The insurance industry has failed to keep up with the cyber risk environment, says the Royal United Services Institute for Defence and Security Studies in a June 2021 report. It offers 10 suggestions, which we include below with some UK-only information, such as specific government agencies, removed.
CNI readers will note the suggestion, seen more commonly in recent months, that ransomware payments be prohibited. Some of the recommendations in this report are similar to initiatives being taken up by a consortium of cyber insurance carriers, see more here.
Read the study here.
Recommendation 1: Insurers should collectively agree on a set of minimum security requirements as part of risk assessments for small and medium-sized enterprises (11–250 employees).
Recommendation 2: Cyber insurance carriers should explore partnerships with managed security service providers, cloud service providers and threat intelligence providers to gain access to additional sources of data (for example, beyond only external perimeter scans). In exchange, insurers can offer reduced premiums and other financial incentives to their customers.
Recommendation 3: The insurance industry should take a more collegial approach to data sharing.
Recommendation 4: The government and insurance regulators should review any current insurance regulation or legislation that impedes insurers collectively sharing data on cyber insurance incidents and claims, including confidentiality requirements in contracts.
Recommendation 5: The government should ensure mandatory breach notification data is made available to the insurance industry.
Recommendation 6: The government, underwriters and brokers should focus awareness and marketing campaigns around articulating and quantifying the financial costs of cyber risk to businesses and consumers.
Recommendation 7: The Cabinet Office and Crown Commercial Service should develop a policy and legal framework to mandate cyber insurance coverage for all government suppliers… (CIN note: Is this where CMMC and similar efforts by the U.S. government could end up? Perhaps not as a legal mandate, but as a best practice required by larger companies and critical infrastructure providers for their vendors.)
Recommendation 8: The government should help organisations identify cyber insurance products that drive cyber security best practices.
Recommendation 9: The Treasury, in coordination with the Bank of England and insurance industry stakeholders, should conduct a public study into the potential design and parameters of a government-backed financial backstop for cyber risk.
Recommendation 10: The National Security Secretariat should conduct an urgent policy review into the feasibility and suitability of banning ransom payments. The review should aim to produce actionable recommendations within three to six months and consult widely with relevant government departments, intelligence agencies, law enforcement and industry stakeholders. This should form part of a wider UK government review into policy options for combating ransomware.
Recommendation 11: The intelligence community, law enforcement and the insurance industry should establish a dedicated information-sharing partnership to exchange anonymised threat intelligence, incident response data and cryptocurrency payment data relating to ransomware attacks.
Recommendation 12: Insurers should specify that any ransomware coverage must contain a requirement for policyholders to notify the NCA and the NCSC in the event of an attack and before a ransom is paid.
Recommendation 13: The insurance industry should work with the NCSC and cyber security partners to create a set of minimum ransomware controls based on threat intelligence and insurers’ claims data. Insurance carriers should require these controls to be implemented as part of any ransomware coverage. These controls should include:
• Timely patching of critical vulnerabilities in external-facing IT infrastructure.
• Enabling multifactor authentication on remote-access services (such as remote desktop protocol instances).
• Limiting lateral movement by adopting network segmentation measures.
• Implementing procedures to ensure regular backups are created.