Aussie officials: Cyber insurance should not cover ransomware attacks

Cyber Security Cooperative Research Centre (CSCRC) chief executive Rachael Falk and director of corporate affairs and policy Anne-Louise Brown have said that cyber insurance should not cover ransom or extortion payments. 

In a policy paper focusing on how cyber insurance can hinder or help cyber security in Australia, authors Falk and Brown found that some cyber insurance policies explicitly offer coverage for extortion and ransom payments.

“This is problematic, serving to feed the criminal enterprise of ransomware gangs, especially those that prey on insured organisations,” they said – noting an incident overseas involving ransomware criminals who accessed systems to look for insurance certificates, then demanded ransom payment of the specific amount covered by the insurer.

Other ransomware criminals have also hinted at targeting insurers, with a representative from ransomware gang REvil telling a reporter that it aims to “hack the insurers first to get their customer base and work in a targeted way from there. And after you go through the list, hit the insurer themselves.”

Read more: Can machine learning save the insurance industry from cyberattacks?

The authors argued that cyber insurance should not be seen as an organisation cyber security strategy, nor should insurers be permitted to pay extortion payments – a trend that has not only fuelled the ransomware trade but also placed extraordinary pressure on the viability of the cyber insurance industry itself.

Therefore, the authors recommended:

• Prohibiting insurers offering cyber insurance policies from making any ransom or extortion payments as part of any cyber insurance offering. Instead, organisations should focus on response and recovery.
• The Australian Prudential Regulation Authority (APRA) should provide regarding the management of cyber insurance underwriting risk. It should also require insurers to clarify what is and is not covered and where exclusions may apply.
• Insurers should develop a cyber security best practice guidance checklist for small- and mid-size enterprises (SMEs), setting out the minimum cyber security settings and policies they should have in place when seeking cyber insurance.
• Insurers should work with telecommunications providers, cloud services, and software providers to provide “bundled packages.”