In early May, global insurer AXA made a landmark policy decision: The company would stop reimbursing French companies for ransomware payments to cybercriminals.
The decision, which reportedly came after French authorities questioned whether the practice had fueled the current epidemic of ransomware attacks, may be just the beginning of a general retreat that will force companies to reconsider their attempts to outsource cyber-risk to insurers. Already, the massive losses from a single destructive crypto worm, NotPetya, led to multiple lawsuits when insurers refused to pay out on cyber-insurance claims.
AXA’s decision could signal the insurance industry agreeing that ransomware payments spur greater ransomware activity, forcing companies to deal with the direct damages of cyberattacks, said Ilia N. Kolochenko, founder and chief architect at security firm ImmuniWeb SA, in an assessment of the impact of the insurer’s decision.
“On one side, this decision will likely hinder the flourishing ransomware business and indirectly incentivize would-be victims to implement better cybersecurity and enhance their cyber-resilience,” he said. “On the other side, the categorical ban will unfairly discriminate against enterprises who adequately care about their cyber defense but nonetheless fall victim to sophisticated attacks or because of their careless suppliers.”
Ransomware payments continue to be a controversial capitulation to cybercriminals. Governments have already started pressuring companies not to pay ransoms, with the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) warning in October that businesses could be violating US law if they pay groups that have been placed on the sanctions list. And almost two years ago, following attacks on many local governments and school districts, a group of more than 1,400 elected local mayors pledged not to pay ransomware groups.
Yet cyber insurance continues to be a popular way to mitigate risk. In the United States, direct cyber insurance premiums…