Why Banning Ransom Payments Might Not Be A Silver Bullet Solution

Kirsten Maley, Director of Claims at Cowbell, asks whether the Government’s proposed ban is a step towards stronger cyber resilience, or a policy that risks creating more problems than it solves – for insurers, brokers, and the organisations they protect.

This July, the UK Government announced plans to ban all public sector bodies and critical national infrastructure – including the NHS, local councils, and schools – from paying ransoms to cybercriminals. It’s still early days, and nothing is in force yet, but the proposals have brought up a number of questions in the insurance market: what would a ban mean for underwriting practices, policy triggers, and claims handling? How might brokers support clients whose recovery options are restricted? And ultimately, would such a move strengthen national resilience or expose public services to greater risk?

On the one hand, you could argue that a blanket ban of this nature is unlikely to be workable in practice – suggesting it won’t go ahead. Many of these public sector organisations operate on legacy systems, with limited funding to upgrade infrastructure or build effective defences, which makes them prime targets. If a ban were in place and they suffered a major attack, the disruption to critical services could have far worse implications for both the individual entity and the government as a whole, which makes it difficult to see the government not stepping in to bail them out.

However, given that this news follows an existing ban on payments by government departments, and that so far we’ve seen strong public and stakeholder support for the proposal, others are leaning towards the opinion that it will – and should – materialise.

The latter of those opinions is perhaps understandable – as an idea it comes across positively on the surface. Any measures that form part of a wider push to reduce the financial incentive behind ransomware attacks and improve national cyber resilience must be good. But anyone working in cyber insurance knows it’s not that simple; not for the insurer, the broker, or the insured.

How a ban might affect the insurance value chain

Let’s delve into how each party might be affected if the ban did come into force, and weigh up the pros and cons:

The insurer: As insurers may face new limitations around covering ransom payments for public sector clients, the key question is what would actually change and how they would adapt to the prospect of systemic risk. With no parameters defined yet, we’re largely reliant on government guidance, and until that comes through, much of the impact remains speculative. That said, if a ban were enforced, underwriters would likely model for longer outages and higher DFIR and rebuild costs, and place more weight on business interruption exposures. Policies could be amended with clear prohibition clauses (“no cover where illegal”), and organisations with minimal controls would be treated more harshly. On the positive side, this could reduce legal or sanctions risk and even drive stronger resilience if organisations strengthen controls and backups. But the flip side is higher ancillary costs, tougher wordings, operational burden, and the real risk of public bodies struggling – or even folding – under the weight of extended downtime.

The insured: If paying is no longer an option and an organisation cannot restore operations, the impact could be severe, ranging from prolonged outages and operating risks to permanent closure. Even where recovery is possible, rebuilding without access to stolen data could mean much larger costs and significant disruption. In this context, reliance on tested, offline or immutable backups, as well as rapid isolation and rebuild capabilities, becomes critical. These safeguards should be in place regardless, since ransom payment should always be a last resort. The priority for public bodies must therefore be to design recovery plans on the assumption that paying is not possible: ensuring backups are reliable, clean rebuild environments exist, systems are segmented and hardened, exercises are conducted, communication plans are ready, and insurers are engaged to strengthen resilience and training. Policyholders will also need to reassess policy limits and coverage, as underwriters are likely to scrutinise controls more closely – potentially driving higher premiums for those seeking broader protection.

The broker: It’s a broker’s job to help clients plan ahead, pressure-test their controls, and ensure they’re not left exposed – not just to attackers, but to a regulatory change that could remove their fallback option. With this in mind, brokers will need to help clients shift their focus from reactive measures to stronger resilience. Specifically, they must ensure policyholders fully understand the scope of their cover, have adequate cover in place (primary, excess, limits etc.), and are educated in cyber risk and what it means for them. These are all good practices whether the proposals are actioned or not.

The attacker: From the cyber attacker’s perspective, many would assume that with the financial incentive removed, attacks would reduce. However, there is always the possibility that a ban of this nature could simply see tactics shift. Such a shift may bring a rise in data theft and harassment, and attackers pivoting towards other sectors. Criminals could also respond with higher levels of coercion, such as issuing shorter payment timeframes or intensifying threats, which would in turn increase regulatory exposure and pressure on the ICO.

Private companies: At the moment, the ransom payment ban proposal doesn’t cover private businesses, which for me is a positive. While there is good intention behind a potential ban, in reality it could lead to a number of under-insured private businesses collapsing. Just as with public sector bodies, if there is no way to recover or rebuild a network, ransoms are banned and policy coverage is limited, a business may not have the reserves to cover those costs and, even if it does, would suffer significantly financially.

While ransoms are always a last resort, and businesses are starting to understand cyber risk better and are putting good controls and critical action plans together, there are still risks. Removing that option altogether would simply restrict their ability to respond. That being said, private companies may soon be required to notify the government before paying – an update that also calls for change from companies in terms of cyber resilience and planning.

My advice here is to adopt a no-payment posture: build internal hardening and strength, and ensure the organisation can withstand an event. With respect to reporting, this will require additional measures that should be planned for, including preparedness to manage public disclosure of incidents, given that reporting will feed directly to the ICO.

Whether for public or private organisations, the debate around ransom payments for me highlights that the focus must be on resilience. Bans and reporting regimes may shape behaviour, but only robust preparation will ensure organisations can survive if and when the worst happens.
