A Growing Ransomware Threat is Driving Change in the Australian Cyber Insurance Market
According to Cybersecurity Ventures, ransomware attacks are expected to occur every 11 seconds at a combined cost of over $20bn in 2021. Australia’s wealth and strong online presence mean that a disproportionate number of these attacks will be targeted at Australian businesses. This quarter saw the release of two critical reports aimed at protecting Australians from ransomware threats.
➤ The Australian Government’s Ransomware Action Plan
The Department of Home Affairs released a plan for preventing and responding to ransomware attacks. The government aims to make Australian businesses a less palatable target for attackers by making attacks less profitable and easier to prosecute.
➤ The Cyber Security Co-Operative Research Centre’s (CSCRC) Policy Paper on Cyber Insurance
The CSCRC’s paper recommends the prevention of ransomware attacks through significant changes to the cyber insurance market. It includes the controversial recommendation that Australia ban insurance cover for ransomware extortion payments.
In this article, we will discuss the changes proposed by each report, including their possible impact on your business. We will pay particular attention to the potential ban on ransomware payment cover and how your business can prepare.
Overview: The Australian Ransomware Action Plan
The Australian Ransomware Action Plan builds on existing cybercrime prevention measures, including education campaigns and support services. The Minister of Home Affairs, The Hon Karen Andrews MP, says:
The Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.
Overview: Underwritten or Oversold — The CSCRC's Policy Paper on Cyber Insurance
The CSCRC is a government-funded organisation that undertakes cybersecurity research in collaboration with relevant industry members, academics and the government. CSCRC CEO Rachael Falk co-authored their paper on cyber insurance. She says:
This policy paper explores a number of issues related to cyber insurance, with a focus on how it can hinder and help cyber security uplift across the Australian economy,
We believe the payment of ransoms by insurers is helping drive the illicit ransomware trade – what is vital when it comes to ransomware and cyber insurance is that we start to starve out the cyber criminals and break the payment chain by stopping insurers paying the ransom.
The report also argues ransomware payment cover may lead organisations to be lax about cyber security.
Is banning ransomware cover the answer?
Since the CSCRC released their paper, questions have been raised around the efficacy and fairness of banning ransomware payment cover. Objections to banning ransomware payment cover can include:
i. Insurance is not always a deciding factor in ransom payment decisions
A 2021 IDC survey suggested that 43% of Australian businesses would “probably pay” a “widespread ransomware attack” that “significantly hampers” operations, even if insurance was not in place
ii. There are other effective ways that insurers can encourage businesses to take cyber protection seriously.
Several other ideas mentioned in the CSCRC’s report encourage businesses to step up their cyber policies without removing insurance protection. Examples include requiring businesses to meet a minimum cyber security standard before having insurance, offering insurance premium incentives for solid security practices and providing free risk assessment tools.
iii. Banning ransomware payment cover will take the option of paying a ransom off the table for some businesses.
The Ransomware Action Plan makes it clear that the Australian government does not condone ransomware payment. But it does not go as far as making payment illegal.
For many businesses paying a ransom demand is the only realistic option available. This includes organisations who fail to recover their systems in other ways, who are at risk of bankruptcy unless they take immediate action, and who experience attacks on systems critical to the immediate personal safety of their staff or customers.
Is a ban on ransomware payment cover likely?
“It’s hard to say,” explains KBI’s lead cyber insurance broker Tyler Speers. He notes that Australia is not the only country looking into this sort of ban. He says:
As the cost and frequency of ransomware attacks grows, the risks associated with providing ransomware cover have begun to push the risk appetite of many insurers. As brokers, we are beginning to see restrictions on ransomware payment cover in Australia. Internationally some insurers, like AXA France, have voluntarily ceased ransomware payment cover, but it is unclear how other insurers will respond to these changes.
For insurers who have enacted (or are considering enacting) limitations on ransomware cover, a market-wide ban would help ensure their policies will not lose competitiveness. However, not all insurers will necessarily share this view.
For concerned businesses, Speers adds that the best thing to do is strengthen your cyber security policies.
We don’t know how the cyber insurance market will change over the next 12 months. But there are three things we do know. Firstly, changes are likely. Secondly, changes will almost certainly favour businesses with robust cyber protections and ransomware attack plans in place. And thirdly, in any circumstance, the best way to prevent issues with ransomware payment is to prevent attackers from gaining access to your systems in the first place.
How do I protect my business from a ransomware attack?
The CSCRC suggests that a best practice Cyber Security Checklist for SMEs include:
KBI suggest that you also have
What should my incident response plan include?
A good ransomware incident response plan helps you respond quickly to cyber attacks by providing clear and detailed instructions for dealing with an attack.
We suggest that your plan incorporate:
Have any questions?
Talk to one of our Brokers today!
We are a specialist insurance brokerage with an emphasis on adding value to our clients by helping them make an informed decision. Our approach combines that of an insurance broker and consultant, where we focus on providing expert advice to our clients while customising their insurance program and risk management solutions.
Since starting in 2013, KBI is constantly growing and becoming a leader in the Australian market. Our primary point of difference is that we don’t try to be all things to all people. We work in niche areas, where we can tailor an offering, advice and broker support to meet the specific area’s needs.