Companies that offer insurance in Australia to cover network attacks, including ransomware incidents, should be prohibited from making any ransom or extortion payments, the Cyber Security Co-operative Research Centre says.
A paper written by Rachael Falk, chief executive of the organisation, and Anne-Louise Brown, its director of Corporate Affairs and Policy, listed this as one of its conclusions after a brief examination of how cyber insurance was working out in other parts of the world.
Falk and Brown said assistance from an insurer should be limited to functions that covered response and recovery.
They found it troubling that some cyber insurance policies in Australia explicitly offer coverage for extortion and ransom payments.
“Most importantly, cyber insurance should not be seen as an organisational cyber security strategy – a panacea to any incidents that may occur,” they said.
“Nor should insurers be permitted to pay extortion payments, a trend which has not only fuelled the ransomware trade, but also placed extraordinary pressure on the viability of the cyber insurance industry itself.”
That said, people will do this when they eventually discover some of the ransomware aligned folks are outside Russia. pic.twitter.com/HKosYQvOhq
— Kevin Beaumont (@GossiTheDog) October 11, 2021
The report made no mention of the fact that practically all ransomware attacks target systems running Microsoft’s Windows operating system. Ransomware for other operating systems such as macOS, iOS, Linux and the BSDs is known to exist, but it has so far rarely figured in any major ransomware attack.
Falk and Brown said little was known about ransom brokers, companies that offer to negotiate between ransomware victims and the ransomware gangs that stage the attacks.
“These brokers are hired — sometimes by insurance companies — to negotiate ransom payments and pay ransoms in bitcoin,” they wrote. “There is no regulation of such brokers and, concerningly, the legality of their role in the ransomware economy, and their very business model, is questionable.”
“In the US, where ransomware brokers operate more visibly, some have spoken about their trade. However, opaqueness reigns. For example, in an interview with Forbes, a negotiator and broker from Coveware would not ‘give much away about his negotiating tactics’, while insisting the firm had ways to glean information about attackers to determine whether payment was in breach of US sanctioned entity laws.
“In a separate interview, a broker from MonsterCloud said ‘we work in the shadows’ and use dark web contacts to facilitate negotiation and payment.”
Other conclusions from the report:
- APRA, like the prudential regulator in the UK, should provide guidance outlining its expectations regarding the management of cyber insurance underwriting risk. Such guidance should also require insurers to clearly articulate what is and is not covered, and where exclusions may apply.
- Insurers should work together to develop a Cyber Security Best Practice Guidance Checklist for SMEs, setting out the minimum cyber security settings and policies they should have in place when seeking cyber insurance. This could help improve SME cyber security and reduce risk for insurers.
- Insurers should work with telecommunications providers, cloud services and software providers to provide ‘bundled packages’. Such partnerships could be incentivised by the Federal Government, which could support pilots of such packages.