A growing ransomware threat is driving change in the Australian cyber insurance market


Overview: The Australian Ransomware Action Plan

 

The Australian Ransomware Action Plan builds on existing cybercrime prevention measures, including education campaigns and support services. The Minister of Home Affairs, The Hon Karen Andrews MP, says:

 

The Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances.

The newly proposed measures include:

 

  • Mandatory ransomware incident reporting for businesses with an annual turnover greater than $10m.
  • A standalone offence for cyber extortion with an increased maximum penalty.
  • A second standalone offence with a higher maximum penalty for cybercriminals who target critical infrastructure.
  • Making it illegal to knowingly deal with stolen data as part of committing a separate criminal offence.
  • Making it illegal to buy or sell malware for use in cybercrimes.
  • Giving law enforcement agencies better ability to track and seize cybercriminals’ cryptocurrency transactions.

 

 

Overview: Underwritten or Oversold — The CSCRC’s Policy Paper on Cyber Insurance

 

The CSCRC is a government-funded organisation that undertakes cybersecurity research in collaboration with relevant industry members, academics and the government. CSCRC CEO Rachael Falk co-authored their paper on cyber insurance. She says:

 

This policy paper explores a number of issues related to cyber insurance, with a focus on how it can hinder and help cyber security uplift across the Australian economy.

The paper’s key findings are:

  • Australia should ban insurance companies from including ransomware extortion payment cover in their cyber insurance policies.
  • Insurers should provide greater transparency around what cyber insurance policies cover and exclude.
  • Insurers should require businesses to meet minimum cyber protection standards before a policy is issued.
  • Insurers should work with telecommunications companies, cloud service providers and software providers to increase insurance uptake by bundling products together.

 

 

Why has the CSCRC suggested a ban on ransomware payment cover?

 

The CSCRC argues that insurers are “unintentionally feeding the ransomware epidemic” by providing ransomware payment cover. Falk says:

 

We believe the payment of ransoms by insurers is helping drive the illicit ransomware trade – what is vital when it comes to ransomware and cyber insurance is that we start to starve out the cyber criminals and break the payment chain by stopping insurers paying the ransom.

The report also argues ransomware payment cover may lead organisations to be lax about cyber security.

 


 

Is banning ransomware cover the answer?

 

Since the CSCRC released its paper, questions have been raised around the efficacy and fairness of banning ransomware payment cover. Objections to such a ban include:

 

i. Insurance is not always a deciding factor in ransom payment decisions

 

A 2021 IDC survey suggested that 43% of Australian businesses would “probably pay” in the event of a “widespread ransomware attack” that “significantly hampers” operations, even if insurance was not in place.

 

ii. There are other effective ways that insurers can encourage businesses to take cyber protection seriously.

Several other ideas mentioned in the CSCRC’s report encourage businesses to step up their cyber policies without removing insurance protection. Examples include requiring businesses to meet a minimum cyber security standard before having insurance, offering insurance premium incentives for solid security practices and providing free risk assessment tools.

iii. Banning ransomware payment cover will take the option of paying a ransom off the table for some businesses.

The Ransomware Action Plan makes it clear that the Australian government does not condone ransomware payment. But it does not go as far as making payment illegal.

 

For many businesses, paying a ransom demand is the only realistic option available. This includes organisations that cannot recover their systems by other means, that are at risk of bankruptcy unless they take immediate action, or that suffer attacks on systems critical to the immediate personal safety of their staff or customers.

 

 

Is a ban on ransomware payment cover likely?

 

“It’s hard to say,” explains KBI’s lead cyber insurance broker Tyler Speers. He notes that Australia is not the only country looking into this sort of ban. He says:

 

As the cost and frequency of ransomware attacks grows, the risks associated with providing ransomware cover have begun to push the risk appetite of many insurers. As brokers, we are beginning to see restrictions on ransomware payment cover in Australia. Internationally some insurers, like AXA France, have voluntarily ceased ransomware payment cover, but it is unclear how other insurers will respond to these changes.

 

For insurers who have enacted (or are considering enacting) limitations on ransomware cover, a market-wide ban would help ensure their policies will not lose competitiveness. However, not all insurers will necessarily share this view.

For concerned businesses, Speers adds that the best thing to do is strengthen your cyber security policies.

 

We don’t know how the cyber insurance market will change over the next 12 months. But there are three things we do know. Firstly, changes are likely. Secondly, changes will almost certainly favour businesses with robust cyber protections and ransomware attack plans in place. And thirdly, in any circumstance, the best way to prevent issues with ransomware payment is to prevent attackers from gaining access to your systems in the first place.

 

How do I protect my business from a ransomware attack?

 

The CSCRC suggests that a best-practice cyber security checklist for SMEs includes:

  • Clear policies around system access, downloads, emails and third-party devices (like USBs).
  • Regular staff cyber security training
  • Regular onsite and offsite data backup
  • Regular data backups
  • Up-to-date antivirus software
  • A patching program
  • A strong password policy
  • Multi-factor authentication
  • Strong access management

 

KBI suggests that you also have:

  • An existing connection with a team of experts, including experts on cyber security, cyber law & cyber insurance.
  • A solid incident response plan

 

What should my incident response plan include?

 

A good ransomware incident response plan helps you respond quickly to cyber attacks by providing clear and detailed instructions for dealing with an attack.

 

We suggest that your plan incorporate:

 

  • A team of experts
    As well as relevant internal parties, you should create your plan in consultation with a legal expert, a risk manager, a cyber insurance broker, a cybersecurity expert and a cyber security forensic service provider.

 

  • A policy around the payment of ransom demands
    If an attacker takes over your operating system, will your business pay ransom demands? If so, in what circumstances? Considerations might include whether you can restore data, what data the attackers have accessed and whether the ransom cost exceeds the recovery cost.

 

  • An immediate response plan
    Who is on your response team? Who will you need to contact? If you will consider paying the ransom, how will you get the information you need to decide? Who will decide? Who will need to sign the decision off?

 

  • A ransom payment plan
    If you decide to pay the ransom, who will negotiate it and organise the payment? Who will ensure the payment is legally compliant? What information will they need to do this? How long will it take? What will you do after the ransom is paid?
  • A ransom non-payment plan
    Will you attempt to restore your operating systems, encrypted data and encrypted files from backup or break the encryption? If both, which one is the priority? Who will you contact? What will they need to do? How long will it take?

 

  • Full sign off from your board

  • Don’t forget to check (and document):

    • The possible legal implications of your plan.
      Your legal expert can help with this.

    • The way your plan interacts with your cyber insurance.
      Does it take the best advantage of your available cover? Does it trigger any exclusions?

    • Whether parties involved in your plan have the necessary permissions.
      Has your insurer approved the third parties who will be helping guide your response? Is the person who will contact your lawyer authorised to do so? Is the person who will pay the ransom authorised to do so?

 

Key takeaways

 

  • The Australian Government is taking action against ransomware attacks.
  • The CSCRC has suggested that their plan include major changes to cyber security insurance.
  • The CSCRC recommendation for a ban on ransomware payment cover has met with objections but may still be implemented.
  • In any case, we advise businesses to step up their cyber security practices, talk to their broker about insurance cover & make a solid plan for ransomware attacks.

 

To talk to a broker, or find out more about cyber insurance, visit our cyber insurance page.

 
