Should S’pore compel insurers to report ransomware incidents?
Source: Straits Times
Article Date: 13 Oct 2025
Author: Krist Boo
Singapore companies are increasingly being targeted by state-sponsored hackers, yet recent reports show that firms are more likely to pay the ransom and stay silent, hindering the authorities from understanding the full scale of cyber threats.
The Cyber Security Agency of Singapore (CSA) currently does not mandate ransomware reporting for non-critical infrastructure firms owing to enforcement complexities and privacy concerns, CSA chief executive David Koh told The Straits Times in an earlier interview.
One potential solution to that is to require insurers to report cyber incidents linked to claims on an aggregated, anonymised basis.
Currently, organisations with non-critical infrastructure affected by ransomware are encouraged to report incidents to the Singapore Cyber Emergency Response Team and the police.
Mandatory notification of the Personal Data Protection Commission applies only if a data breach involves personal data and is likely to cause significant harm or affects 500 or more individuals.
The onus remains on organisations to inform the authorities, but many victims see no immediate gain from volunteering the information.
A review is timely, given the Government’s latest push to help small and medium-sized enterprises (SMEs) bolster their cyber resilience. Close to 50,000 SMEs will, from November, receive one year of free cyber-protection tools.
The Singtel Cyber Protect Programme, announced on Oct 7 and offered by the telco in partnership with the Infocomm Media Development Authority and Enterprise Singapore, aims to give SMEs baseline defences against threats such as malware and phishing, which are often the precursors to ransomware attacks.
Mr Gaurav Keerthi, CEO of cyber-security firm StrongKeep, highlighted a common misconception among SMEs that the authorities possess a “magic key” to decrypt ransomware.
That has led to disappointment among some who previously filed reports only to find no rescue but more paperwork, discouraging them from making future reports.
Under duress, businesses are more likely to prioritise recovery over reporting, Mr Keerthi added.
“Your main overriding concern is to get back in shape. Informing other people who will ask you questions is not top on your list of priorities,” he said.
Verizon Business noted that under-reporting of cyber incidents is a significant global issue.
Other countries are taking a tougher stance.
Australia, where 84 per cent of companies that were blackmailed paid the demanded ransom in 2023, introduced mandatory reporting of ransomware payments in May.
Companies with annual revenues of A$3 million (S$2.5 million) or more must report such payments within 72 hours, either directly or through proxies, with non-compliance potentially incurring a penalty of around A$19,800.
Britain is also considering proposals to require private businesses to notify the government of their intent to make, or after they have made, such payments.
This is in addition to plans to ban public entities and critical infrastructure operators from making ransom payments.
Similar legislation is being discussed in the US, but the Cybersecurity Information Sharing Act of 2015 expired on Oct 1, with no replacement or extension in place amid a chaotic government shutdown.
Industry experts warn that ransomware attacks are rarely sudden; they are often preceded by information theft, eavesdropping and account takeovers. Early flagging of such incidents is crucial for timely expert consultation and swift deployment of remediation resources.
Mr Keerthi, previously the deputy CEO of CSA, said greater visibility of these threats, in turn, helps the Government better support organisations.
He said: “Does the Government need to make significant technical changes to the national architecture? Should the telcos be doing something else? Does the Government need to be given more powers to support companies? All of those questions are important.”
Insurers themselves would benefit from improved underwriting processes using real-world incident data and stronger, industrywide datasets.
Companies, too, stand to gain.
Mr Adam Peckman, Aon’s head of cyber risk consulting and cyber solutions for Asia-Pacific, said: “The insurance industry has vast access to many vendors because of their purchasing power with that ecosystem of providers – legal firms, technical firms, ransomware negotiation firms.”
These parties can assist with intelligence on threat actors, remediation, or facilitating crypto payments, he said.
The proposed measure need not inflict additional pain on companies.
Insurers could seek consent to include companies in their aggregated data during claims processing, and offer sweeteners like lower premiums or enhanced coverage in return for timely reporting and intelligence sharing.
Cyber-security insurance coverage is affordable for firms, typically costing a few thousand dollars.
With state-sponsored actors increasingly focusing on financial gain through attacks, beyond just disruption and espionage, more visibility over cyber incidents would help to strengthen the collective cyber-security posture.
The private sector, which accounts for 70 per cent of organisations supporting Singapore’s critical essential services, cannot afford to be the weakest link in our national cyber defence.
Source: The Straits Times © SPH Media Limited. Permission required for reproduction.