

Joint Committee on the National Security Strategy

Oral evidence: Ransomware

Monday 3 March 2025

4.30 pm



Members present: Matt Western (The Chair); Lord Boateng; Lord Browne of Ladyton; Bill Esterson; Baroness Fall; Lord Hutton of Furness; Baroness Kidron; Sir Julian Lewis; Mike Martin; Edward Morello; Lord Robathan; Lord Sedwill; Tanmanjeet Singh Dhesi; Derek Twigg; Baroness Tyler of Enfield.

Evidence Session No. 1 | Heard in Public | Questions 1 - 11


Witnesses

I: Jamie MacColl, Research Fellow in Cyber Threats, RUSI; Kelly Butler, Head of UK Cyber, Marsh; Professor Sadie Creese, Professor of Cybersecurity, University of Oxford.

Examination of witnesses

Jamie MacColl, Kelly Butler and Professor Sadie Creese.

Q1 The Chair: Welcome to the first oral evidence session of the Joint Committee on the National Security Strategy. Today’s session is looking at two related subjects. First, we will be looking into ransomware. In our second session, we will move into offensive cyber. Can I start by asking our witnesses to introduce themselves—first, those in the room?

Kelly Butler: I am a managing director at Marsh, and head of our UK cyber practice.

Jamie MacColl: I am a research fellow at the Royal United Services Institute. Thank you very much for having me today. I also gave evidence to the main inquiry on ransomware in 2023.

The Chair: And virtually?

Professor Sadie Creese: I am a professor of cybersecurity at the University of Oxford, based in the Department of Computer Science.

The Chair: Terrific. Thank you for joining us today. Can I start the questions by just posing a more general opening remark? That is about the surge that we have seen in attacks since 2021. I am interested to know to what extent we have seen a change in the type of attacks that we are experiencing, or any changes in terms of those being targeted in the last couple of years or so.

Kelly Butler: Ransomware continues to boom despite increased law enforcement efforts. It is complex. It is a criminal ecosystem focused on maximising financial returns with minimal efforts. We continue to see a rise in this area. Namely, in the last couple of years, we have really seen it more targeted towards the SME sector as well. As organisations increase their cybersecurity and are better at mitigating the impacts of a ransomware event happening within organisations, we have certainly seen a change in tactics in targeting those who are more vulnerable.

Professor Sadie Creese: In addition to that, I would note that we are also seeing an upsurge in targets of our supply chains. By that, I mean attempts to place malicious software or hardware into our environments by virtue of what we procure in terms of service and technology. It is particularly challenging to defend against that, especially where the effectiveness of attackers’ strategies is based upon leveraging trust relationships that we have—we trust that supplier, we trust that technology, we often buy it. We have seen examples of malware being placed inside those supply chains, and we lack some of the scrutiny that we would normally have, which is making organisations fall victim to this kind of attack.

The Chair: Jamie, which are the new emerging actors out there that we should be most concerned by?

Jamie MacColl: To be honest, the actors have mostly been the same since 2021. The threat and the core ransomware business model or operating model has not changed. It has not had to, because it has remained profitable for four years. They remain effective at compromising victims in all sectors and of all sizes and being able to extort them.

I will make a few comments on how the ecosystem has changed a bit, even if the business model or operating model has not. A couple of years ago, when the inquiry started, there were a lot of ransomware enterprises—“groups” is the wrong word—made up of lots of people, which were responsible for a significant portion of ransomware attacks.

That has changed. The ecosystem has become more fragmented. That is partly in response to disruptions from law enforcement, but also some of these groups just imploding as criminals fall out with one another. Because the ecosystem that we have now is more fragmented, there are arguably fewer norms and rules that govern their behaviour. There are more lone wolves who may be prepared to compromise targets that, historically, some groups may have eschewed—hospitals, schools and that kind of thing.

Disruptions from Government and law enforcement have been good and have probably decreased the frequency of attacks, but they have displaced the problem and we now have this fragmented criminal ecosystem that is arguably more dangerous.

Q2 Tanmanjeet Singh Dhesi: How would you rate the Government’s progress in tackling ransomware since our predecessor Joint Committee on the National Security Strategy published its report in 2023?

