Cyber Insurance and the Ransomware Challenge

The cyber insurance industry has been heavily criticised for providing coverage for ransom payments. A frequent accusation, which has become close to perceived wisdom in policymaking and cyber security discussions on ransomware, is that cyber insurance has incentivised victims to pay a ransom following a cyber incident, rather than seek alternative remediation options. Over a 12-month research project, researchers from RUSI, the University of Kent, De Montfort University and Oxford Brookes University conducted a series of expert interviews and workshops to explore the relationship between cyber insurance and ransomware in depth. This paper argues that there is, in fact, no compelling evidence that victims with cyber insurance are much more likely to pay ransoms than those without. Ransomware remains one of the most persistent cyber threats facing the UK. Despite a range of government, law enforcement and even military cyber unit initiatives, ransomware remains lucrative for criminals. During this research, we identified three main drivers that ensure its continued success: A profitable business model that continues to find innovative ways to extort victims. Challenges around securing organisations of all sizes. The low costs and risks for cybercriminals involved in the ransomware ecosystem, both in terms of the barriers to entry and the prospect of punishment. Despite this perfect storm of factors, the cyber insurance industry has been singled out for criticism with the claim that it is funding organised cybercrime by covering ransom payments. In reality, cyber insurance’s influence on victim decision-making is considerably more nuanced than the public debate has captured so far. While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organisations with insurance has been overstated. However, the insurance industry could do much more to instil discipline in both insureds and the ransomware response ecosystem in relation to ransom payments to reduce cybercriminals’ profits. Insurers’ role as convenors of incident response services gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort. But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and shared best practices around ransomware response. This has not been helped by the UK government’s black-and-white position on ransom payments, which has created a vacuum of assurance and advice on best practices for ransom negotiations and payments. This paper does not advocate for an outright ban on ransom payments or for stopping insurers from providing coverage for them. Instead, it makes the case for interventions that would improve market-wide ransom discipline so that fewer victims pay ransoms, or pay lower demands. Ultimately, this involves creating more pathways for victims that do not result in ransom payments. Beyond ransom payments, cyber insurance has a growing role in raising cyber security standards, which could make it more difficult to successfully compromise victims and increase costs for ransomware operators. Successive years of losses from ransomware have led to more stringent security requirements and risk selection by underwriters. Although the overall effect of this on the frequency and severity of ransomware attacks remains to be seen, by linking improvements in security practices to coverage, cyber insurance is currently one of the few market-based levers for incentivising organisations to implement security controls and resilience measures. However, continued challenges around collecting and assessing reliable cyber risk and forensic claims data continue to place limits on the market’s effectiveness as a mechanism for reducing ransomware risk. This, along with cyber insurance’s low market penetration, makes clear that cyber insurance should not be treated as a substitute for the legislation and regulation required to improve minimum cyber security standards and resilience. Insurers are also commercial entities that primarily exist to help organisations transfer risk, rather than to improve national security and societal cyber resilience. The cyber insurance industry could be a valuable partner for the UK government through increased ransomware attack and payment reporting, sharing aggregated claims data, and distributing National Cyber Security Centre (NCSC) guidance and intelligence to organisations. However, the government has not made a compelling enough case to insurers and insureds about the benefits of doing so. Instead, it has relied on appealing to their general sense of altruism. While insurers will benefit if governments are able to generate more accurate and actionable data on ransomware, albeit indirectly, this needs to be sold to the industry in a more convincing way. Some principles and recommendations for both the insurance industry and the UK government are listed below. These are not designed to solve all the challenges of the cyber insurance market, nor do they present wide-ranging solutions to the ransomware challenge. Instead, they focus on where the cyber insurance industry can have the most impact on key ransomware drivers. This reflects the fact that disrupting the ransomware economy involves applying pressure