government accusations of failing to grapple with the threat posed by ransomware.
"In its response to our ransomware report, it is ever clearer that the government does not know the extent or costs of cyberattacks across the country," said Margaret Beckett, a Labour member of parliament and committee chair. "If the government insists on operating the ostrich strategy for national cybersecurity, the U.K. is and will remain exposed and unprepared if it continues this approach to tackling ransomware."
After an apparent lull in 2022, global ransomware payments surged to record levels during 2023 as mainly Russian-speaking cyber criminal groups targeted scores of organizations, including critical services such as healthcare and public health agencies (see: Ransomware Attacks on Critical Infrastructure Are Surging).
U.K. victims affected by ransomware attacks during 2023 included the Royal Mail, at least two National Health Service ambulance services and the British Library.
At the conclusion of an investigation spanning more than a year, the parliamentary committee characterized the U.K. cyber insurance market as being "in an extremely poor state," in which insurers are raising premiums and, for those who can afford it, demand outstrips capacity (see: UK Downplays Ransomware Threat at Its Peril, Says Committee).
It suggested the government investigate a publicly funded backstop for cyber insurance. In its response, the government said it won't. "The government does not generally intervene in insurance markets as this could damage competition in the market," it told the committee.
The government also turned down a recommendation to elevate ransomware as an issue into the portfolio of the deputy prime minister, rather than the Home Office, which committee members said seemed little interested. "The Home Office will continue to lead and coordinate the cross-government ransomware work."
Sunak's government was noncommittal on a recommendation that it consider requiring all ransomware victims to notify authorities within three months of an incident. The government "is undertaking further work to increase reporting from organizations, including examining regulatory levers."
With regard to a suggestion that the National Crime Agency and the National Cyber Security Center establish an industry-led effort that provides free ransomware recovery assistance to charities and small businesses, the government said plenty of free resources are already available.