Insurance industry regulation is needed to mitigate ransomware attacks

Richard Massey, vice-president of sales EMEA at Arcserve, discusses the need for insurance sector regulation to mitigate ransomware attacks.

There is a growing need in the IT industry to ‘switch off the tap’ that is fuelling the increase in ransomware attacks. We continue to see the devastating impact that such attacks have on organisations, including the high-profile Colonial Pipeline attack that disrupted oil distribution across the east coast of the United States, as well as the crippling attack on Ireland’s healthcare systems. The UK too is under constant bombardment from malicious actors, with the education, healthcare and other critical sectors under immense pressure from ransomware.

In the case of the Colonial Pipeline attack, a payout was made to cyber criminals so the organisation could recover its systems and resume operating. High-profile ransom payouts such as this have provoked much controversy. Former UK Cybersecurity Chief, Ciaran Martin, advocated for legislation to be put in place to stop ransomware payouts, and this idea has been widely discussed since. Insurance companies are also finding the recent spate of ransomware attacks costly, having bumped up policy premiums by an average of 27%.

Ransom payments ultimately fund more attacks and enable bad actors to develop more sophisticated capabilities which help them avoid detection for longer periods of time. While insurers are undoubtedly vital in helping organisations to stay afloat following the hard-hitting financial and reputational costs of ransomware attacks, comprehensive insurance should under no circumstances be seen as a replacement for comprehensive cyber security. The time has come for governments around the world to pass legislation stipulating that organisations give cyber security and data protection serious consideration before insurers can agree to offering them cyber cover. With such legislation in place, insurers and organisations would share collective responsibility for ensuring companies’ IT systems are prepared for an attack.

Mandating stringent requirements that companies have to comply with before their cyber insurance policies are underwritten is a no brainer, since when companies fall victim to cyber attacks, it is often customers who suffer most. Often, the personal data of thousands or millions of people is leaked, and access to key services like healthcare or banking is put at risk. If the right procedures and tools are in place to prevent and mitigate the impact of ransomware, customers’ sensitive data will be collected and stored safely, and IT infrastructures will have the capabilities necessary to maintain business continuity.

Any legislation that is introduced will need to ensure that all trading businesses have met a minimum legal requirement in order to be covered by any cyber insurance. This sentiment has been echoed throughout the cyber security industry for some time, as organisations continue to underestimate cyber criminals and underprepare for attacks. So, what should legislation require companies to do before they’re eligible to claim on cyber insurance?

Insurtech disruption trends: is traditional insurance broken?

What are the main Insurtech disruption trends of 2021? In this article four of the UK’s leading insurtechs discuss the decline of traditional insurance and the rise of disruptive innovation in the sector. Read here

Back ups are essential to effective cyber security

At a minimum, any future legislation relating to cyber security insurance should require companies to protect and back up systems and data, as well as ensuring they have an effective cyber security solution in place to detect any known or unknown threats.

Today’s attackers are using strains such as the EKANS ransomware, which goes after a company’s data backups with the same hostility as its primary systems. Therefore, backups need to be treated as part of an organisation’s core infrastructure. They should be secured with the same, high standard of cyber security as primary systems to properly protect a businesses continuity and customer data.

Additionally, legislation would need to ensure a company’s data backup system follows the 3-2-1-1 rule. If followed to the letter, two identical copies of data should be stored alongside the original. These should be kept on two separate types of media, and one of those should be stored at an offsite location. Plus, one of these copies should be stored on an immutable storage solution, being on-prem or cloud based. With these measures in place, if the worst were to happen and systems became encrypted, an organisation would still be able to quickly and seamlessly recover its services and data.

Benefits of an all-in-one cyber security solution

Often, bad actors stay dormant in an organisation’s IT infrastructure whilst harvesting data and preparing for an attack. In order to protect against this eventuality, many large organisations are paying top prices for the best cyber security and data protection solutions. However, not all organisations have the resources to justify multiple expensive solutions, so the best approach is to seek an all-in-one encompassing solution that can be implemented with minimum hassle. This will ensure a high level of protection, and also offer organisations visibility into their threat landscape.

Implementing a cyber security solution that also provides protection for backups data ensures organisations can restore systems following a ransomware attack, thereby mitigating any serious consequences. Opting for a solution that continuously monitors back up images for any malicious code also means that organisations won’t inadvertently back up ransomware.

Today, ransomware is certainly the biggest threat facing organisations across the globe. In order to protect consumers in the UK, new cyber insurance legislation will help encourage greater organisational security. For some time now, experts have been urging companies to take security seriously, yet we’re still seeing increasing numbers of ransomware attack victims using their insurance as a safety net.

Any new regulation covering cyber insurance must ensure organisations adhere to the 3-2-1-1 rule and have fit-for-purpose data protection and cyber security solutions in place. By doing this, we’ll ensure that both businesses and customers are protected, and we’ll stem the flow of ransomware in the insurance space by cutting attackers’ main source of income — ransoms.

Written by Richard Massey, vice-president of sales EMEA at Arcserve

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at