from different angles in a whole-of-society approach. The recommendations also start from the position that the UK government’s light-touch approach is unsustainable and requires more intervention in private markets that are involved in ransomware prevention and response. While they are specifically aimed at UK policymakers, regulators and insurers, they may be applicable to other national contexts. Recommendations Recommendation 1: To increase oversight of ransomware response, insurers should use policy language to require that insureds and incident response firms provide written evidence of negotiation strategies and outcomes. Recommendation 2: To develop and drive ransomware response best practices across the market, insurers should select specialist ransomware response firms for panels that meet a set of pre-defined minimum requirements. These should include: A proven track record of both regularly achieving outcomes that do not result in ransom payments, and of operational relationships with law enforcement and cyber security agencies. Conducting sanctions risk assessments. Compliance with anti-money laundering laws and FATF (Financial Action Task Force) standards. Ensuring payment firms that make payments on behalf of UK victims are registered with relevant financial authorities in the UK. Recommendation 3: The UK government should commission a study to improve its understanding of specialist ransomware response firms. This should aim to identify common best practices and key market players, and create a framework for benchmarking the quality of their services and products. These findings can be distributed to trusted partners in the insurance industry. To drive best practices in ransomware response and create more oversight of the incident response ecosystem, the NCSC, National Crime Agency (NCA) and international partners should also explore the feasibility and potential implications of creating a dedicated assurance scheme for firms that provide specialist ransomware services such as decryption, recovery, negotiations and payments. Recommendation 4: To increase reporting of ransom payments, the UK government and international partners should explore creating a dedicated licensing regime for firms that facilitate cryptocurrency payments on behalf of ransomware victims. In the short-term, the UK government should follow the example set by the US government and also ensure that ransomware response firms that facilitate payments are registered as money service businesses in the UK and therefore subject to national financial crime reporting requirements. Recommendation 5: To reach a market-wide consensus on what constitutes a reasonable last resort before a ransom payment is made, insurers should agree on a set of minimum conditions and obligations in ransomware coverage to ensure alternatives are explored first. These should include sanctions due diligence, a requirement to notify law enforcement and written evidence that all options have been exhausted. Recommendation 6: To increase ransomware reporting and ensure victims are able to access any relevant law enforcement and NCSC support, insurers should specify that any ransomware coverage must contain a requirement for policyholders to notify Action Fraud (the UK’s national centre for reporting fraud and cybercrime) and the NCSC before a ransom is paid. If there is no progress on this recommendation without intervention, then regulators should intervene to compel insurers to include this obligation in coverage. However, this recommendation also depends on the implementation of long-promised but delayed reforms to Action Fraud. These should include creating a dedicated category for reporting ransomware. Law enforcement and the NCSC must also provide assurances to insurers that they have the capabilities to support victims during incidents and that reporting leads to actual outcomes against ransomware actors, such as cryptocurrency seizures, arrests or offensive cyber operations. Recommendation 7: The NCSC and a UK insurer should trial integrating the NCSC’s Early Warning service into their ongoing assessments of policyholders. This would enable the insurer to distribute intelligence from Early Warning at scale and notify policyholders of potential ransomware attacks. The NCSC should also explore whether Early Warning will need to be expanded and adapted to meet the requirements of insurers and policyholders. Recommendation 8: To deepen operational collaboration with the insurance industry, the NCSC should seek to recruit secondees from the cyber insurance industry into the Industry 100 cyber security secondment scheme. This should include identifying specific tasks and roles for underwriters, claims managers and incident response professionals working for UK insurers. Recommendation 9: To increase reporting of ransom payments, the Home Office and NCA should ensure that existing financial crime reporting mechanisms – specifically, suspicious activity reports (SARs) – are fit for reporting ransom payments or money laundering linked to ransomware. Concurrently, the UK government should also identify ways to encourage cyber insurers to report ransom payments as SARs or through more informal channels

