AXA, one of Europe’s top five insurers, said it was suspending the option in response to concerns raised by French justice and cybersecurity officials during a Senate roundtable on ransomware last month in Paris. At the hearing, cybercrime prosecutor Johanna Brousse said, “The word to get out today is that we don’t pay and we won’t pay about ransomware.” According to cybersecurity company Emsisoft, only the United States exceeded France in ransomware damage to companies, hospitals, schools, and local governments last year, with France’s total losses estimated at more than $5.5 billion. According to Christine Weirsky, a spokeswoman for the U.S. AXA subsidiary, a leading underwriter of cyber-insurance in the United States, the suspension only applies to France and has no bearing on current policies. She added that it has no bearing on coverage for reacting to and recovering from ransomware attacks, in which hackers operating out of safe havens such as Russia hack into networks, seed malware, and cripple them by scrambling data. The criminals only have software keys to decrypt the data after the ransom is paid. Some started stealing confidential data last year, then encrypting networks and threatening to dump it online unless victims paid up. As a result, ransom payments have nearly tripled, averaging more than $300,000. A ransomware attack takes an average of three weeks to recover from. The insurance company has received a lot of flak for reimbursing ransom payments. Cybersecurity specialist Josephine Wolff of Tufts University said it has become “one of the costs of doing business” in organisations’ risk-management practises. And I think that’s really concerning because that’s what keeps the ransomware company going — people keep paying the ransom.” A public-private task force sent an 81-page urgent action plan to the White House last week, stating that enriching ransomware offenders only encourages more global crime, like terrorism. However, the writers stopped short of calling for a ban on ransom payments, claiming that in some cases, paying up is the only way for a victimised company to escape bankruptcy. Ransomware is a national security danger, according to US officials, and some lawmakers are pushing for urgent financial assistance for local governments that are low on IT resources and operating insecure systems. “AXA France’s decision reflects the continuing tumult in the market,” according to Michael Phillips, chief claims officer at Resilience, a cyber-insurance company based in the United States and a co-chair of the task force. Insurance companies are grappling with successfully underwriting ransomware policies while facing rising payout costs that threaten profitability. While Philips does not foresee similar restrictions — or a flood of exits — in the United States, he does believe that the best carriers are becoming more stringent regarding their customers’ cybersecurity hygiene. Many victims, such as cash-strapped state and local governments, haven’t made sufficient security investments and are therefore easy targets for ransomware criminals. Those suspects have also collected information on possible targets ahead of time and are aware whether a victim has insurance that covers ransom payments. They might also be aware of a policy’s payment limit. AXA’s decision was wise, according to Emsisoft analyst Brett Callow, who noted that some companies are more willing to pay ransom if the money isn’t coming from their own pockets. “Cutting off the flow of cash is the only way to break this vicious loop, and ceasing to refund ransom demands can well do that.”
