Ransomware Crackdown in Singapore: Impact on Insurers
22 May 2023
Insurance & Reinsurance
With Singapore’s high level of connectivity, ransomware is a rising and urgent threat to organisations in Singapore given its potentially devastating impact. While this worrying trend will no doubt raise concerns on risk exposure for cyber insurers, there are equally opportunities for growth, as interest in and demand for cyber insurance are likely to increase. We also discuss the Counter-Ransomware Task Force Report, the four pillars of action and their implications.
Growing threat of ransomware in Singapore
Ransomware is a rising and urgent threat to organisations in Singapore due to the country’s high level of digital connectivity. Ransomware can be devastating for organisations as it can result in extensive data loss, business disruption, exposure to legal and regulatory risk, financial harm and reputational damage. While this worrying trend will no doubt raise concerns on risk exposure for cyber insurers, there are equally opportunities for growth, as interest in and demand for cyber insurance are likely to increase.
The Counter-Ransomware Task Force
As testament to the prevalence and severe impact of ransomware, the Counter-Ransomware Task Force (“CRTF”), comprising senior representatives from multiple Government agencies, was convened to study this growing trend, develop policies and propose recommendations to effectively counter this risk.
The CRTF issued a report on 29 November 2022 (“CRTF Report”) intended to act as a blueprint for the Government and respective agencies’ efforts to secure Singapore from ransomware attacks. The CRTF Report makes several comments and recommendations relevant to cyber insurers and is worth close attention.
The CRTF’s recommended four pillars of action
The CRTF recommends that the Government focuses on the following four pillars of action to effectively address the threat of ransomware:
(1) Pillar 1: Strengthen defences of high-risk targets
The CRTF stresses that preventing a successful ransomware attack is paramount and this will require all organisations to raise their cyber posture and implement strong technical measures to improve cybersecurity.
In particular, the CRTF recommends that critical information infrastructure (“CII”) and small and medium enterprises (“SMEs”) should be given due attention:
(a) The CRTF recognises that the recently revised Cybersecurity Code of Practice (“CCOP”) provides adequate guidance for owners of CII (“CIIOs”) on appropriate risk identification and mitigation measures currently, and that the CCOP will be regularly updated so it remains relevant.
(b) For SMEs, while the CRTF notes that there are initiatives in place to guide SMEs to assist with benchmarking their cybersecurity practices, the CRTF recommends developing incentives and support schemes to increase awareness and improve take-up rate of these existing initiatives.
(2) Pillar 2: Disrupt the Ransomware Business Model
The prevalence of ransomware attacks is on the rise, as they remain a profitable venture for perpetrators, with victims often acquiescing to ransom demands. The CRTF has suggested that the government reissue advisories that dissuade ransom payments and underscore the associated risks and consequences.
The CRTF has also recommended exploring the ramifications of cyber insurance policies that provide coverage for ransom payments and evaluating the potential fallout if such coverage were to be discontinued. The CRTF has noted preliminary data that suggests insureds are more prone to paying ransoms where insurance coverage is provided, which is fuelling the growth of the ransomware industry.
The CRTF has noted the challenges of tracing the flow of ransom payments given that they are often paid in cryptocurrency which is subsequently converted into different cryptocurrencies or privacy-centric cryptocurrencies. To circumvent these challenges, the CRTF recommends considering making it mandatory for organisations to report the payment of ransoms. The Government will concurrently improve its tracing capabilities by potentially tapping into blockchain solution providers’ expertise.
(3) Pillar 3: Support Recovery
The CRTF emphasises that victim organisations’ cooperation and assistance is key to effectively counter ransomware. To encourage such cooperation, the CRTF recommends:
(a) Provision of resources to help recover from ransomware attacks by creating a one-stop portal for organisations to access all ransomware-related resources such as decryption keys and response checklists.
(b) Encouraging cyber insurance as a risk management practice and for the Government to explore methods to increase the purchase of cyber insurance particularly amongst CIIOs and SMEs.
(4) Pillar 4: Work with International Partners
Given the borderless nature of ransomware, the CRTF emphasises that a coordinated global effort is required to address the threat. To foster greater international cooperation, the CRTF recommends:
(a) That the Government expedite cross-border law enforcement collaboration for information exchange;
(b) Continued work with the Financial Action Task Force to combat money laundering and the financing of terrorism; and
(c) To work with international partners to study the effects of insurance policies that cover ransom payments on the ransomware industry.
What does this mean for cyber insurers?
The CRTF Report confirms that cyber insurance is a key solution for ransomware, particularly for managing the financial risks of ransomware attacks and boosting society's resilience to them. The recommendation to increase cyber insurance uptake is great news for cyber insurers seeking to expand their market, especially among CIIOs and SMEs - two categories of organisations worth pursuing for business growth.
The CRTF recommends creating a guide for cyber insurance and tailoring insurance packages for CIIOs and SMEs to simplify the discovery process. Cyber insurers can proactively adopt this and offer custom solutions for these target organisations. Cyber insurers may also want to consider relaxed information requirements and IT security standards at the underwriting stage for SMEs, particularly by taking more of a cost-versus-risk approach, to avoid discouraging these organisations from buying cyber insurance.
In May 2023, the Cyber Security Agency of Singapore (“CSA”) launched the ‘Cybersecurity Health Plan’ for eligible SMEs, a scheme designed to provide funding support for SMEs to engage cybersecurity consultants to take on the role of the SMEs’ “Chief Information Security Officers” and provide cyber health “check-ups” and improve cybersecurity hygiene. Eligible SMEs can enjoy up to 70% co-funding support when they sign up with the cybersecurity consultants onboarded by CSA. This should be seen as a welcome development for cyber insurers targeting the SME market. By promoting cybersecurity awareness and best practices, the CSA's scheme will assist SMEs to reduce their cyber risk exposure. This, in turn, will make them more attractive to cyber insurers.
Another issue potentially of interest to cyber insurers is the CRTF’s recommendation to explore whether coverage for ransomware payments should be prohibited in Singapore. Coverage for ransom payments is currently widely available in cyber insurance policies in Singapore.
The debate on prohibiting ransomware payments is gaining momentum globally but its effectiveness is uncertain. Opponents argue that while it may close off one source of funding, it may encourage ransomware attackers to engage in more malicious forms of extortion to pressure organisations to resort to making ransom payments to regain access to their systems or data. This could leave organisations vulnerable to greater financial losses without the protection of insurance coverage. Two UK insurance associations representing hundreds of prominent insurers recently submitted evidence to Parliament’s joint committee on National Security Strategy in December 2022, calling for the UK Government to avoid a ban on ransomware payments, citing that such a ban is likely to have an adverse effect on organisations and may lead to an increase in insolvencies and unemployment.
The CRTF also recognises that without international alignment on insurance policies covering ransom payments, any attempt to prohibit these within the domestic market may only result in driving organisations to turn to overseas providers for such coverage. This will have a negative impact on cyber insurers’ businesses. Having regard to the above, cyber insurers in Singapore may want to proactively engage with the Government on this issue.