Ransomware is a spiralling concern for all industries and sectors. This widely distributed criminal enterprise is continually escalating, and its attacks, which damage services, reputations and financial stability, have not escaped the attention of governments around the world.
In 2023, the UK government commissioned a study into the threat. On 11th March 2024, the Joint Committee on the National Security Strategy (JCNSS) published the Government’s Response to its year-long inquiry into ransomware. Within the response, the Chair of the JCNSS expressed concerns that the government is leaving the UK open to attack.
The JCNSS stated that there was a high risk of a “catastrophic” ransomware attack “at any moment”, while saying that Governmental planning is “lacking” and the UK remains a “hostage to fortune”. They also made clear recommendations to reduce the risk to essential services across the country.
It was unfortunate to see that the considered risk mitigants fell on deaf ears. Dame Margaret Beckett MP made clear her disapproval of the governmental response to the JCNSS paper – “…the Government insists on operating an ‘ostrich strategy’ for national cyber-security – based on legislation made before the internet arrived, centred on a Department that has little interest in the issue, and in stark contrast to the cyber-attackers who are so fantastically well co-ordinated and resourced.”
The threat landscape
It’s true that there is a real risk to society from the disruption of the digital systems that underpin modern life – from medical technology, to power generation and distribution, to logistics and local social services – all are wholly dependent on technical platforms for their operation and efficiency. Dame Beckett’s perception that more ‘immediate’ public issues, such as immigration, are taking focus away from the wider, more systemic threats sounds plausible – and entirely predictable for national politics.
The threat from ransomware is undoubtedly significant, especially as the UK is the third most cyber-attacked country in the world. Fortunately, the majority of UK organisations are awake to that; it’s just clear that some are more prepared than others. In sectors such as local government, where money can be tight, there are limitations which reduce resilience and increase risk.
As part of the response, the JCNSS paper calls for improvements to UK law. One is to update the antiquated Computer Misuse Act 1990 to make it applicable to modern threats, and to prevent the inadvertent criminalisation of threat intelligence researchers. Another is to increase investment in the NCA to enhance its capabilities to detect and disrupt attacks, and to support organisations in dealing with incidents as they happen.
Actionable insights
While the recommendations are not unreasonable, various other players could contribute to strengthening the UK’s cyber posture. The insurance industry, for example, could be incentivised to form a larger part of the solution. By legislating that (i) local services must assess their cyber risk, and pass on a defined, significant percentage of that to insurers and that (ii) insurers must keep premium requirements under a maximum headroom, you could create some positive outcomes:
- Insurers are very aware of the controls that are truly effective at minimising the ever-changing risk of ransomware, and other cyber-attacks, and this insight and information could be passed on to the local service.
- Compliance with these proposed controls would form a positive incentive loop for the local government service, reducing the cost of the policy.
- Insurers themselves are financially incentivised to step in and minimise the impact of any breach or outbreak; they can help minimise the business impact, negotiate the ransom, recover the service, and help with rebuilding any reputational damage.
- The insurers could also then take on the burden of centralised reporting of events, incidents and payments. This would enable the government to get accurate and timely data without having to spin up a new department to undertake this task.
- Insurers have access to toolsets which enable them to assess organisational risk. These solutions can provide technical assessments of vulnerabilities and comparative risk, which can feed back to the customer – to allow control improvement and risk reduction – and to the UK government, supporting them in understanding their widescale risk.
By taking the burden of strategic advice, technical control implementation and risk measurement, and placing it with the local government service in collaboration with its insurer, the NCA and NCSC could spend more time on systemic risk issues, cross-sector oversight and incident rehearsal. The Bank of England already runs regular exercises across the whole of the financial services sector, meaning there would undoubtedly be benefit from similar exercises in other verticals.
When it comes to cyber security, the ‘ostrich strategy’ rarely works. This is especially true when applied at a national level in a high-profile western economy. The failure to act is short-sighted, but understandable in a world driven by short-termism and populist politics – but it’s not sustainable. At some point, UK political leaders need to make the hard decisions to protect our society from these emerging threats. Leveraging the power of our insurance industry seems to offer a way to use pre-existing solutions to provide wider societal protection.