While cyber insurance might help improve cyber security, insurers should be prohibited from paying ransoms, according to a new policy paper from the Cyber Security Cooperative Research Centre (CSCRC), titled "Oversold or underwritten? How cyber insurance can help (or hurt) Australia's cyber security".
Ransomware attacks are estimated to occur every 11 seconds in 2021, costing more than $20 billion, which underlines how important cyber liability insurance is becoming. Because of Australia's wealth and connectivity, a disproportionate share of these attacks will be directed at its companies. Two important papers aimed at safeguarding Australians from ransomware attacks were released this quarter.
The Australian Government’s Ransomware Action Plan
The Minister for Home Affairs, The Hon Karen Andrews MP, says the following about the Australian Ransomware Action Plan:
“The Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.”
A plan for preventing and responding to ransomware attacks was released by the Department of Home Affairs. By making attacks less profitable and simpler to prosecute, the government hopes to make Australian firms a less appealing target for attackers.
The CSCRC’s research suggests that significant changes to the cyber insurance industry be made to combat ransomware attacks. It includes the divisive suggestion that Australia prohibit insurance coverage for ransomware extortion payments.
Overview: The Australian Ransomware Action Plan
- Businesses with an annual turnover of more than $10 million are required to disclose ransomware incidents.
- Cyber extortion is now a separate offence with a higher maximum sentence.
- Cybercriminals who target essential infrastructure face a second separate offence with a greater maximum sentence.
- Intentionally interacting with stolen data becomes a criminal offence, making it easier for law enforcement agencies to prosecute those who withhold or release private information.
- Buying or selling malware for use in cybercrime becomes unlawful.
- Law enforcement agencies gain greater powers to track and confiscate cybercriminals' bitcoin transactions.
The Plan follows the launch of a new multi-agency operation, led by the Australian Federal Police, that focuses on ransomware attacks linked to sophisticated organised crime groups operating in Australia and abroad. The operation shares intelligence with the Australian Cyber Security Centre, which deploys its disruptive capabilities offshore.
Is banning ransomware cover the answer?
Questions have been raised about the efficacy and fairness of limiting ransomware payment cover since the CSCRC released their research. The following are some of the arguments against outlawing ransomware payment cover:
i. Insurance is not usually the deciding factor in whether a ransom is paid.
According to a recent IDC survey, 60% of Australian businesses would "probably pay" a ransom demand if their operations were "seriously hampered." Furthermore, even if insurance were not in place, 43% of Australian businesses would "probably pay."
ii. Insurers have other effective ways to encourage firms to take cyber security seriously.
Several other recommendations in the CSCRC report encourage firms to strengthen their cyber policies without sacrificing insurance coverage. For example, SMEs could be required to fulfil a minimum cyber security level before receiving insurance, or insurance premium incentives could be offered in exchange for good security procedures and free audits.
iii. Prohibiting ransomware payment cover would leave certain organisations unable to pay a ransom at all.
The Australian government makes it clear in its Ransomware Action Plan that ransomware payment is not tolerated. It does not, however, go so far as to make payment unlawful.
Paying a ransom demand is the only feasible choice for many firms. This includes companies that have been unable to recover their systems in other ways, are on the verge of bankruptcy unless they act quickly, and have had attacks on systems that are crucial to the immediate personal safety of their employees or customers.