Decision to pay cyber ransom should remain with victim: ICA
The decision whether to pay a cyber attack ransom should remain with the victim organisation, an Insurance Council of Australia (ICA) submission on development of the 2023-2030 Australia Cyber Security Strategy says.
The Federal government is seeking feedback on the development of the strategy after Prime Minister Anthony Albanese led an expert roundtable earlier this year focused on making Australia “the most cyber secure nation”.
ICA CEO and MD Andrew Hall "strongly encouraged” the government to consult further with the insurance industry before taking a definite position to ban ransom payments.
“Banning ransom payments by businesses and/or reimbursements by insurers may have other unintended consequences which we suggest warrant careful consideration,” the ICA submission said.
“An outright ban may disproportionally affect smaller entities and may significantly impact their ability and capacity to recover and return to operation.
“While paying ransoms can contribute to a criminal business model, it must be recognised that no organisation wants to be extorted and the decision to pay a ransom is largely a function of the cost of recovery and remediation being higher than the ransom demand.”
The ICA recommended strengthening cyber security standards and disclosure regimes, reporting and sharing of ransomware incidents, tougher penalties and enforcement against cyber criminals, and greater international co-operation and coordination of financial sanctions regimes and information sharing.
It says a multi-faceted approach should aim to reduce the underlying drivers, limit their impact and ensure business resilience.
"The current practice for cyber insurance is that the decision to pay or not pay a ransom is made by the client. Moreover, any ransom payment is made by the victim, not the insurer and may be reimbursed, subject to the limits of the policy and compliance with sanction policies,” it said.
Protecting a business’ cyber assets and backing-up data remain the greatest protection against the loss of data, the ICA says, and early notification to regulators and government of ransom attacks and information sharing with the wider eco-system help protect against future attacks.
As ransom payments are frequently requested in cryptocurrency, greater regulation of crypto assets should be considered as part of the solution to deter attacks.
The ICA also welcomed government initiatives that improve firms’ cyber risk posture and that “these initiatives would in turn likely improve availability of cyber insurance”.
An Expert Advisory Board to advise the government on development of the national cyber strategy is chaired by former Axa Asia Pacific Holdings and Telstra CEO Andrew Penn. On the board are former Air Force chief Mel Hupfeld and CEO of the Cyber Security Cooperative Research Centre Rachael Falk.