Major insurance companies are urging the government to outlaw reimbursements to companies making ransomware payments to cyber criminals on the basis that these payments act as a perverse incentive.
IAG chief executive Nick Hawkins claimed cyber insurance covering ransom payments was “an area that is likely to see a significant change in coming years.”
“Though IAG covers businesses hit by cyberattacks for matters including losses due to the disruption and hiring consultants to alleviate the issues, its insurance also extends to reimbursement of payments made to criminals as part of ransomware attacks, or similar,” Hawkins said, as reported by the Australian Financial Review (AFR).
“The way it also works, and this is standard in the industry, is that none of those payments can contravene any laws,” he continued. “If there are any acts in any country that you're contravening by making that payment, then that is exclusion, and that payment is not allowed to be made.”
Read more: Revealed: Ransomware attacks surge in 2021
Liberal MP Tim Wilson claimed allowing insurance to reimburse ransom payments only “incentivises criminal behaviours” – highlighting that the practice has become common despite organisations such as the FBI and the Australian Cyber Security Centre discouraging companies from paying cyber criminals.
“It seems pretty clear to me that allowing insurance to reimburse for ransoms just incentivises criminal behaviours, while also increasing premiums for other cyber risks and should be outlawed,” Wilson said, as reported by AFR.
Hawkins aired the same thoughts, saying: “Directionally, that sort of sounds sensible. That's what has been happening in Europe, or in France at least.”
Scott Leney, the head of risk for Asia at Marsh, told the House of Representatives committee that the cyber insurance market was “very challenged” due to heightened risks – with insurance companies withdrawing coverage and increasing premiums significantly.
Craig Claughton, the head of financial and professional liability at Marsh, added: “Most of our clients are terribly concerned about ransom demands being made on them. Provided it's not in breach of any laws, insurers are willing to provide cover for ransom demands.
“Insurers are equally concerned. We are seeing them starting to limit the form of cover they are willing to provide, and I wouldn't be surprised in the not too distant future that it disappears completely.”