Jamie MacColl: The operational response has been quite positive, particularly from law enforcement in the UK, the US and Australia. As I mentioned, we have seen several quite prominent disruption operations, the most obvious example being Operation Cronos last year, which is when the National Crime Agency got access to the system of the LockBit ransomware group, which, at the time was the most prolific ransomware group, both in terms of the frequency of attacks and the volume of ransom payments that they were getting. It got access to their infrastructure, unmasked the criminals and sanctioned them, which really broke the business model of LockBit. There are success stories such as that.

In terms of policy, until the consultation, which I hope we will talk about today, there has not been anything significant since the last inquiry report.

Professor Sadie Creese: I do not have much to add, apart from that the recent report on cyber resilience, created by the National Audit Office on behalf of the Cabinet Office, which has a ransomware component, was an excellent piece of work. To a certain extent, it does deliver some insight that is actionable. In addition to the law enforcement progress that Jamie has highlighted, this represents a substantive piece of work upon which more could be based.

Tanmanjeet Singh Dhesi: Ms Butler, the Cyber Monitoring Centre, which is a non-government body, stated that it will now start rating the severity of cyber events as they happen. Surely the National Cyber Security Centre should already have been doing that, do you not think?

Kelly Butler: Yes, absolutely, and I know that a big body of work has been done globally in relation to looking to rate catastrophic or systemic incidents within the ecosystem that we are seeing here today. The Cyber Monitoring Centre, which Jamie has been very involved in, has now come to a base level in regard to categorisation and would be looking to roll that out shortly.

Jamie MacColl: The UK Government have a categorisation system, which I think is a scale of 1 to 7; if I am wrong on that, maybe one of my fellow evidence-givers can weigh in. That is more to guide the Government and law enforcement response. It is to help allocate resources, not to put a financial figure on the impact of an incident.

Tanmanjeet Singh Dhesi: Professor Creese, do you agree with my statement?

Professor Sadie Creese: Could you repeat your statement, please?

Tanmanjeet Singh Dhesi: Basically, the Cyber Monitoring Centre has said that it is going to start rating the severity of cyber events. Should the NCSC not have already been doing that?

Professor Sadie Creese: As Mr MacColl has pointed out, the NCSC has been rating things for its own purposes for some time. My understanding is that that is working effectively for it, because it is used to determine what level of response it would give to the victims, and what the nature of that response should be. The work of the Cyber Monitoring Centre is targeting a different kind of knowledge, and it is incredibly important for us to understand what the potential breadth and scale of harm might be.

I am not sure that I would completely agree with your statement that the NCSC should have been doing this, but I would agree that it is a need that we have. It would have been nice for it to have been started sooner, but it is now happening, which is good.

Q3 Baroness Kidron: It is interesting that all of you have already spoken about the fragmentation of targets. I am interested to hear from you as to whether a payment ban on public service organisations will achieve the Government’s idea of making them less attractive and fragment further, or are we going to see no change?

Jamie MacColl: The Government’s current proposal in the consultation would cover public sector organisations or regulated private sector critical national infrastructure. My personal view is that it will not significantly deter attacks against the UK, because, as I said, it is an opportunistic crime. When we use words such as, “They have targeted a specific organisation”, that is not actually what they have done. They are scanning the internet and looking for vulnerabilities. They are purchasing stolen credentials off the dark web. It is a crime of vulnerability and opportunity. It is not as purposeful as we often understand.

Kelly Butler: Although Marsh McLennan supports the Government’s effort to combat ransomware, I completely agree with Mr MacColl’s comments. The topic is really complex. We would mostly agree that paying ransom is not a desirable outcome, but the question is whether a hardline ban will help reduce ransomware, and we have our doubts on that.

Baroness Kidron: Is there any negative effect from a hardline ban at this time?

Kelly Butler: It certainly could place a target on the backs of critical infrastructure in general, and particularly small and medium-sized enterprises, as we mentioned before, which probably do not have the resources and the resilience built into their business.

Professor Sadie Creese: As colleagues have said, it is complex. One thing that is for certain is that ransomware is primarily driven by extorting and making money. If you can implement a ban whereby nobody pays the money, I am sure that that would deter from that particular sector, but it does not get rid of the threat actors. That is the point that my colleagues are making. They will go elsewhere to make their money, so we would be pushing targets on to other potential victims. On that basis, we would certainly have a moral responsibility to ensure that support is put in place for those that might become more likely targeted.

The other thing to note is that a hardline ban also necessitates that we ensure that those organisations can continue to operate. In some cases, you may be facing a human life risk if those systems cannot continue to operate. That kind of mechanism will need to be supported by other mechanisms to ensure that those sectors that do not pay have an ability to continue to deliver service as is necessary, and that those that are not covered by the ban are supported when they are more likely to be targeted, because the threat actors will remain.

