Should paying cyber ransoms be outlawed?

"I don't think it's a one size fits all scenario," says Marsh head


By Daniel Wood

‘Never pay a ransom’ says the website of the federal government’s Australian Cyber Security Centre (ACSC). However, there is currently no law against paying a cyber ransom. The government is deciding whether there should be one as part of its development of a 2023-2030 Australian Cyber Security Strategy.

“In all honesty, I don’t think it’s a one size fits all scenario,” said Nic Martin, when Insurance Business asked him what his firm advises – ‘pay? Or refuse to pay?’ – when a client suffers a ransomware attack. Sydney-based Martin is head of strategic risk consulting in the Pacific for the global brokerage Marsh.

“We are currently doing a lot of work when it comes to crisis management and ransomware with executive teams and boards of large Australian businesses across a number of sectors,” he said.

“What you find when you’re doing this is that there are a number of influencing factors.”

To pay, or not to pay?

Martin said one of those factors is whether the business has discussed this issue before an attack takes place.

“A lot of the time, the challenge is that they are having that conversation in the heat of battle,” said Martin. “That’s not the time to have that conversation.”

He said people within the same company can have very different views.

“You’ll have one person that will say, ‘We should pay because we just need to get our information back and protect our customers’,” said Martin. “Another view will be, ‘I don’t want to support a criminal organisation.’”

How much is the ransom?

He said another “really challenging” issue is the value of the ransom demand.

“If you think about the Medibank situation, the threat actor put a one dollar value on every record, so a total value of $10 million,” said Martin. “Now that would have influenced their decision to pay or not pay.”

However, he said he wasn’t privy to Medibank’s decision and doesn’t have enough information on it to have an opinion.

“What I do know though is, in my experience in dealing with organisations, depending on the level of ransom demand, [whether it’s] $1 million, $5 million, $10 million, and the organisation and what the impact is, that will influence whether they choose to pay or not pay,” said Martin.

Philosophy and reality

He said “philosophically” it’s “obviously wrong” to pay a ransom because the payment supports a criminal activity.

“But it’s a little bit more complicated than that when it comes to the reality of the decision,” said Martin.

IB asked Martin whether, in his experience, paying a ransom generally works, in the sense that the criminals actually return the data. He said it comes back to risk management.

“I know this might seem like a glib response but the reality is, and I’ve mentioned that previously, you need to have worked this through before the event occurs because I think it is such a complicated decision to make,” said Martin. “While on the surface it seems very simple, we pay or don’t pay, the actual implications of that are far reaching and way more complicated.”

He said the Medibank and Optus situations and how they played out after their attacks demonstrated this complexity.

Martin said firms also need to take into account the ransomware market and known threat actors. Another complexity and “vexed part of it”, he said, is the insurance market and proving whether the attack is state-sponsored.

“In not answering your question, I’m trying to push out more of an opinion that organisations will not get a simple answer to this,” said Martin. “They really need to start working on their position and their response to it well ahead of time when they’ve got the capacity to do it.”

2023-2030 Australian Cyber Security Strategy

The government has said its 2023-2030 Australian Cyber Security Strategy, announced in December, is developing initiatives under four key areas:

  1. A secure economy and thriving cyber ecosystem
  2. A secure and resilient critical infrastructure and government sector
  3. A sovereign and assured capability to counter cyber threats
  4. Australia as a trusted and influential global cyber leader, working in partnership with our neighbours to lift cyber security and build a cyber resilient region.

Consultation on the strategy’s discussion paper closed last month.

Insurance Council view on ransoms

The Insurance Council of Australia’s (ICA’s) submission echoed Martin’s view and said the issue of whether to prohibit ransom payments is a “complex policy issue.”

“While paying ransoms can contribute to a criminal business model,” said the submission, “it must be recognised that no organisation wants to be extorted and the decision to pay a ransom is largely a function of the cost of recovery and remediation being higher than the ransom demand.”

The ICA expressed concern that an outright ban on ransoms could significantly impact the ability of smaller firms to recover from an attack.

“The Insurance Council strongly encourages the Government to consult further with the insurance industry before taking a definite position to ban ransom payments,” said the submission. “In the meantime, the decision to pay a ransom or not should remain with the victim organisation.”
