Despite losing billions to cyber criminals in recent years, insurers are questioning federal government advice that companies should never pay ransom demands, warning against blanket bans even as figures show Australian businesses being overrun by ransomware.

Mooted bans on ransomware payments could have “unintended consequences”, peak insurance industry group the Insurance Council of Australia (ICA) argued in its recent submission responding to the government’s Cyber Security Strategy discussion paper.

“The decision to pay or not pay a ransom is made by the client [and] made by the victim, not the insurer,” the ICA said, adding that whether such payments are reimbursed is determined through insurers’ normal actuarial processes.

“While paying ransoms can contribute to a criminal business model,” the submission continues, “it must be recognised that no organisation wants to be extorted and the decision to pay a ransom is largely a function of the cost of recovery and remediation being higher than the ransom demand.”

This means an outright ban could “disproportionately” affect small businesses and other small organisations without the means to make the payments, the ICA warns, “and may significantly impact their ability and capacity to recover and return to operation.”

Despite massive losses insuring cyber attacks in recent years – a recent US court decision left insurers on the hook for $2 billion in Merck’s claim for NotPetya-related losses – the ICA said government bodies should “consult further” with the insurance industry before legislating ransom payment bans.

The comments push back against an anti-ransom stance floated last year by Cyber Security Minister Clare O’Neil after the mass hack of private insurance giant Medibank – and she doubled down when financial services giant Latitude Financial was hacked in March.

Latitude’s decision not to give in to ransom demands, O’Neil noted, “is consistent with Australian government advice” that is outlined in official Australian Cyber Security Centre (ACSC) guidance.

Businesses are paying the price

Insurers’ plea for government non-intervention comes amidst revelations that Russian authorities have done nothing to punish the Russia-based REvil group – which published the private health data of millions of Australians late last year – despite being handed the identities of the Medibank hackers on a platter.

Australian organisations are seen as easy and lucrative targets for cyber criminals – and 7 in 10 had to deal with a ransomware attack last year, according to security firm Sophos’ new State of Ransomware 2023 global study of 3,000 IT professionals.

Fully 69 per cent of those attacks resulted in data being encrypted and unusable, with 53 per cent of those firms deciding to pay the ransom in hopes of recovering their data.

The Australian figure was higher than the global average – with 47 per cent of organisations paying ransoms globally – and surged from 43 per cent of companies in the previous year.

Larger businesses were more likely to pay ransoms, with Sophos noting that they are more likely to have cyber insurance policies to cover those payments.

Other studies have found similar results, with ExtraHop recently reporting that 83 per cent of surveyed organisations had paid the ransom and a new Rubrik study putting the Australian figure at 72 per cent.

Paying ransoms may be common, but there is no guarantee that companies will get their data back after forking over thousands to cyber criminals, warns Louay Ghashash, director and principal of cyber security consultancy Spartans Security and chair of the ACS Cyber Security Committee.

“The only reason many businesses take cyber insurance is because they hope to use it to pay ransoms,” Ghashash said. And while a ban on payments would “hurt the sector”, he continued, ultimately better controls “will benefit that sector – which grew organically like a cancer without regulation over the past five years.”

Payment of cyber criminals “is not something I recommend to my customers,” he said, noting that just 1 or 2 companies out of ten actually get their data back – and even where data is recovered, there is a “high chance that 60 per cent of the data becomes corrupt.”

Such poor outcomes mean companies paying ransoms “are flushing your money down the drain,” he said. “I would rather focus their efforts and energy on doing the basic hygiene that prevents them from being targeted in the first place.”

Ultimately, said Palo Alto Networks vice president and regional chief security officer Sean Duca, victims’ decision about paying ransoms should be made after considering “the true implications of a breach”.

“Deciding whether or not to pay a ransom should,” he said, “be based on a careful evaluation of the impact of the stolen data or the inaccessible systems on a case-by-case basis.”

“Ultimately, the organisation’s risk appetite and its efforts to safeguard the data of both past and present customers should determine whether or not to pay the ransom.”