Clear laws, 'threat actor' consequences needed on ransomware
Clearer Australian laws and international co-operation to act against criminals are among measures needed in response to the rising threat from ransomware, Kennedys Partner and cyber insurance law specialist Nicholas Blackmore says.
Mr Blackmore says it’s necessary to identify and sanction threat actors so they face consequences for crimes and don’t profit from ransomware payments received.
“We have to do that through some level of international co-operation and pressure,” he told the Australasian Professional Indemnity Group (APIG) conference. “There have been some successes and there needs to be more.”
Successes have included the FBIs recovery of bitcoin payments made following the Colonial Pipeline ransomware attack in the US last year.
Mr Blackmore says incentivising cyber security is important, and governments and technology vendors have a role to play. In the case of insurance, there has been a greater focus within a hardening market on requiring customers to step up their defences in order to obtain cover, he says.
“People actually have to think about their security before they get cyber insurance and that’s an incredibly positive thing.”
More support to assist victims of cyber crime, particularly SMEs that don’t have access to IT departments is needed, and there could be a system for mandatory reporting of ransomware payments associated with that, he said.
In Australia, ransomware payments made under duress can be legal if certain conditions are met under the Criminal Code, and provided payment recipients are not on a sanctions list.
The code aims to outlaw the payment of funds that will be used to commit a crime, but defences that may allow payments include a reasonable belief that the threat will be carried out unless money is paid, the threat can’t be rendered ineffective, and the payment is a “reasonable response” to the threat.
“We have laws, but none of them were drafted specifically for ransomware,” Mr Blackmore said. “We need more specific laws, and we need guidance from the Government.”
Discussions recently have suggested the Federal Government should set up a cyber panel, modelled on the Takeover Panel, which could make decisions on whether payments should be made in specific situations.
“It is an interesting idea, I don’t know if it could respond quickly enough, but it is a good idea,” Mr Blackmore said.
The APIG conference, which returned this year after a two-year hiatus, was held in Sydney last week.
Topics covered also included emerging risks and trends in medical indemnity, market conditions post-covid and the class actions environment.
Finity Consulting Principal Susie Amos says the overall professional indemnity and directors’ and officers’ class has likely reached insurer profitability targets but the achievement could be short lived.
Headwinds include economic instability, an increase in capacity and regulatory shifts, although a more targeted approach and a greater sophistication in pricing could point to market discipline.
“That’s a really positive sign, but definitely some new entrants means that the competition is going to increase, and it will be harder to keep the rates at the level that are needed,” she said.