Should paying cyber ransoms be outlawed?
Should paying cyber ransoms be outlawed? | Insurance Business Australia
“I don’t think it’s a one size fits all scenario,” says Marsh head
‘Never pay a ransom’ says the website of the federal government’s Australian Cyber Security Centre (ACSC). However, there is currently no law against paying a cyber ransom. The government is deciding whether there should be as part of its development of a 2023-2030 Australian Cyber Security Strategy.
“In all honesty, I don’t think it’s a one size fits all scenario,” said Nic Martin (pictured above), when Insurance Business asked him what his firm advises – ‘pay? Or refuse to pay?’ – when a client suffers a ransomware attack. Sydney-based Martin is head of strategic risk consulting in the Pacific for the global brokerage Marsh.
“We are currently doing a lot of work when it comes to crisis management and ransomware with executive teams and boards of large Australian businesses across a number of sectors,” he said.
“What you find when you’re doing this is that there are a number of influencing factors.”
To pay, or not to pay?
Martin said one of those factors is whether the business has discussed this issue before an attack takes place.
“A lot of the time, the challenge is that they are having that conversation in the heat of battle,” said Martin. “That’s not the time to have that conversation.”
He said people within the same company can have very different views.
“You’ll have one person that will say, ‘We should pay because we just need to get our information back and protect our customers’,” said Martin. “Another view will be, ‘I don’t want to support a criminal organisation.’”
How much is the ransom?
He said another “really challenging” issue is the value of the ransom demand.
“If you think about the Medibank situation, the threat actor put a one dollar value on every record, so a total value of $10 million,” said Martin. “Now that would have influenced their decision to pay or not pay.”
However, he said he wasn’t privy to Medibank’s decision and doesn’t have enough information on it to have an opinion.
“What I do know though is, in my experience in dealing with organisations, depending on the level of ransom demand, [whether it’s] $1 million, $5 million, $10 million, and the organisation and what the impact is, that will influence whether they choose to pay or not pay,” said Martin.
Philosophy and reality
He said “philosophically” it’s “obviously wrong” to pay a ransom because the payment supports a criminal activity.
“But it’s a little bit more complicated than that when it comes to the reality of the decision,” said Martin.
IB asked Martin whether, in his experience, paying a ransom generally works in terms of ensuring that criminals return the data. He said it comes back to risk management.
“I know this might seem like a glib response but the reality is, and I’ve mentioned that previously, you need to have worked this through before the event occurs because I think it is such a complicated decision to make,” said Martin. “While on the surface it seems very simple, we pay or don’t pay, the actual implications of that are far reaching and way more complicated.”
He said the Medibank and Optus situations and how they played out after their attacks demonstrated this complexity.
Martin said firms also need to take into account the ransomware market and known threat actors. Another complexity and “vexed part of it”, he said, is the insurance market and proving whether the attack is state-sponsored.
“In not answering your question, I’m trying to push out more of an opinion that organisations will not get a simple answer to this,” said Martin. “They really need to start working on their position and their response to it well ahead of time when they’ve got the capacity to do it.”
- A secure economy and thriving cyber ecosystem
- A secure and resilient critical infrastructure and government sector
- A sovereign and assured capability to counter cyber threats
- Australia as a trusted and influential global cyber leader, working in partnership with our neighbours to lift cyber security and build a cyber resilient region.
Consultation on a discussion paper closed last month.
“While paying ransoms can contribute to a criminal business model,” said the Insurance Council of Australia (ICA) in its submission, “it must be recognised that no organisation wants to be extorted and the decision to pay a ransom is largely a function of the cost of recovery and remediation being higher than the ransom demand.”
The ICA expressed concern that an outright ban on ransoms could significantly impact the ability of smaller firms to recover from an attack.
“The Insurance Council strongly encourages the Government to consult further with the insurance industry before taking a definite position to ban ransom payments,” said the submission. “In the meantime, the decision to pay a ransom or not should remain with the victim organisation.”