Baroness Kidron: Can I push you a bit and just hear whether you think the ban is a bad idea, or are you saying that a targeted ban of this kind requires a big wraparound that is not in the proposal currently?

Professor Sadie Creese: I would push for deeper consideration of the wraparound. I would not rule it out right now.

Q4 Baroness Fall: Following on from that conversation, you have mentioned critical infrastructure. Let us add to that the supply chain. You are saying that there is an issue around preparedness and mitigation. Some of these people suffer real reputational cost when they are attacked as well. Often, if they are in the private sector, they would rather pay the money, frankly, than have the headache. Would such a ban work on supply chain and critical infrastructure? Connected to that, you are talking very much about those who go for profit, but there are some, presumably, who may be state actors.

Jamie MacColl: I just want to say something finally on the ban, which is that there are two separate things. The first is about whether it will deter attacks, and I do not think that it will. Secondly, should public sector organisations that use taxpayer money be paying criminals? No. If we are thinking about the implementation of a partial ban, maybe we need to separate the public sector and privately owned CNI.

On whether it will improve critical national infrastructure supply chain resilience, perhaps it will force people to invest more in security and resilience measures. It will depend on how it is implemented and what the liability is. Will it be a criminal liability? Will it be a financial liability? Unless it is a criminal liability, I can see that some victims would probably try to circumvent it.

We also need to be cognisant of the fact that a lot of UK CNI is not owned by companies that are headquartered in the UK. It is a fair assumption that at least some victims that are headquartered outside of the UK would probably seek to pay through other jurisdictions where it is not criminalised.

Kelly Butler: I concur with those comments. Supply chains are vast and we are totally reliant on them. Every business is reliant on these supply chains. If they were to be impacted, it is very difficult to be part of the negotiations as well, which brings another level of difficulty within the organisation in terms of driving the best outcome.

Professor Sadie Creese: I concur. The only thing that I would note is that you asked about state actors and whether this is always about cybercrime. It is a really excellent question that demands a lot of unpacking, but suffice to say, to be succinct, what you imply is correct. If you were dealing with a state-actor-sponsored campaign that was somewhat hiding a political agenda inside a ransomware attack, you can assume that this will manifest in other ways, no matter what you do, because, ultimately, it is not a ransomware driven by a financial motive. Otherwise, I agree with my colleagues wholeheartedly.

Q5 Lord Robathan: I am particularly keen on the issue of penalties over the payment of ransoms. I was on the last committee when we discussed this, and I am glad to see that the amount that has been paid out has gone down, although not by a huge amount. Very quickly, could you say whether more should be done? Is more needed? How can we enforce this practically? If it is not a public body, how can it be enforced at all? The whole attraction of ransomware to those operating it is the fact that they get away with it. What about you from the insurance market? You deal in these things.

Kelly Butler: It is a good question. We have experienced, in looking at our own claims data, that those hit with ransomware have drastically reduced paying ransom demands, which is good news for everyone. That really talks to the resilience work being done within organisations. The insurance industry in particular promotes resilience and preparedness to put them in the best possible position to not pay a ransom demand, so we continue to see a great trend. In 2019, we saw 68% of organisations hit with it elect to pay. In 2024, we saw 23%. That really talks to the work that businesses are doing, working with the agencies to ensure that they are as resilient as possible.

Jamie MacColl: I do not think that anyone wants to pay a ransom to criminals.

Lord Robathan: No, probably not.

Jamie MacColl: We should probably start from that basis. There are some victims who probably play a bit fast and loose and are too willing to do it before thinking through all the options. Anything that the Government can do to force victims to be a little more deliberate about their decision-making around ransom payments would be positive.

Ultimately, the thing that will carry on making that payment number go down year on year, as Kelly says, is making organisations more resilient in the first place, so that they do not have to get to the point where they have to think about paying a ransom.

Professor Sadie Creese: I would just like to build on that somewhat, because this work of making organisations more resilient will need to continue. We will need to see some prioritisation of other forms of resilience, because we have got really good at understanding what can be done to be resilient to a demand that is placed on holding your data to ransom, but perhaps slightly less resilient to the availability question.

