Australian Ransomware Payments Bill proposes mandatory reporting for ransomware payments

After the Biden Administration introduced a new executive order with guidelines for US businesses on cyber security precautions, ransomware payments and the exchange of threat intelligence, the Australian Parliament saw a new bill introduced in June to mandate all entities that are affected by a ransomware attack to report it to the Australian Cyber Security Centre. The Ransomware Payments Bill 2021 introduces a ransomware payment notification scheme that large private companies and public entities have to adhere to before making a ransomware payment. Among the responsibilities that the bill, which was introduced by Labor MP Tim Watts, places on affected companies is the mandatory disclosure of information related to the attack and attackers:

  (a)  the name and contact details of the entity; and
  (b)  the identity of the attacker, or what information the entity knows about the identity of the attacker (including information about the purported identity of the attacker); and
  (c)  a description of the ransomware attack, including:
         (i)  the cryptocurrency wallet etc. to which the attacker demanded the ransomware payment be made; and
         (ii)  the amount of the ransomware payment; and
         (iii)  any indicators of compromise known to the entity.

Virtually all stakeholders of the respective economy, but especially the cyber insurance ecosystem, will benefit from the mandatory reporting and disclosure of ransomware payments by the extorted entities to a public organization. This holds especially when comparing it to the drastic measures discussed in academic and industry circles, such as prohibiting insurance coverage for ransomware payments entirely or outlawing any kind of ransomware payment, which would dramatically alter the scope and perhaps even the  of current cyber insurance policies. From a public policy standpoint, the implementation of such a policy measure seems almost to be a Pareto improvement: an improvement that enhances the overall welfare of an economy without leaving anybody worse off.

Given the increasing reluctance of carriers to commit capacity to cyber, these “easy and quick” wins are needed to support the cyber insurance market through one of its most testing times. We hope not only that this bill will take effect in Australia, but also that governments around the world see the wisdom of such policy measures.

Daniel Woods

Daniel Woods is currently a Postdoc at the University of Innsbruck, after completing his PhD about the economics of cyber risk transfer at the University of Oxford.

Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.