Report urges ban on insurer-funded ransomware payments

A critical report released today says cyber insurers should be banned from making “ransom or extortion” payments, and suggests insured businesses could become complacent about cyber security.

The report, from the Cyber Security Cooperative Research Centre (CSCRC), also warns that insurance is “not a cyber security silver bullet” and should be part of a package of measures.

“When it comes to cyber insurance, while there are positives, there are also pitfalls and perils,” it says.

“There is potential for organisations holding cyber insurance to be lax in their approach to managing cyber security.”

The insurance industry has hit back – pointing out that clients make decisions on payment of ransoms, not insurers, and having access to insurer-provided experts gives the best possible chance of not having to pay a ransom.

The CSCRC is a collaboration between industry, government and academia and in 2018 was awarded $50 million in Commonwealth funding over seven years.

Today’s report makes four recommendations: ban insurers from making ransom payments; have the prudential regulator outline expectations on the management of cyber insurance underwriting risks; have insurers develop a best practice checklist for SMEs; and require insurers to work with telecommunications providers, cloud services and software providers to offer bundled cyber security packages.

Explicit coverage for extortion and ransom payments in many cyber policies needs to be addressed, the report says.

“This is problematic, serving to feed the criminal enterprise of ransomware gangs, especially those that prey on insured organisations.

“While ransomware payment should not be criminalised, there is merit in moves to ban the payment of ransoms by insurance providers.

“While this may be an area where government regulatory intervention is required, individual insurers could choose to exclude these payments from insurance policies and provide greater focus on remediation and business continuity expenses.”

Broker Marsh says it is not accurate to say that insurance fuels ransomware, and that only 15-20% of businesses globally purchase cyber cover.

“Ransomware attacks occur because hackers are very successful at what they do and enough businesses pay them to make it profitable for the criminals to continue,” Marsh Head of Cyber, Pacific, Kelly Butler told

“It could be argued that having insurance gives the client the best possible chance of not [paying] the ransom demand.

“It is our experience in dealing with ransomware events that the insurer is playing a critical role in creating structured pathways based on their extensive intelligence in dealing with these matters to ensure that payments are only made when absolutely necessary and are not breaching any sanctions imposed.”

The Insurance Council of Australia (ICA) says it supports measures which help businesses improve cyber security.

“Sensible measures such as cyber-risk health checks reduce the likelihood of a business becoming a victim and having to make a claim on its insurance cover,” a spokeswoman told

ICA says coverage provided by insurers for ransomware “varies across industry in line with each insurer’s risk appetite”.

It also says “such products will continue to evolve in line with community expectations and commercial considerations”.

“The ICA supports the reporting of ransomware payments which allows clearer identification of risk,” the spokeswoman said.

“Government policy guidance around ransomware coverage would enable the insurance industry to provide cyber cover aligned with the Government’s broader policy goals in this area.”

Click here to read the full Cyber Security Cooperative Research Centre report.