What we can expect to see through 2025 and into next year is a beginning of a movement towards threats of sabotage, and it is not the case that all organisations understand what it might be to be resilient to that kind of threat. Under that kind of pressure, this progress may change. I am urging you to understand that, because the threat actors have not gone away, they will continue to innovate the ways in which they extort and can put pressure on victims. That is likely to change and move towards threats of sabotage, and that could be a very significant future, so we need to think about that.

Lord Robathan: Very briefly, should Governments have more role in this? Should they be able to fine people who are paying ransomware? Is there anything further that they can do?

Professor Sadie Creese: In terms of the particular issue that I am talking about, I am not sure that penalties are going to help, because what you need are solutions and options that enable organisations to be more resilient to that kind of threat. There, the agenda is placed on to those organisations such as NCSC and others, which are doing an excellent job of thinking this out and providing the support to organisations that they need. We need to move to these future kinds of attack that are going to enable a surge in ransomware, if we do not get on top of what it means to be resilient to a threat of sabotage.

Jamie MacColl: So far, we have talked a lot about what victims should be doing and their responsibility, and we should have a bit more discussion on the responsibility of Government to go after the criminals as well. There are not that many crimes that I can think of where our immediate thought on how to respond to it is, “How do we re-victimise the victims by, in a way, preventing their ability to recover and respond to something?”

It has taken four or five years for the Government to get to the point of even having a consultation on legislation related to ransomware. To be frank, there is a lot that could be done on resilience and also on expanding the kinds of disruption operations that I talked about. It is very easy to just say, “Most of the criminals are in Russia. They are out of our reach. We cannot do anything about it”, but there are a lot of creative ways that we can go after them.

Lord Robathan: Can I just ask one very quick last question? I am not very good on the law. You lot look much cleverer on the law than I do. There might be one or two lawyers in the room, looking around. Governments cannot stop people paying ransoms. If my son were kidnapped, for instance, they could not stop me paying a ransom, or could they?

Jamie MacColl: No, unless it was to a terrorist.

Kelly Butler: Or a sanctioned entity.

Q6 Lord Boateng: Beyond guidance and friendly persuasion, should there be a coercive role for Government in some instances where an organisation is not covered by the payment ban and informs the Government that it intends to pay a ransom? Should Government be able to stop them from doing that? If so, how could that be done practically?

Jamie MacColl: There is no payment ban at the moment, so there is no way that they can step in. To be frank, unless the Government are going to drastically change the way they go about supporting victims of cybercrime or cyberattacks in the UK, it is quite difficult to put all this emphasis on how victims behave while I cannot go to the NCSC or law enforcement and say, “Can you help me recover from this incident? Can you kick these criminals out of my networks?” That goes back to my previous point about there being a lot of emphasis on the responsibility of victims and not enough on what they get back.

Kelly Butler: There needs to be a considerably increased resource effort towards this. This is a time of crisis. This does require a number of very dedicated professionals to come together to help an organisation in likely the biggest crisis of their business. That would require a vast network of vendors to help make decisions and to help them really fend off and mitigate the circumstances.

Lord Boateng: Professor Creese, is that the opinion of you all? Is there any dissenting voice, or are you all of a mind in this regard?

Professor Sadie Creese: We are all of a mind. What I would say is this: do not underestimate the level of resource that it would take to provide that kind of support to all victims. I would certainly imagine that the threats would understand the difficulty that we would have in leveraging it.

In addition—we have to consider all of these things—I would certainly look at more proactive defensive measures. Is it possible to build on this concept of kicking them out of the network? Is it possible to make proactive defence and make it more of a hostile victim to attack that might produce a more cost-effective, scalable solution than a human-based, consultant-driven support service? Potentially, every organisation, large and small, is a possible victim, so it is incredibly hard to stand up human-based support to all of those victims, particularly if they were to happen in close succession.

Q7 Mike Martin: From payment bans to coercion, I am interested in information. There is this idea of mandatory reporting. If you are a victim of a ransomware attack, you have to report it. That will help us in a macro sense of understanding the problem. If we were to go down that route, how would you recommend that we do that? What does that look like? Does it have thresholds? What are the criteria for that? Are there any other examples of that around the world where that has worked and has been a good policy?

Professor Sadie Creese: Mandatory reporting would be a very useful tool, but, to be effective, there would have to be a lot of clarity for people around when they are required to report, and with what. I note that this has been discussed in previous reports of sessions and committees, and there have been some very sensible recommendations around the necessity to keep this reporting secure, for example. It would be very useful data for future targeting, not least, and would have an issue for reputations of victims.

