On May 14, 2024, the UK National Cyber Security Centre (“NCSC”) and three major UK insurance associations (Association of British Insurers (“ABI”), British Insurance Brokers’ Association (“BIBA”) and International Underwriting Association (“IUA”)) published joint guidance on the approach to ransom payments (the “Guidance”). The Guidance was prepared for businesses experiencing a ransomware attack with the aim of reducing the overall impact of the incident on the business. The Guidance is intended, among other things, to reduce the number of ransoms paid by ransomware victims in the UK, and the size of the ransoms paid in cases where the victims do elect to pay.
The Guidance provides details on “things to consider” when experiencing a ransomware attack. These include, but are not limited to:
- Consider alternatives to paying the ransom;
- Record important elements of the incident including decision-making, actions taken and data captured;
- Instruct and consult with experts;
- Assess the impact of paying a ransom on the business, e.g., with regard to business operations and finances;
- Consider the applicable legal and regulatory practices regarding payment; and
- Report the incident to the relevant authorities where required by law.