Australian insurers are warning the government against blanket banning ransomware payments.
In a submission to the 2023–2030 Australian Cyber Security Strategy consultation, the Insurance Council of Australia has urged the government to carefully evaluate the move to outlaw paying cyber ransom demands and instead look to set standardised cyber security requirements for businesses.
Insurance companies would lose out if ransomware payments became illegal, as many provide coverage for ransom demands in the event of a cyber attack, a fact that council managing director and chief executive Andrew Hall admitted.
“Prohibiting the payments of ransoms is a complex policy issue,” Hall said.
“The Insurance Council suggests that a broad range of policy responses and actions be considered to counter ransomware, such as strengthening cyber security standards and disclosure regimes (including reporting and sharing of ransomware incidents), tougher penalties and enforcement against cyber criminals, and greater international co-operation and coordination of financial sanctions regimes and information sharing.”
The council pointed out that the decision to pay a ransom remains with the victim, that any ransom paid is paid by the client rather than the insurer, and that coverage would then partially or fully reimburse that payment.
While that may be true, concerns have arisen over whether cyber insurance is a benefit or a burden: a company known to hold coverage can become a more attractive target, making a threat actor more likely to attack and more likely to demand the equivalent of the insurance payout on top of the initial demand.
Jeffrey Foster, Associate Professor in Cyber Security Studies at Macquarie University, has said that the tactic of threat groups demanding a ransom matching the victim's insurance coverage is “common”.
Hall stated that before providing an organisation with coverage, insurers evaluate the cyber security protections that it has in place.
“As part of the underwriting process, insurers often examine an organisation’s cyber defences, identify vulnerabilities and provide guidance on how to strengthen cyber security,” he said.
“The Insurance Council would welcome government initiatives that improve firms’ cyber risk posture.
“These initiatives would, in turn, likely improve availability of cyber insurance.”
Hall also said that an outright ban on ransomware payments could have dire consequences, including a disproportionate effect on SMEs.
“While paying ransoms can contribute to a criminal business model, it must be recognised that no organisation wants to be extorted and the decision to pay a ransom is largely a function of the cost of recovery and remediation being higher than the ransom demand,” he said.
“As such, an outright ban may disproportionally affect smaller entities and may significantly impact their ability and capacity to recover and return to operation.”
The full Insurance Council submission is available on the council's website.