A collaborative research project co-led by Kent Cyber Security expert, Dr Jason Nurse, has informed a new National Security Strategy report into the threat of ransomware. The report titled ‘A hostage to fortune: ransomware and UK national security’ was commissioned by the Joint Committee on the National Security Strategy (appointed by the House of Lords and the House of Commons).
The research project was funded by the UK’s National Cyber Security Centre (NCSC) and Research Institute for Sociotechnical Cyber Security (RISCS), and offered substantial new insights and analysis into the complex question of whether cyber insurance can help organisations mitigate the threat of ransomware, particularly its impacts.
The research team found that ransomware has been a key cause of the ‘hardening’ of the cyber insurance market, which is exhibited at almost all levels of the market. Such hardening has been beneficial in raising the security standards required prior to purchase, yet it has also created a situation where some organisations may not be able to acquire viable cyber insurance at all. Cyber insurance has become increasingly inaccessible as cyber insurers reassess their risk exposure to ransomware and apply greater scrutiny to their portfolios.
The research also revealed a split in the ongoing debate about banning payments to ransomware gangs, with opinion slightly favouring not banning ransom payments. However, there was near-uniform consensus that, were a ban to be implemented, it should cover all payments of ransoms, rather than specifically cover insurance reimbursement of ransom payments.
Dr Nurse, who is Reader in Cyber Security at the School of Computing and Public Engagement lead for the Institute of Cyber Security for Society (iCSS), said: ‘Cyber insurance and ransomware are two of the most studied areas within security research and practice to date, and their interplay continues to raise concerns in industry and government.
‘For small-to-medium-sized businesses (SMEs) and other organisations with limited financial reserves, cyber insurance may be the only viable means of offsetting the financial risks of a potential ransomware breach. Yet, our research identified that with cyber insurance becoming more and more inaccessible, consumers are increasingly finding the renewal process to be a ‘dragons den’ experience. This is concerning as insurance plays a vital role in mitigating the ransomware threat for those that can access it, alongside a wider basket of actions that must also come from involved stakeholders.’
The JCNSS report ‘A hostage to fortune: ransomware and UK national security’ is available on the UK Parliament website.
The research paper which summarises the work from the project is titled ‘Between a rock and a hard(ening) place: Cyber insurance in the ransomware era’ and is published in the Computers & Security Journal. doi: 10.1016/j.cose.2023.103162
The University-wide and cross-disciplinary Institute of Cyber Security for Society (iCSS) is one of 19 Academic Centres of Excellence in Cyber Security Research (ACEs-CSR), jointly recognised by the National Cyber Security Centre (NCSC) and the Engineering and Physical Sciences Research Council. In 2023, it was recognised by the NCSC as an Academic Centre of Excellence in Cyber Security Education (ACE-CSE) with a Gold Award. Kent is now one of only 12 ACEs-CSE in the UK to obtain Gold status.
iCSS promotes wide-ranging interdisciplinary research in cyber security and helps enhance the cyber security skills and awareness of Kent students and the wider community. This is achieved through a diverse range of cyber security activities, including research, educational activities, professional training, industrial consultancies, expert talks and media communications. iCSS’ external partnerships with industries, governmental bodies and non-governmental organisations (NGOs) enable its researchers to develop wide-ranging collaborations with the cyber security community in the UK and worldwide.