In terms of the detail of what should be reported, I would very much urge you to think about what has utility and what the objectives are, to know who is attacking who, and to know why and what the weakness was. Some of this detail is not easily accessible to the leaderships of firms that fall victim, so there would need to be some thought to make this achievable and to make it have utility.

I do support reporting, and it would be very useful. It is never helpful to have this kind of information hidden from view, because it makes it incredibly hard for Government to have oversight, and for all of the government agencies to help.

Mike Martin: Would you have a threshold, say, by size of company or amount of money? What would be the trigger for, “I now have to report this”?

Professor Sadie Creese: It would depend on the level of detail. If you were to trigger by size of company, you might lose all of the SME volume of attacks that are happening. That would not give you the insight that you want, if you want to see all of it. We need to recognise the burden that would be placed on these smaller companies. Do they have someone who can access the data, et cetera?

It may be that what we are really looking for is a tailored, tiered reporting structure, so that large organisations, or those in the CNI, are required to report perhaps any ransom attempt to a certain degree. They will be able to access that information, whereas you may want to know about smaller companies but perhaps not overburden them with the level of data that you might require from those in the CNI. It is really tricky. You certainly want to get ransoms of substantive size. Maybe you do not want to know about something that was only £100.

In terms of where this is working well, some of the mandatory reporting in the financial sector, et cetera, is working well in the States, but I am no expert on that.

Kelly Butler: I concur with those comments. It really would be around seeking clarity about the information and what its purpose is, even to the point of defining what ransomware is. That is not always obvious at the time of the incident happening within the organisation. There is talk about a 72-hour window for reporting as well. Many times, it would not be clear what is happening within that organisation within those 72 hours. There needs to be really careful consideration around the requirement, who would get that information and how to use it.

I will add—you have probably noticed my accent—that Australia has a mandatory reporting regime in place at the moment. I understand that it is pretty effective and is gathering critical information that is being dispersed to organisations. However, I am not clear on the thresholds on that, so I would need to look into that and come back to you.

Jamie MacColl: Australia is just for ransom payments rather than incidents. There is no reporting regime in the world at the moment that would be as extensive as the one that the Government are proposing. I am in favour of mandatory reporting. I would include both incidents and payments, because reporting payments will add some of that friction that I was talking about to the decision-making process. If it gets out that you have made a payment in a circumstance where you probably did not have to, that will make people think twice.

In terms of the thresholds, to simplify it, it probably just has to be all organisations and exclude individuals. Otherwise, it becomes very complicated for businesses to know whether they are in scope.

The other thing to say is that there has to be some give and take. It cannot just be a black hole where victims put data in and nothing gets fed back to the community.

Finally, there is a big assumption that we are going to get all this intelligence and data, and then be able to exploit that. If we do not expand the capacities of law enforcement, the National Cyber Security Centre or the parts of the UK intelligence community that work on cybercrime, we will be collecting a lot of data that we are not able to use in an effective way.

Q8 Lord Hutton of Furness: Kelly, has the take-up of ransomware insurance in the UK changed since we last took evidence on this subject in 2023? If so, what is driving that change?

Kelly Butler: It certainly has increased year on year, and it really is around awareness. People are using the cyber insurance application process as a way to almost do a health check within their organisation. The insurance industry has now seen a flood of ransomware events come in and knows what a good risk looks like in terms of the critical controls that they should have in place.

We have seen a very volatile market. Last time we were in this room, we saw what we deemed a hard market. It was very difficult to get cyber insurance. There was a real barrier to entry, which has now started to soften—I am sorry that I am using insurance terms—in terms of the baseline of being able to purchase that, but that really does talk to the vast amount of work that organisations have done to really bring up their baselines around those critical cyber controls that are needed.

We are seeing uptake, particularly in the larger organisations. Where we are still seeing low take-out of cyber insurance is in the area that we think most needs cyber insurance, which is small to medium-sized businesses. Again, there is a lack of awareness and of resourcing internally to be able to apply for the insurance and understand the value that it would bring to that organisation.

Lord Hutton of Furness: In your view, Kelly, what has been the overall impact of ransomware insurance on cyber resilience in the UK—positive or negative?

Kelly Butler: It has been very positive. We are now seeing a cycle where we talk about a feedback loop. We see what good looks like and what bad looks like, and are able to feed that back to clients in terms of being prepared. The key is to be prepared for an incident, which many organisations lacked. They needed to make sure that they had pre-tested their incident response plans, knew who made the decisions in a time of critical crisis, and be able to respond as soon as possible.

