Posted by KBI

A Growing Ransomware Threat is Driving Change in the Australian Cyber Insurance Market

According to Cybersecurity Ventures, ransomware attacks are expected to occur every 11 seconds at a combined cost of over $20bn in 2021. Australia’s wealth and strong online presence mean that a disproportionate number of these attacks will be targeted at Australian businesses. This quarter saw the release of two critical reports aimed at protecting Australians from ransomware threats.

➤ The Australian Government’s Ransomware Action Plan

The Department of Home Affairs released a plan for preventing and responding to ransomware attacks. The government aims to make Australian businesses a less palatable target for attackers by making attacks less profitable and easier to prosecute.

➤ The Cyber Security Co-Operative Research Centre’s (CSCRC) Policy Paper on Cyber Insurance

The CSCRC’s paper recommends the prevention of ransomware attacks through significant changes to the cyber insurance market. It includes the controversial recommendation that Australia ban insurance cover for ransomware extortion payments.

In this article, we will discuss the changes proposed by each report, including their possible impact on your business. We will pay particular attention to the potential ban on ransomware payment cover and how your business can prepare.

Overview: The Australian Ransomware Action Plan

The Australian Ransomware Action Plan builds on existing cybercrime prevention measures, including education campaigns and support services. The Minister of Home Affairs, The Hon Karen Andrews MP, says:

The Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.

The newly proposed measures include:

Mandatory ransomware incident reporting for businesses with an annual turnover greater than $10m.

A standalone offence for cyber extortion with an increased maximum penalty.

A second standalone offence with a higher maximum penalty for cybercriminals who target critical infrastructure.

Making it illegal to knowingly deal with stolen data as part of committing a separate criminal offence.

Making it illegal to buy or sell malware for use in cybercrimes.

Giving law enforcement agencies better ability to track and seize cybercriminals’ cryptocurrency transactions.

Source: Minster for Home Affairs

Overview: Underwritten or Oversold — The CSCRC's Policy Paper on Cyber Insurance

The CSCRC is a government-funded organisation that undertakes cybersecurity research in collaboration with relevant industry members, academics and the government. CSCRC CEO Rachael Falk co-authored their paper on cyber insurance. She says:

This policy paper explores a number of issues related to cyber insurance, with a focus on how it can hinder and help cyber security uplift across the Australian economy,

The paper’s key findings are:

Australia should ban insurance companies from including ransomware extortion payment cover in their cyber insurance policies.

Insurers should provide greater transparency around what cyber insurance policies cover and exclude.

Insurers should require businesses to meet minimum cyber protection standards before a policy is issued.

Insurers should work with telecommunications companies, cloud service providers and software providers to increase insurance uptake by bundling products together.

Source: Cyber Security Cooperative Research Centre

Why has the CSCRC suggested a ban on ransomware payment cover?

The CSCRC argues that insurers are “unintentionally feeding the ransomware epidemic” by providing ransomware payment cover. Falk says:

We believe the payment of ransoms by insurers is helping drive the illicit ransomware trade – what is vital when it comes to ransomware and cyber insurance is that we start to starve out the cyber criminals and break the payment chain by stopping insurers paying the ransom.

The report also argues ransomware payment cover may lead organisations to be lax about cyber security.

Is banning ransomware cover the answer?

Since the CSCRC released their paper, questions have been raised around the efficacy and fairness of banning ransomware payment cover. Objections to banning ransomware payment cover can include:

i. Insurance is not always a deciding factor in ransom payment decisions

A 2021 IDC survey suggested that 43% of Australian businesses would “probably pay” a “widespread ransomware attack” that “significantly hampers” operations, even if insurance was not in place

ii. There are other effective ways that insurers can encourage businesses to take cyber protection seriously.

Several other ideas mentioned in the CSCRC’s report encourage businesses to step up their cyber policies without removing insurance protection. Examples include requiring businesses to meet a minimum cyber security standard before having insurance, offering insurance premium incentives for solid security practices and providing free risk assessment tools.

iii. Banning ransomware payment cover will take the option of paying a ransom off the table for some businesses.

The Ransomware Action Plan makes it clear that the Australian government does not condone ransomware payment. But it does not go as far as making payment illegal.

For many businesses paying a ransom demand is the only realistic option available. This includes organisations who fail to recover their systems in other ways, who are at risk of bankruptcy unless they take immediate action, and who experience attacks on systems critical to the immediate personal safety of their staff or customers.

