IAG, QBE and Marsh insurance brokers have told a House of Representatives committee that they largely back potential parliamentary action to ban insurance payments to businesses making ransomware payments to cyber criminals, according to a report in the Australian Financial Review (AFR).
The AFR said the federal government is considering mandatory reporting of ransom payments, while the opposition has introduced a private member’s bill that will also require companies to inform the government if they pay ransoms.
The report said the recent rise in ransomware incidents, such as the $US4.4 million ($5.8 million) paid by Colonial Pipeline in America and $US11 million by global meat group JBS, has focused attention on insurance payments.
“It seems pretty clear to me that allowing insurance to reimburse for ransoms just incentivises criminal behaviours, while also increasing premiums for other cyber risks and should be outlawed,” said Liberal MP Tim Wilson.
IAG Chief Executive Nick Hawkins believes insurance covering cyber ransom payments is an area likely to change significantly in coming years. Responding to questioning by Wilson, Hawkins said a government ban on payments made sense.
“Directionally, that sort of sounds sensible. That’s what has been happening in Europe, or in France at least,” said Hawkins. Asked by Wilson if he agreed it would be better not to incentivise this behaviour, Hawkins replied, “Yes, I can’t see any reason what you say wouldn’t be a good idea.”
Scott Leney, Head of Risk for Asia at Marsh, told the hearing that the cyber insurance market was “very challenged” by heightened risk. The consequence of the rising usage of ransomware could be withdrawal of coverage or a significant increase in premiums.
Marsh’s Head of Financial and Professional Liability, Craig Claughton, said most of the company’s clients are “terribly concerned” about ransom demands being made on them. “Insurers are equally concerned. We are seeing them starting to limit the form of cover they are willing to provide, and I wouldn’t be surprised in the not-too-distant future that it disappears completely. If it is made illegal it may assist that moving forward much more rapidly,” he said.
QBE Australia Chief Financial Officer Christopher Esson supported further review of the practice of insuring ransom payments, while Insurance Council of Australia Chief Executive Andrew Hall said ransomware demands are an “increasingly complex and challenging area”.
“The debate that is happening globally around cyber is very similar to the same issues that arose 20 years ago post-9/11 with terrorism. While there is impact on business and the like, if there is a motive of terrorism and the like sitting behind it, then that represents a big challenge for the insurance pool,” Hall said.