The federal government is considering banning insurance reimbursements for companies opting to make ransomware payments, as the Opposition pushes for a mandatory notification scheme around these attacks.
A House Committee inquiry last week heard from a number of Australian insurance companies, with Chair and Liberal MP Tim Wilson investigating insurance reimbursements for ransomware attack payments and the potential to make this illegal.
Several of the insurance companies confirmed they do offer some coverage for companies making a ransom payment following a cyber-attack, and that these attacks are occurring far more frequently recently.
Following the hearing, Mr Wilson said he would back legislation outlawing insurers making payouts to companies subject to a ransomware payment.
“It seems pretty clear to me that allowing insurance to reimburse for ransoms just incentivises criminal behaviours, while also increasing premiums for other cyber risks and should be outlawed,” Mr Wilson said.
Insurance Australia Group CEO Nick Hawkins told the committee that the company does offer coverage for cyber-attacks and ransomware payments currently.
“If there is a cyberattack on a business…we would cover that claim to a certain extent. If part of the cost ends up being some sort of cost to the negotiation and consultants and even potentially a ransom, my understanding is that that is of the coverage,” Mr Hawkins said.
“None of those payments can contravene any laws. So if there is any sort of suggestion that payments are money laundering or if there are any acts or laws in the country that don’t allow it or that you are contravening by making this sort of payment, then that is an exclusion and that payment is not allowed to be made.”
Mr Hawkens said that the prospect floated by Mr Wilson of banning insurance payouts for ransomware payments “sort of sounds sensible”.
“Anything to incentivise this topic would be better, so yes, I can’t see any reason why what you suggested wouldn’t sound like a good idea,” he said.
Marsh managing director Craig Claughton also confirmed the company insurers against ransomware payments, and that these demands have increased “fairly significantly” in the last 18 months.
“Most of our clients are terribly concerned about ransom demands being made upon them, so they’re looking for us to arrange cover if it’s available. Obviously, an insurance contract can’t do anything that’s against the law but, at the moment, provided it’s not in breach of any laws, insurers are willing to provide cover for ransom demands,” Mr Claughton said.
There is a risk that this will incentivise ransomware attacks against Australian businesses, QBE Insurance Australia chief financial officer Chris Esson told the MPs.
“We’re very conscious here of the risk that the availability of insurance for ransom might drive attacks. We do note that there’s a need to balance that against the fact that a ransom attack can be very possible for business, which is part of the market in which we operate,” Mr Esson said.
“But we do suggest that these considerations need to be carefully balanced, and it would be an appropriate area to do more review.”
Shadow assistant minister for cybersecurity Tim Watts criticised the fact the policy proposal was coming from Mr Wilson rather than the responsible ministers.
“The leadership vacuum left by the Morrison government on ransomware is now being filled by its own backbenchers,” Mr Watts told InnovationAus.
“The Morrison government missed every opportunity to act while ransomware escalated to a crisis point. It needs to show leadership now.”
Mr Watts last week introduced a private members bill to the lower house which would launch a mandatory notification scheme for ransomware attacks, with companies subject to such an attack having to inform authorities about it before making a payment to the attackers.
“Mandatory notification of ransomware payments is a sensible foundation for government action against ransomware. If the Morrison government wants to get serious about fighting ransomware it can support Labor’s private members bill introducing a mandatory payment notification scheme in the next sitting of Parliament,” Mr Watts said.
Home Affairs minister Karen Andrews has said she is “open to exploring” the proposal, with the legislation set to be debated in August.