Earlier this month, more than 68 countries and organization members met in Washington D.C. for the fourth annual International Counter Ransomware Initiative (CRI). The CRI is the world’s largest partnership to combat the threat of ransomware. 

Over the course of four days, a flurry of efforts - including updates on prior commitments and announcements of new initiatives - took place. Amidst all of this, one notable new effort was the explicit and formal involvement of the private sector in what had been a Government only initiative. The CRI is the world's largest government-to-government partnership to combat the threat of ransomware and now, under Canada's leadership, a new Public-Private Advisory Panel has been established to bring industry into the group.

As part of this, on Oct. 3, the Center for Cybersecurity Policy and Law (CPPL), in conjunction with the Institute of Security and Technology, (IST) hosted the first-ever CRI Industry Partnership Dialogue. The half-day event brought together more than 28 different CRI government members, as well as a diverse array of industry representatives, for an opportunity to connect and engage on all-things-ransomware. 

The discussion began with a panel on insurance, and how ransomware had driven the evolution of the cyber insurance model. Panelists noted the important role insurers have to play in enhancing their policy-holders’ cyber posture and resilience, especially with minimum security standards requirements to obtain a policy and associated risk assessment requirements too. 

While ransomware is a major driver for insurance expenses, panelists discussed the typical claim cost structure - including costs associated with business interruption, extortion, incident response, and liability. Panelists also highlighted that fraudulent fund transfer through phishing remains the leading cause of loss for insured entities. The dialogue incorporated the CRI’s announcement of new guidance that encourages ransomware-hit organizations to consider their options and not to provide extortion payments.

The second panel focused on private sector engagement, and yielded more context on the scope of the CRI’s newly-established Public-Private Advisory Panel, which is tasked with providing support to members and is working to identify collaborative initiatives for the coming year. Panelists noted the importance of industry engagement in real-time operation and collaboration, especially when it comes to cross-border ransomware investigations and incident response.

Next, IST highlighted their Blueprint for Ransomware Defense report, which provides recommendations of defensive actions that can be taken by small- and medium-sized enterprises (SMEs) to protect against and respond to ransomware and other common cyber attacks. The report calls out that nearly 8% of ransomware attacks target SMEs. The report features 40 foundational and actionables safeguards, utilizing CIS controls. The report originates from the Ransomware Task Force call for a clear, actionable framework for ransomware mitigation, response, and recovery. 

The final discussion focused on reporting harmonization, with panelists highlighting the acute fragmentation of cyber regulation around the world, and the ensuing complexity for industry when it comes to cyber incident reporting. Panelists described the challenges of navigating a cybersecurity incident while needing to meet different reporting deadlines, often with different requirements for the information to be reported. Panelists noted two harmonization efforts that have the potential to help ease these challenges:

• The U.S. Department of Homeland Security and the European Commission’s DG CONNECT work on a comparative assessment of the recommendations from the U.S. Cyber Incident Reporting Council and the 2023 DHS report on Harmonization of Cyber Incident Reporting to the Federal Government against the EU’s Directive 2022/2555 (NIS2).
• Ongoing efforts by the Swiss Government to establish a common incident reporting form template.

Moving the CRI from a purely Government to Government partnership to a multi-stakeholder one is likely to come with some friction as the CRI works out what the best governance structure is for engaging the private sector. But as Deputy National Security Advisory Anne Nueberger stated after the inaugural CRI conference in 2021, “it takes a network to defeat a network,” and the private sector will undoubtedly strengthen the network of the CRI, in turn increasing the overall ability for CRI countries to combat this heinous type of crime. 

‍