FINANCIAL CONSEQUENCES OF CYBER ATTACKS LEADING TO DATA BREACHES IN HEALTHCARE SECTOR

Healthcare sector is identified as particularly vulnerable to digital data breaches and damages caused by illegal use of personal and confidential information. Facing such dangerous threat medical entities need to estimate financial consequences of potential cyber attack leading to a breach of patients’ data. The paper’s aim is to provide an overview of the consequences of digital data breach in healthcare sector and their financial impact – comparing Polish and global perspective. The research method used was analysis and comparison of international literature, reports, case studies, statistics concerning data breaches in healthcare sector as well as new legal regulations applicable in European Union. The results of the research show that estimations of total digital data breach costs vary widely among various reports and analysis. The main reasons are application of different methods of estimation and lack of complete and reliable databases due to insufficient disclosure of cyber incidents. In addition, the most important conclusion of the paper is that there is an urgent need to conduct research concerning probable data breach costs in Polish healthcare sector, since studies pursued by renowned organisations have not covered Poland so far.</p

Cyber security in the age of COVID-19:a timeline and analysis of cyber-crime and cyber-attacks during the pandemic

The COVID-19 pandemic was a remarkable, unprecedented event which altered the lives of billions of citizens globally resulting in what became commonly referred to as the new-normal in terms of societal norms and the way we live and work. Aside from the extraordinary impact on society and business as a whole, the pandemic generated a set of unique cyber-crime related circumstances which also affected society and business. The increased anxiety caused by the pandemic heightened the likelihood of cyber-attacks succeeding corresponding with an increase in the number and range of cyber-attacks.This paper analyses the COVID-19 pandemic from a cyber-crime perspective and highlights the range of cyber- attacks experienced globally during the pandemic. Cyber- attacks are analysed and considered within the context of key global events to reveal the modus-operandi of cyber- attack campaigns. The analysis shows how following what appeared to be large gaps between the initial outbreak of the pandemic in China and the first COVID-19 related cyber-attack, attacks steadily became much more prevalent to the point that on some days, three or four unique cyber- attacks were being reported. The analysis proceeds to utilise the UK as a case study to demonstrate how cyber-criminals leveraged salient events and governmental announcements to carefully craft and execute cyber-crime campaigns

Ransomware: Victim Insights on Harms to Individuals, Organisations and Society

Ransomware incidents remain a scourge on UK society. Based on interviews with victims and incident responders, this paper outlines the harm ransomware causes to organisations, individuals, the UK economy, national security and wider society. The research reveals a wide range of harms caused by ransomware, including physical, financial, reputational, psychological and social harms. We set out a framework of: First-order harms: Harms to any organisation and their staff directly targeted by a ransomware operation. Second-order harms: Harms to any organisation or individuals that are indirectly affected by a ransomware incident. Third-order harms: The cumulative effect of ransomware incidents on wider society, the economy and national security. Building on an existing taxonomy of cyber harms, 1. this framework will enable policymakers, practitioners and researchers to categorise more case studies on ransomware incidents and to better explain new and existing types of harm to the UK and other countries. Ransomware is a risk for organisations of all sizes. The findings from this paper highlight that ransomware can create significant financial costs and losses for organisations, which in some cases can threaten their very existence. Ransomware can also create reputational harm for businesses that rely on continuous operations or hold very sensitive data – although customers and the general public can be more forgiving than some victims believe. The harms from ransomware go beyond financial and reputational costs for organisations. Interviews with victims and incident responders revealed that ransomware creates physical and psychological harms for individuals and groups, including members of staff, healthcare patients and schoolchildren. Ransomware can ruin lives. Incidents highlighted in this paper have caused individuals to lose their jobs, evoked feelings of shame and self-blame, extended to private and family life, and contributed to serious health issues. The harm and cumulative effects caused by ransomware attacks have implications for wider society and national security, including supply chain disruption, a loss of trust in law enforcement, reduced faith in public services, and the normalisation of cybercrime. Ransomware also creates a strategic advantage for the hostile states harbouring the cyber-criminals who conduct such operations. Downstream harm to individuals from ransomware is more severe when attacks encrypt IT infrastructure, rather than steal and leak data. There is no evidence from this research that the ransomware ecosystem is exploiting stolen or leaked personal data in a systemic way for fraud or other financially motivated cybercrimes. At present, exploiting stolen data for other activities is less profitable than extortion-based crime that takes away victims’ access to their systems and data. This finding may inform victim decision-making on when they should and should not consider paying a ransom demand

