Clearer Australian laws and international cooperation to crack down on criminals are among the actions needed in response to the rising ransomware threat, says Nicholas Blackmore, Kennedys partner and cyber insurance legal specialist.
Mr Blackmore says there is a need to identify and sanction threat actors so that they face consequences for crimes and do not benefit from ransom payments received.
“We need to achieve that through some degree of international cooperation and pressure,” he said at the Australasian Professional Indemnity Group (APIG) conference. “There have been some successes, and more are yet to come.”
Accomplishments included the FBI reclaiming bitcoin payments following last year’s ransomware attack on the US Colonial Pipeline.
Incentivizing cybersecurity is important, Blackmore says, and governments and technology providers have a role to play. In the case of insurance, in a hardening market, there has been a greater focus on requiring customers to strengthen their defenses to get coverage, he says.
“People actually need to think about their security before purchasing cyber insurance, and that’s an incredibly positive thing.”
More support is needed to help victims of cybercrime, especially SMEs that don’t have access to IT departments, and there could be a system for mandatory reporting of associated ransomware payments, he said.
In Australia, ransomware duress payments can be legal if certain conditions under the Criminal Code are met and the payee is not on a sanctions list.
The code aims to prohibit the payment of funds used to commit a crime, but the defenses that allow payment involve a reasonable belief that the threat will be carried out if the money is not paid and that the payment is an “appropriate response” to the threat.
“We have laws, but none of them are designed specifically for ransomware,” Mr Blackmore said. “We need more specific legislation and we need guidance from the government.”
Recently, it was suggested that the federal government should set up a cyber panel based on the model of the takeover committee, which could decide on payments in specific situations.
“It’s an interesting idea, I don’t know if it could react quickly enough, but it’s a good idea,” Mr Blackmore said.
The APIG conference, which returned this year after a two-year hiatus, took place in Sydney last week.
Topics covered also included emerging risks and trends in medical compensation, post-Covid market conditions and the class action environment.
Susie Amos, head of Finity Consulting, says the entire professional liability and directors and officers class has likely met insurers’ profitability targets, but the achievement may be short-lived.
Headwinds include economic instability, increased capacity and regulatory changes, although a more focused approach and sophisticated pricing may indicate market discipline.
“It’s a really positive sign, but some new entrants definitely mean that competition will increase and it will be harder to keep prices at the required levels,” she said.