Cyber insurance driving ransomware threat

The payment of ransoms by insurers should be banned, according to a new Cyber Security Cooperative Research Centre (CSCRC) policy paper

Written on 13 October, 2021
Tanaya Das

While cyber insurance can play a positive role in uplifting cyber security, the payment of ransoms by insurers should be banned, according to a new Cyber Security Cooperative Research Centre (CSCRC) policy paper, Underwritten or oversold? How cyber insurance can hinder (or help) cyber security in Australia.

CSCRC CEO and paper co-author Rachael Falk said cyber insurance was not a cyber security silver bullet and should be viewed as one part of an organisation’s holistic cyber security strategy. “We believe the payment of ransoms by insurers is helping drive the illicit ransomware trade – what is vital when it comes to ransomware and cyber insurance is that we start to starve out the cyber criminals and break the payment chain by stopping insurers paying the ransom.”

Other concerns raised in the paper include the lack of clarity regarding inclusions and exclusions in Australian cyber insurance policies, which could leave insured businesses ineligible to claim, and the sweeping ‘step-in’ powers insurers wield after a cyber incident, which in effect could make them shadow directors.

Despite the pitfalls, however, Falk said cyber insurance could play a positive role in uplifting cyber security. “There are really practical steps insurers can take to drive cyber security uplift in Australia as part of their cyber insurance offerings,” Ms Falk said. “They are in a position to set minimum cyber security standards for coverage. They can work with other organisations like telecommunications providers to offer ‘bundled’ cyber security products as part of policies. And they could help drive regulatory compliance by refusing to cover costs associated with an unreported breach.”

Government’s plan to protect Australians against ransomware

Minister for Home Affairs Karen Andrews said individuals, businesses, and critical infrastructure across Australia will be better protected as a result of a new and comprehensive Ransomware Action Plan.

“Ransomware gangs have attacked businesses, individuals, and critical infrastructure right across the country,” Andrews said.

“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.”

Under the Ransomware Action Plan the Government will:
- Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cybercriminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
- Introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
- Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
- Criminalise the buying or selling of malware for the purposes of undertaking computer crimes; and
- Modernise legislation to ensure that cybercriminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.

The Plan follows the establishment of a new Australian Federal Police-led multi-agency operation that targets ransomware attacks linked directly to sophisticated organised crime groups operating in Australia and overseas, and that shares intelligence directly with the Australian Cyber Security Centre as it deploys its disruptive capabilities offshore.

The full CSCRC policy paper is available from the CSCRC, and the Ransomware Action Plan is available on the Department of Home Affairs website.