Is a ban on ransomware payment cover likely?

“It’s hard to say,” explains KBI’s lead cyber insurance broker Tyler Speers. He notes that Australia is not the only country looking into this sort of ban. He says:

As the cost and frequency of ransomware attacks grows, the risks associated with providing ransomware cover have begun to push the risk appetite of many insurers. As brokers, we are beginning to see restrictions on ransomware payment cover in Australia. Internationally some insurers, like AXA France, have voluntarily ceased ransomware payment cover, but it is unclear how other insurers will respond to these changes.

For insurers who have enacted (or are considering enacting) limitations on ransomware cover, a market-wide ban would help ensure their policies will not lose competitiveness. However, not all insurers will necessarily share this view.

For concerned businesses, Speers adds that the best thing to do is strengthen your cyber security policies.

We don’t know how the cyber insurance market will change over the next 12 months. But there are three things we do know. Firstly, changes are likely. Secondly, changes will almost certainly favour businesses with robust cyber protections and ransomware attack plans in place. And thirdly, in any circumstance, the best way to prevent issues with ransomware payment is to prevent attackers from gaining access to your systems in the first place.

How do I protect my business from a ransomware attack?

The CSCRC suggests that a best practice Cyber Security Checklist for SMEs include:

Clear policies around system access, downloads, emails and 3rd party devices (like USBs.)

Regular staff cyber security training

Regular onsite and offsite data backup

Regular data backups

Up-to-date antivirus software

A patching program

A strong password policy

Multi-factor authentication

Strong access management

Source: Cyber Security Cooperative Research Centre

KBI suggest that you also have

An existing connection with a team of experts, including experts on cyber security, cyber law & cyber insurance.

A solid incident response plan

What should my incident response plan include?

A good ransomware incident response plan helps you respond quickly to cyber attacks by providing clear and detailed instructions for dealing with an attack.

We suggest that your plan incorporate:

A team of experts

As well as relevant internal parties, you should create your plan in consultation with a legal expert, a risk manager, a cyber insurance broker, a cybersecurity expert and a cyber security forensic service provider.

A policy around the payment of ransom demands

If an attacker takes over your operating system, will your business pay ransom demands? If so, in what circumstances? Considerations might include whether you can restore data, what data the attackers have accessed and whether the ransom cost exceeds the recovery cost.

An immediate response plan

Who is on your response team? Who will you need to contact? If you will consider paying the ransom, how will you get the information you need to decide? Who will decide? Who will need to sign the decision off?

A ransom payment plan

If you decide to pay the ransom, who will negotiate it and organise the payment? Who will ensure the payment is legally compliant? What information will they need to do this? How long will it take? What will you do after the ransom is paid?

A ransom non-payment plan

Will you attempt to restore your operating systems, encrypted data and encrypted files from backup or break the encryption? If both, which one is the priority? Who will you contact? What will they need to do? How long will it take?

Full sign off from your board

Don’t forget to check (and document)

The possible legal implications of your plan.

Your legal expert can help with this.

The way your plan interacts with your cyber insurance.

Does it take the best advantage of your available cover? Does it trigger any exclusions?

Whether parties involved in your plan have the necessary permissions.

Has your insurer approved the third parties who be helping guide your response? Is the person who will contact your lawyer authorised to do so? Is the person who will pay the ransom authorised to do so?

Key takeaways

The Australian Government is taking action against ransomware attacks.

The CSCRC has suggested that their plan include major changes to cyber security insurance.

The CSCRC recommendation for a ban on ransomware payment cover has met with objections but may still be implemented.

In any case, we advise businesses to step up their cyber security practices, talk to their broker about insurance cover & make a solid plan for ransomware attacks.

To talk to a broker, or find out more about cyber insurance, visit our cyber insurance page.

Have any questions?

Talk to one of our Brokers today!

About KBI

We are a specialist insurance brokerage with an emphasis on adding value to our clients by helping them make an informed decision. Our approach combines that of an insurance broker and consultant, where we focus on providing expert advice to our clients while customising their insurance program and risk management solutions.

Since starting in 2013, KBI is constantly growing and becoming a leader in the Australian market. Our primary point of difference is that we don’t try to be all things to all people. We work in niche areas, where we can tailor an offering, advice and broker support to meet the specific area’s needs.