The insurance policy itself brings together a vast network of vendors that are available 24/7 in that time-critical need. They have just developed their own internal intelligence to be able to really help the organisation at the time of crisis to make better decisions.

Lord Hutton of Furness: Is it a condition of an insurance policy that a business, for example, makes a minimum threshold investment in cybersecurity before you will issue that policy?

Kelly Butler: Yes, absolutely. There is an assessment that a client will need to complete. Within that assessment, they would need to demonstrate that they have strong cyber hygiene around those critical controls.

Jamie MacColl: The only thing that I would add is that the security that is required will change as the market softens. A couple of years ago, when you were taking evidence last time, it was a hard market. It was much harder to get coverage. You had to have more security controls in place. The current market conditions are the inverse of that, and that does risk creating a bit of a moral hazard where you can treat insurance as a substitute for security.

Lord Hutton of Furness: Is insurance a false sense of security?

Jamie MacColl: No, I do not think so, for the most part. It is not a phenomenon that is happening very regularly. There may be segments of the market where it does, particularly for SMEs, but the key thing, as Kelly said, is that there are no flashing blue lights if you are a victim of ransomware, unless you are a central government department or a particularly critical part of critical national infrastructure, which makes insurance pretty critical.

Q9 Lord Browne of Ladyton: Can I ask you some questions, Kelly, about the size of this market? I know you are here representing yourself, not Marsh McLennan, and you probably do not have a comprehensive knowledge of the market, but you are the only person in this room who has any knowledge of it. In the papers that we got to prepare ourselves for this, the previous version of this committee, which looked at this in 2023, got evidence that the global market, which is measured, I understand, in gross written premiums, had grown from the order of £7 billion in 2020 to around £14 billion or something.

Kelly Butler: It is estimated at £15 billion.

Lord Browne of Ladyton: The evidence that we got was £12 billion by the end of 2022, but the evidence was given in 2023, so that would be about right. I have read around a bit of this, and I came across a piece of academic work that suggested that it is estimated that this global market will increase to £25 billion by the end of this year. Would that be your expectation?

Kelly Butler: No, definitely not to that level, based on the current takeout of new buyers entering the market. Certainly, with rates starting to decrease, we have a much more competitive and buoyant market. We currently peg the latest GWP at £15.6 billion, and it is likely to get to around £20 billion by the end of the year.

Lord Browne of Ladyton: Is it your evidence that insurance companies that offer this somehow audit the IT security of an organisation before they will agree and finalise a policy?

Kelly Butler: That is correct.

Lord Browne of Ladyton: Does everybody do that?

Kelly Butler: There is a written assessment, almost like a self-assessment, from an organisation. Insurers have also invested heavily around scanning tools, so they scan, non-invasively, the perimeters of businesses as well. They are doing a huge amount of risk management before they will offer a policy to an organisation.

Lord Browne of Ladyton: Sorry. This is my fault, but I do not fully understand this. I understand the self-assessment, and I can see that that is a discipline. It makes you at least think about it. How would an insurance company go about auditing the level of IT security that there was? What does this scanning mean? How do you do this, given that people may well have software that does not even have an ISO standard? It may go back to 2015 because they did not have them then. How do you do that?

Kelly Butler: It is a really good question. Insurers have learnt a lot over the years in starting to write cyber insurance, and have built assessment models in the background as to how to understand the risk exposure within any one organisation. That starts with the assessment, but there are a vast number of tools in the background. They have invested in having cybersecurity experts sit within their underwriting teams, and are using technology broadly just to be able to non-invasively scan the perimeters of an organisation’s IT footprint and make an assessment before they place a policy with them. They also look at their own claims history and use that as information when assessing risk.

Lord Browne of Ladyton: Do insurance companies now collect long-term data?

Kelly Butler: They do. It was one of the big challenges for cyber, because we did not have the long-term and long-tail data, but now that is starting to build. Cyber insurance has been in existence for over 20 years. We saw a major flood of claims in 2020 and 2021, so a huge amount of work has been looking at the lessons learned as a result of those.

Lord Browne of Ladyton: Would the insurance industry be happy to share that data with the Government?

Kelly Butler: It is difficult to share that data, because there is a lot of sensitivity around a cyber event. However, we are yearning to talk more and consult with the Government, because this is in the best interests of organisations.

