UK Targets Ransomware, Plans Ban on Paying Perpetrators

Recently, the UK government announced plans to tackle rampant ransomware, proposing a solution that bans certain entities from paying the perpetrators. Cyber extortionists using ransomware cost the UK economy millions of pounds each year.

According to Chainalysis, the total value of ransomware payments made globally was approximately $813 million (£652.7 million).

In the UK, it has been estimated that the average payment for ransomware is over £438,500.

The Home Office and National Cyber Security Centre propose that public sector bodies and operators of critical infrastructure, including the National Health System, local councils, and schools, would be banned from paying ransom demands. Reportedly, nearly three-quarters of consultation respondents showed support for the proposal. The goal is to make these targets less interesting to criminals.

Firms not covered by a mandatory payment ban would be required to communicate with the UK government, especially if they intend to pay the ransom.

Matthew Geyman, Managing Director of Intersys, a provider of cyber risk management solutions, says ransomware is probably the most serious organized cybercrime impacting organizations. The mandatory reporting and the ban on payments from the public sector are a defining moment in the fight against these nefarious activities.

“It also places fresh scrutiny on how the insurance sector approaches cyber risk. As attackers – often serious organised crime – shift focus to the private sector, insurers must reassess underwriting strategies to ensure organisations demonstrate robust cyber hygiene before cover is issued,” cautions Geyman.

Because ransomware is readily available on the dark web at low cost and takes minimal technical skill to use, the frequency of ransomware attacks is increasing. And even if payment is made, there is no guarantee that decryption will work or that the crooks will hold up their end of the bargain.

“This isn’t just about setting premiums – it’s about avoiding policy wordings or claims processes that could inadvertently facilitate ransom payments or be seen to endorse them. Clear boundaries are now essential. With tougher legislation on the horizon, insurers must double down on resilience-based underwriting and ensure clients are equipped to recover quickly and lawfully from an attack,” says Geyman. “The same principle applies internally: insurers must also strengthen their own cyber defences, as the risk of becoming a ransomware target is just as real for them as for their policyholders.”

 


