Academic Suggests Making Ransomware Payments Illegal

Professor Ciaran Martin told the The Guardian last week that he feels ransomware is `close to getting out of control,’ and that UK insurers are inadvertently funding organised crime by paying out on ransomware claims.

The academic who works for the Blavatnik School of Government at Oxford University called for a new law to make it illegal for insurance companies to pay out on ransomware claims. The Blavatnik School was founded by Russian business tycoon Leonard Blavatnik, a generous donor to UK arts and education projects. A donation of £75m established the Blavatnik School in 2010, which attracted some criticism from Guardianistas at the time, though all that is now long forgotten.

Some of the graduates from the Blavatnik School have gone on to become policy advisors at 10 Downing Street, work with Facebook in Africa to maintain `safe’ speech online or manage the Global Battery Alliance for the World Economic Forum. An opinion from an academic at this School of Government then carries some weight, since it suggests that global governments may well try to enact such a law, or make it a policy strategy in future.

Professor Martin is the former head of the National Cyber Security Centre in the UK, and now works at the Blavatnik School, so he has a unique insight into major cyber attacks and ransomware cases in the UK, both in the private and puublic sector.

This interesting viewpoint from a Blavatnik sponsored academic caused the ABI to issue a statement today to the BBC, who had kindly re-posted the essence of the Guardian’s story this morning. The ABI noted that paying the ransom was `not an alternative to minimising the risk,’ adding that many companies would face complete ruin if they had no ransomware coverage.


Adam Enterkin, SVP, EMEA, BlackBerry

“ This is just one part of a multi-faceted network of protective and preventative measures needed to outsmart sophisticated ransomware attackers.  

“We’ve seen that no data is safe, no matter how sensitive. Attacks on hospitals and medical institutions in 2020 proved that cyber attackers are targeting overwhelmed workforces in the hope that there will be no time for retaliation. Already suffering under a huge volume of threats, even the best cybersecurity teams have been pushed to their limits working from home.

“Preventing attackers from infiltrating systems requires teamwork. Business leaders and IT teams must acknowledge and anticipate the threat, and prepare to respond to any sign of unauthorised hackers. AI technology can then help manage the volume of potential threats, spotting anomalies in data and dealing with the simple tasks whilst flagging potential threats to cybersecurity teams. Humans and tech must work hand in hand, so the professionals are equipped with the right knowledge and skillsets to keep our enterprises, and our country, safe, even before the attackers have the chance to strike.”


“I can’t claim to speak on behalf of the insurance industry, but having been involved in cyber insurance for almost 20 years now, I can say with some certainty that this is not how the industry thinks. In fact, I’d make a fairly large wager that most (if not all) of my peers would happily support a bill to make the reimbursement of ransoms illegal, if (and only if) that would actually solve the problem. Unfortunately, I don’t think it would.

Let’s leave aside for one minute the practicality of enacting – and enforcing – such a law, it feels that targeting insurers as the source of the problem is fundamentally mis-guided. Less than 15% of global businesses purchase this kind of insurance, so to suggest that eliminating part of it would fix what is now a global issue would be to ignore the other 85% of businesses who face the same problem without insurance.

There is no evidence to suggest that businesses who purchase cyber insurance are more inclined to pay a ransom demand than those without, in fact in my experience, it is quite the opposite. Armed with insurance a company can avail itself of the appropriate experts to guide them through the issue and support them through the recovery process, in the absence of this, most small businesses assume they have no other option but to pay.”

More from Graeme here btw.


Meanwhile the Scottish Environment Protection Agency (SEPA) told the press last week that they would `not engage’ with criminals, who have trying to extort a ransom since Christmas Eve. About 4000 files were stolen in the hack and some have been published online, but SEPA remain adamant that they will not pay up.

The bold stance is interesting because part of SEPA’s job is to protect homes and businesses against floods, so if future cyber hackers intercept crucial local forecasting data, or alter flood alerts, the potential for economic/property damage and loss of life, is huge. Arguably, this brave move by SEPA to play poker with cyber criminals and call their bluff is likely to become public policy, especially if the Blavatnik graduates embedded in the public sector around the world all agree that ransoms should not be paid.

But will it work, or simply raise the stakes?


About alastair walker 12524 Articles
20 years experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.