Jamie MacColl: Just as a final comment: it should be very clear that the vast majority of UK organisations do not have cyber insurance, and we should be careful not to overestimate its impact both in terms of raising security but also in terms of—

The Chair: Sorry, I must intervene and move us on. Edward Morello?

Q10            Edward Morello: I assume that, like every other form of insurance, the premiums are related to the risk but also what processes you have in place to manage that risk. Cyber insurance, therefore, presumably is not financially viable for the SME market, or is it? To the broader point that Jamie was making, if it is not reaching down to the SME market, does it need to be in order to act as a deterrent?

Kelly Butler: As mentioned, the market has a lot more capital and a lot more premium in it, so insurers are a lot more comfortable around underwriting the risk and understanding the exposure. Therefore, it is much easier for SMEs at the moment to obtain cyber insurance. In a broad form, it will come down to an assessment. Of course, if they do not have the critical controls in place that the insurers require, that may see higher retentions or coverage restrictions. At the moment, we are seeing quite a competitive market for SMEs to be able to buy cyber insurance.

Edward Morello: Jamie, to your point, does that then disincentivise an SME to invest in the infrastructure or the protection necessary?

Jamie MacColl: I am not looking closely enough at underwriting risk assessments to be able to say with certainty, but, based on previous research we did in 2019-20, when the market was very soft and ransomware was becoming a big issue, I would say that, at the lower end of the market, it is easier to get coverage without having to prove that you have mature cybersecurity. When that was the case five or six years ago, the cyber insurance market was very badly affected by ransomware. A lot of them had loss ratios of over 100%, which means that they were losing money.

Q11            Baroness Tyler of Enfield: I would like to turn to the implementation of these new proposals and the new regime. First, do you feel that existing government structures are sufficiently well equipped to deal with the increased number of reports, as we have been saying, that they are going to receive as a result of this new regime? Secondly, do you feel clear where responsibility or accountability should and could lie as between the National Crime Agency—ie, the Home Office—and the National Cyber Security Centre, as in GCHQ? I am not sure who is best placed to respond. Is it Professor Creese?

Professor Sadie Creese: I can certainly give you a response; I may not be best placed. I do not work within the Government, so I can only give you an opinion based on what I see. I found the recent government cyber resilience report particularly useful, as I said. My guess is that there will not be enough resource to deal with the vast increase in reporting. That is probably true for any substantive increase in reporting for any government department. There will be a need to put more in.

I would also imagine that work will need to be done on how to partner across these organisations that you have just highlighted, so that people understand who is responsible for gathering the data and for processing it. Does one gather on behalf of the others and then share? There is definitely substantive work to be done if we are not to end up in a situation where there is lots of reporting, no benefit gained, and an awful lot of demand made of too little resource. There is a substantive risk that will need looking at.

Jamie MacColl: The risk with mandatory reporting, particularly if it is the reporting of a crime, is that it goes to Action Fraud, which I imagine is what the proposal envisages. We could spend half an hour talking about problems with Action Fraud. I would consider a different reporting portal to Action Fraud, and possibly that all types of cybersecurity incidents should go to a single portal rather than all the different regulators.

Baroness Tyler of Enfield: In that new set-up that you are suggesting, are there lessons that could and should be learned from the clear failure of Action Fraud?

Jamie MacColl: One thing that I would say is that Action Fraud has been in the process of being revamped for the last several years, so we could see a trial run of how effective that is before we try something entirely new.

Baroness Tyler of Enfield: Finally, and very briefly, please, is there anything else that the Government should have included in their consultation but did not? Are there any key omissions?

Jamie MacColl: Within the remit of what the Home Office does, I would like to see a lot more resourcing for law enforcement. Some of the proposals are relatively expensive compared to the resources that law enforcement have. In an ideal world, I would resource law enforcement to do more of the disruption operations, more of the counter-threat work, more sanctions and more attribution. The Australian model is a joint operational unit between the intelligence community and law enforcement, and is the kind of model that we should be pursuing, making sure that it is resourced properly.

The Chair: Thank you. That concludes our panel on ransomware. Can I thank our three witnesses for joining us today? No doubt we will meet again in two years’ time, or whatever it may be. This issue is not going to go away. Thank you once again for giving up your time for, clearly, what is a crucial issue and one that the Government are also trying to get their teeth into, in a fast-moving environment. For the moment, thank you.