top of page

UK Insurance and NCSC crackdown on ransomware payments

Three large UK Insurance companies have joined up with the National Cyber Security Centre with the aim of reducing ransomware payments by publishing new best practice guidance.

The Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA) and International Underwriting Association (IUA) have been encouraging victims to follow the NCSC advice against making ransomware payments.

Download PDF • 381KB

The new guidance features research from the Royal United Services Institute which makes new recommendations for insurers and the government to decrease the likelihood of a victim business paying a ransom following a ransomware attack.

The New NCSC guidance is not mandatory however it aims to prevent the likelihood of a business paying a ransom by educating them on the possible consequences of paying. The CEO of the NCSC Felicity Oswald comments that:

"Every ransom paid provides incentives for criminals to expand their activities. As a citizen or a consumer of a company’s services I don’t want organisations that I trust to be doing the equivalent of leaving a carrier bag full of used bank notes in a dark alley."  
The guidance reminds businesses that paying the ransom does not make the incident go away and in fact helps facilitate future attacks against other business organisations by proving that cyber attacks are profitable. In addition, the ICO has mentioned that they do not consider paying the ransom as risk mitigation and would not reduce any possible fine they might issue in the event of a data breach. The Guidance concludes that ultimately the decision to make a payment is up to the victim business however there are alternatives out there for them and that businesses with a valid cyber essentials certificate are 92% less likely to make an insurance claim”.

The NCSC and the insurance industry bodies recommend victim organisations review the following guidance before paying a ransom to a criminal group.

For further information on guidance for organisations considering payment in ransomware incidents, check out the NCSC's advice here:


bottom of page