A global, insurance-focused law firm is encouraging insurers to prepare for the likelihood that cyber ransoms will soon become part of the government’s sanctions regime. In November, the government announced it would consider making the paying of ransoms to cyber criminals illegal.
“Where you have cyber policies and ransoms being paid out under cyber policies, that could be an area of exposure,” said Avryl Lattin, Clyde & Co partner and expert in the insurance, trade and commodities sectors.
Sydney-based Lattin said cyber attacks already come under Australia’s autonomous sanctions regime. Under a proposed overhaul of Australia's Autonomous Sanctions Act 2011, firms that suffer a ransomware attack could be prohibited from making ransom payments.
The new government’s proposal is in line with the former government’s Ransomware Action Plan that adopted a zero-tolerance approach to cyber criminals demanding ransoms.
“Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” said former Minister for Home Affairs Karen Andrews.
“At the end of 2021 the government introduced a thematic sanctions regime,” Lattin said. She said this regime – called the Autonomous Sanctions Amendment Act 2021 – was modelled on US sanctions law known as the Global Magnitsky Human Rights Accountability Act.
Malicious cyber activity already comes under the thematic sanctions regime, together with a range of other areas including weapons of mass destruction, threats to international peace and serious abuses of human rights.
“We’re working closely with our cyber incident team to help companies look at cyber attacks and have insurers who might be insuring the cost of such attacks think about the sanctions risk in the ransom payment,” said Lattin.
Another sanctions issue Clyde & Co would like to flag: the government could soon start actively prosecuting firms that breach the sanctions regime.
“We've just had one year of Russia’s invasion and the sanctions regimes have gradually increased over that 12-month period in Australia and other jurisdictions as well,” Lattin said.
She said the US often leads when it comes to sanctions enforcement actions.
“At the end of last year, we did see the Department of Justice start to pick up companies that were trying to evade Russia-related US sanctions and export controls,” Lattin said.
She said those actions have largely targeted front companies trying to hide sanctions breaches by trans-shipment through different jurisdictions.
“This is definitely a corporate enforcement action that we would expect in Australia as well,” Lattin said. However, these enforcement actions could still be a couple of years away.
“The Australian Sanctions Office (ASO) anticipates that in the next 18 months to two years we will see enforcement action by the ASO and prosecution through the AFP [Australian Federal Police] and the DPP [Director of Public Prosecutions] – but that would be the first time body corporate actors have been charged with breaching sanctions offenses,” Lattin said.
She said most insurers already have risk assessment practices in place to deal with sanctions exposure.
“They’re taking it into account in their underwriting processes and their payment of claim payments and any other payments,” Lattin said.
However, she suggested some industry coverage areas will need extra scrutiny.
“I think the important thing will be in policies like marine, cargo and trade credit where some of the fronting companies might be exposed to sanctions breaches, and that could potentially flow through [to insurers],” she said.
In April last year, Insurance Business interviewed underwriter Ben Webster, founder of the website and software application SanctionsCheck.co.
“Essentially, what it is [SanctionsCheck.co], is making sure that you’re not binding a policy, or paying out a claim or refunding premium to someone who’s on the sanctions list,” he said.
Webster said his offering is more cost-effective than many other checking options and a streamlined option designed for the insurance industry.
SanctionsCheck.co aggregates and checks all the publicly available lists, Webster said. The US, the United Nations and the World Central Bank all publish sanctions lists. DFAT (Department of Foreign Affairs and Trade) publishes a consolidated version. Thousands of individuals and entities – including many from Russia – are listed.