The Insurance Council of Australia has warned the government to tread carefully in its contemplation of an outright ban on paying ransoms and extortion demands in data breach incidents.
The council also wants the federal government to simplify and “harmonise” cyber security requirements on business, while it contemplates drafting a specific Cyber Security Act.
It made the comments in a submission [pdf] to the 2023-2030 Australian Cyber Security Strategy consultation, which closed at the end of last week.
CEO and managing director Andrew Hall wrote that the insurance industry had a stake in cyber security, since it insures businesses against losses from incidents.
Insurers take into account the security posture and protections firms have in place when deciding whether or not to cover them.
“As part of the underwriting process, insurers often examine an organisation’s cyber defences, identify vulnerabilities and provide guidance on how to strengthen cyber security,” Hall wrote.
“The Insurance Council would welcome government initiatives that improve firms’ cyber risk posture.
“These initiatives would in turn, likely improve availability of cyber insurance.”
On the issue of ransomware payments, the council argued that banning them outright is a “complex policy issue”, and that the response to ransomware needed to be more nuanced and multi-faceted.
“The Insurance Council notes that the current practice for cyber insurance is that the decision to pay or not pay a ransom is made by the client,” it said.
“Moreover, any ransom payment is made by the victim, not the insurer and may be reimbursed (in part or full), subject to the limits of the policy and compliance with sanction policies.”
While acknowledging the argument that ransom payments “contribute to a criminal business model”, the council said the decision to pay “is largely a function of the cost of recovery and remediation being higher than the ransom demand.”
“The Insurance Council strongly encourages the government to consult further with the insurance industry before taking a [definite] position to ban ransom payments,” it said.
“In the meantime, the decision to pay a ransom or not should remain with the victim organisation.
“Banning ransom payments by businesses and/or reimbursements by insurers may have other unintended consequences which we suggest warrant careful consideration.”
Elsewhere in its submission, the council urged government to build trust with industry to encourage cooperation in incident response.
It also said that, while it is “not opposed” to a specific Cyber Security Act, non-legislative harmonisation of existing regulations could achieve a lot before new legislation needs to be considered.
“The government should avoid creating an additional layer of obligations which is likely to create further complexity and a lack of clarity in terms of interactions with existing legislation and regulation,” the council said.
“Practically, the insurance industry would be disappointed in the creation of a new Act which duplicated ongoing APRA [Australian Prudential Regulation Authority] regulation.”