The Big Question: Is the UK ready to meet the threat of ransomware to British business?

The threat of ransomware attacks on businesses of all sizes has only been increasing and in the UK the government has been keen to look to enhance the country’s cyber-security systems.

Those efforts have been accompanied by a year-long enquiry into ransomware. The insurance industry is no stranger to the risks that come with cyber-crime. The growing demand from businesses for products to both mitigate the risks and enhance the response should they suffer a cyber-attack has challenged the market. The growing involvement of state actors has made the threat ever more complex.

The industry has worked hard to create a set of solutions for clients but like so many emerging risks the threats are evolving and continue to do so.

The response of government will be significant in the fight against cyber-crime including ransomware. Regulation and standards have to be established and the lengthening supply chains put businesses in the hands of the risk management systems of suppliers, some of which could be on the other side the world.

This week the Joint Committee on the National Security Strategy (JCNSS) published the Government’s Response to the ransomware inquiry and the conclusions were stark.

Ian Summers, Global Business Development Leader, AdvantageGo

Chair of the JCNSS, Dame Margaret Beckett MP, says the government has a lot to do if it is to truly tackle the threat posed by ransomware to the economy and UK business.

“Perhaps it is not surprising that Government is not focused on preparing for the acknowledged, extremely high risk of a destructive and ruinously costly cyber-attack on the UK,” she explains. “Despite its place at the top of the UK’s national risk register for years, our national response to the pandemic when it inevitably hit could fairly be categorised as shambolic.

“In the response to our ransomware report, it is ever clearer that Government does not know the extent or costs of cyber-attacks across the country – though we’re the third most cyber-attacked country in the world – nor does it have any intention of commensurately upping the stakes or resources in response.”

Beckett adds if the Government insists on operating the “ostrich strategy” for national cyber-security – based on legislation made before the internet arrived, “centred on a Department that seems to have difficulty mustering much interest in the issue”, and in stark contrast to the cyber-attackers who are so fantastically well co-ordinated and resourced – where is the pro-active national security response to protect the UK supposed to come from?

“The UK is and will remain exposed and unprepared if it continues this approach to tackling ransomware,” she warns. “This response from the Government is not the assurance the Committee sought or that the country needs, and all the responsible and coordinating Departments would benefit from going away and reconsidering how the UK is to defend against this most pernicious threat.”

She explains following the Government response, her Committee intends to continue to monitor and follow up on issues raised in its report, especially in the areas where well-founded recommendations to enhance critical elements of national security have been rejected out of hand.

“It will also encourage the successor Committee appointed after the upcoming General Election to continue to follow up and monitor progress against this report’s recommendations,” Beckett added.

In particular she says the committee is concerned the Government continues to insist that all is well in the regulatory model while the regulators charged with implementing it say limitations in their capabilities and in the regulations themselves, are preventing some of them from making full use of the powers they do have.  

“In all 42% of operators of essential services have said they don’t have the skills and capacity to deliver their obligations under the NIS Regulations. After a painfully delayed consultation the UK still continues to rely on an act of Parliament created before the advent of the internet itself as its main legislative tool against cyber-crime.”

On insurance Beckett adds: “The Government does not acknowledge how unaffordable the insurance market can be for some cyber-attack victims – local authorities and small companies are among the notable examples – and the Government does not agree that public intervention in this market is necessary,

“It instead suggests that the roll out of the National Cyber Strategy should begin to reduce claims and therefore lower premiums: despite the Committee’s report highlighting both the rapid recent growth of costly cyber-attacks and the Government’s lack of understanding of the frequency and type of attacks that are actually occurring or how often or what amounts of ransoms are being paid.”

She added during their enquiries the Committee has heard worrying evidence of exactly how unprepared and unsupported UK local authorities are in facing cyber-attacks that could cripple or temporarily cease essential local services – and that the Government is fully cognisant of this.

“But there is nothing in the response to address or assuage those concerns, there is no offer to counter the lack of resourcing and skills at local level; no offer of enhanced help for the responsible authorities or the populations that would be affected.”

Beckett concludes: “The Committee will seek to assess whether the assertions made by Government in rejecting key recommendations – that the National Cyber Strategy will reduce the number and size of cyber-attack insurance claims, obviating the need for Government intervention in the insurance market; that the fragmented approach to regulation and enforcement across Government is effective; that the proposed 21% resource uplift for the NCA is commensurate with the resource needed to tackle cyber-crime – are borne out in evidence, and continue to press for the recommended interventions to be implemented where it is not.”