Between a rock and the Dark Web Do ransom payments only add fuel to cyber crime and should they be banned? We polled experts in the field By Miranda Maxwell
I
f I pay one penny now, I’ll have 14 kidnapped grandchildren.” That was the reaction of multi-billionaire oil tycoon J. Paul Getty in 1973 when kidnappers demanded $US17 million in exchange for one of his grandsons. Almost 50 years on, cyber crime ensures the debate over whether to concede to ransom demands rages on, and the Getty family case still perfectly encapsulates the conundrum these payments present – an issue that has never dominated the minds of executives and insurers more than in 2021. Global broker Aon describes ransomware as now “truly weaponised” and calculates a 500% increase in average insured losses since the start of 2017 and a 350% increase in Australian cyber incidents. Cyber premium increases of up to 40% are on the cards this year, Aon says, with the global cyber insurance market set to reach $US14 billion in 2022. Capacity has commenced a “slow but steady retraction globally and locally,” and in the Australian market, where gross written premium in cyber cover sits near $US110 million, capacity has been withdrawn “for those organisations that cannot convince markets that their security programs adequately address ransomware risks”.
50 insuranceNEWS
June/July 2021
“Underwriting practices are adapting to the velocity and impact,” Aon notes. “Markets are increasingly empowered to walk away from an organisation that cannot adequately explain their security investment strategy.” For Kieran Doyle, the Cyber Leader at law firm Wotton + Kearney, all organisations, particularly those that are data-rich, “have to assume they are a target”. “Ransomware brings even the largest organisation to its knees,” he says. True. An Insurance News article in March warning of the exposure of critical infrastructure to ransomware attacks proved to be prophetic, with US company Colonial Pipeline suffering a ransomware attack in May that cost it the equivalent of $US4.4 million in bitcoin. The company was forced to close down its pipeline operations between Houston and the southeastern United States after its computer system was compromised. The payment was made within hours, with the hackers then supplying a software application to restore the system. The chaos created by that single cyber attack has woken even the most complacent business to the very real dangers of cyber criminals “It is now visible in the community beyond just