Health information technology and digital innovation for national learning health and care systems

Health information technology can support the development of national learning health and care systems, which can be defined as health and care systems that continuously use data-enabled infrastructure to support policy and planning, public health, and personalisation of care. The COVID-19 pandemic has offered an opportunity to assess how well equipped the UK is to leverage health information technology and apply the principles of a national learning health and care system in response to a major public health shock. With the experience acquired during the pandemic, each country within the UK should now re-evaluate their digital health and care strategies. After leaving the EU, UK countries now need to decide to what extent they wish to engage with European efforts to promote interoperability between electronic health records. Major priorities for strengthening health information technology in the UK include achieving the optimal balance between top-down and bottom-up implementation, improving usability and interoperability, developing capacity for handling, processing, and analysing data, addressing privacy and security concerns, and encouraging digital inclusivity. Current and future opportunities include integrating electronic health records across health and care providers, investing in health data science research, generating real-world data, developing artificial intelligence and robotics, and facilitating public–private partnerships. Many ethical challenges and unintended consequences of implementation of health information technology exist. To address these, there is a need to develop regulatory frameworks for the development, management, and procurement of artificial intelligence and health information technology systems, create public–private partnerships, and ethically and safely apply artificial intelligence in the National Health Service

Successful Operational Cyber Security Strategies for Small Businesses

Cybercriminals threaten strategic and efficient use of the Internet within the business environment. Each year, cybercrimes in the United States cost business leaders approximately $6 billion, and globally,$445 billion. The purpose of this multiple case study was to explore the operational strategies chief information security officers of high-technology companies used to protect their businesses from cyberattacks. Organizational learning theory was the conceptual framework for the study. The population of the study was 3 high-technology business owners operating in Florida who have Internet expertise and successfully protected their businesses from cyberattacks. Member checking and methodological triangulation were used to valid the data gathered through semistructured interviews, a review of company websites, and social media pages. Data were analyzed using thematic analysis, which supported the identification of 4 themes: effective leadership, cybersecurity awareness, reliance on third-party vendors, and cybersecurity training. The implications of this study for positive social change include a safe and secure environment for conducting electronic transactions, which may result in increased business and consumer confidence strengthened by the protection of personal and confidential information. The creation and sustainability of a safe Internet environment may lead to increased usage and trust in online business activities, leading to greater online business through consumer confidence and communication

Archives and Records

This open access book addresses the protection of privacy and personality rights in public records, records management, historical sources, and archives; and historical and current access to them in a broad international comparative perspective. Considering the question “can archiving pose a security risk to the protection of sensitive data and human rights?”, it analyses data security and presents several significant cases of the misuse of sensitive personal data, such as census data or medical records. It examines archival inflation and the minimisation and reduction of data in public records and archives, including data anonymisation and pseudonymisation, and the risks of deanonymisation and reidentification of persons. The book looks at post-mortem privacy protection, the relationship of the right to know and the right to be forgotten and introduces a specific model of four categories of the right to be forgotten. In its conclusion, the book presents a set of recommendations for archives and records management

Best Practices and Recommendations for Cybersecurity Service Providers

This chapter outlines some concrete best practices and recommendations for cybersecurity service providers, with a focus on data sharing, data protection and penetration testing. Based on a brief outline of dilemmas that cybersecurity service providers may experience in their daily operations, it discusses data handling policies and practices of cybersecurity vendors along the following five topics: customer data handling; information about breaches; threat intelligence; vulnerability-related information; and data involved when collaborating with peers, CERTs, cybersecurity research groups, etc. There is, furthermore, a discussion of specific issues of penetration testing such as customer recruitment and execution as well as the supervision and governance of penetration testing. The chapter closes with some general recommendations regarding improving the ethical decision-making procedures of private cybersecurity service providers