NewsBite

Insurance Council: Banning paying a ransom to cyber hackers is counter-productive

Insurance Council boss Andrew Hall says a proposed government ban on paying ransoms to cyber hackers is not appropriate.

Banning the payment of ransoms to hackers could force the issue “underground”.

The peak body for insurers says attempts to ban businesses from paying ransoms for cyber attacks risk eroding trust and relationships with government.

In a speech to the Clyde and Co Australia Cyber Summit, the head of the Insurance Council of Australia said more work was needed to protect businesses from the threat of hacking.

ICA chief executive Andrew Hall said last Tuesday’s federal budget announcement of $23.4m funding for the small business cyber warden program would go some way to addressing the issue.

But he said it was critical the program was delivered “efficiently and genuinely achieves positive outcomes, at scale”.

“There is significant opportunity for industry to partner with the government on demystifying cyber security for the small business community,” Mr Hall said.

“Given this, we encourage the government to consult further on the implementation of the program.”

Mr Hall said the ICA wanted the government to remove or streamline duplicated obligations around reporting cyber breaches, and replace them with a single portal allowing businesses to disclose hacks.

“Reduced reporting obligations will allow businesses to effectively direct resources towards responding to an attack, rather than meeting multiple but similar reporting requirements,” he said.

However, Mr Hall said the ICA was concerned about proposals to ban the paying of ransoms for cyber attacks.

Insurance Council of Australia chief Andrew Hall.

Mr Hall said ransomware would “remain a feature of the global economy as the scale of digitisation grows”.

“While we can limit the effectiveness and frequency of cyber attacks through increasing firms’ basic cyber hygiene, they will continue,” he said.

“Ultimately, and regardless of insurance coverage, the decision for a business to pay or not pay a ransom is a decision for the business.

“Business leaders will weigh up all the associated costs and risks, and make a decision in the best interest of their company and stakeholders.”

The boss of the ICA, which represents almost all major insurers in Australia, said banning ransom payments would “limit the ability of some firms to recover from a cyber attack” and potentially cause a perverse outcome driving “reporting of attacks and payments underground”.

“This in turn erodes trust and the broader relationship between industry and government at the exact moment that greater co-operation is needed,” he said.

“There are other policy levers government can deploy to ward off cyber criminals – including increased penalties and crypto-asset regulation.”

Mr Hall said business leaders must understand that paying a ransom “may not see the return or decryption of stolen assets”, noting some insurance policies might not cover the ransom costs.

“Nobody wants to be extorted and contribute to a criminal business model but without access to digital assets in a digital economy, a business’ survival is threatened,” he said.

“It is an ugly truth that the decision to pay a ransom is a function of this reality.”

Australian companies have been grappling with a number of high-profile cyber attacks and intrusions that have resulted in hackers stealing valuable customer data.

As a result of the hack of telco Optus in October last year, the personal data of nearly 10 million Australians was stolen.

Credit provider Latitude was hit by a hack in March and the details of almost 14 million customers were stolen.

David Ross, Journalist

David Ross is a Sydney-based journalist at The Australian. He previously worked at the European Parliament and as a freelance journalist, writing for many publications including Myanmar Business Today where he was an Australian correspondent. He has a Masters in Journalism from The University of Melbourne.


Original URL: https://www.theaustralian.com.au/business/insurance-council-banning-paying-a-ransom-to-cyber-hackers-is-counterproductive/news-story/d270539f7926651e962bb099967f2644