Two major reports last week criticised the payment of ransoms to cyber criminals, putting pressure on the insurance industry for reimbursing clients under attack.

A study from the Cyber Security Cooperative Research Centre (CSCRC) says coverage for extortion and ransom payments in many cyber policies is problematic, “serving to feed the criminal enterprise of ransomware gangs, especially those that prey on insured organisations”.

“While ransomware payment should not be criminalised, there is merit in moves to ban the payment of ransoms by insurance providers,” the report says.

“While this may be an area where government regulatory intervention is required, individual insurers could choose to exclude these payments from insurance policies and provide greater focus on remediation and business continuity expenses.”

The report also warns that insurance is “not a cyber security silver bullet” and should be part of a package of measures.

“When it comes to cyber insurance, while there are positives, there are also pitfalls and perils,” it says.

“There is potential for organisations holding cyber insurance to be lax in their approach to managing cyber security.”

The CSCRC is a collaboration between industry, government and academia and in 2018 was awarded $50 million in Commonwealth funding over seven years.

The report makes four recommendations: ban insurers from making ransom payments; have the prudential regulator outline expectations on the management of cyber insurance underwriting risks; have insurers develop a best practice checklist for SMEs; and require insurers to work with telecommunications providers, cloud services and software providers to offer bundled cyber security packages.

Also published last week was the Federal Government’s Ransomware Action Plan, which outlines the powers Australia will use to combat ransomware after the nation experienced a 15% rise in attacks reported to the Australian Cyber Security Centre in the past 12 months.

“The Ransomware Action Plan takes a decisive stance – the Australian Government does not condone ransom payments being made to cybercriminals,” Minister for Home Affairs Karen Andrews said.

The Department of Home Affairs says cyber security incidents cost the Australian economy $29 billion annually, or 1.9% of gross domestic product. The threat is increasing in scale, frequency and sophistication and likely to rise as the number of connected devices grows.

Paying ransoms is no guarantee of access to locked systems or sensitive data, Ms Andrews says, and may open the victim up to repeat attacks.

“Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk. We need to ensure that Australia remains an unattractive target for criminals and a hostile place for them to operate.”

The plan outlines legislative reform aimed at further criminalising ransomware and ensuring law enforcement can track, seize or freeze ransomware crime proceeds to keep Australia a “hard target” for cybercrime gangs.

The reforms include introducing mandatory ransomware incident reporting to the Australian Government, an offence for all forms of cyber extortion, an aggravated offence for cybercriminals seeking to target critical infrastructure, and modernising legislation to ensure that cybercriminals are held to account for their actions, and law enforcement is able to track and seize or freeze their ill-gotten gains.

See Analysis.