In an apparent industry first, the global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
AXA, among Europe’s top five insurers, said it was suspending the option in response to concerns aired by French justice and cybersecurity officials during a Senate roundtable in Paris last month about the devastating global epidemic of ransomware.
“The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” cybercrime prosecutor Johanna Brousse said at the hearing. Only the U.S. surpassed France last year in damage from ransomware to businesses, hospitals, schools and local governments, according to the cybersecurity firm Emsisoft, which estimated France’s related overall losses at more than $5.5 billion.
The suspension only applies to France and does not affect existing policies, said Christine Weirsky, a spokeswoman for the U.S. AXA subsidiary, a leading underwriter of cyber-insurance in the United States. She said it also does not affect coverage for responding to and recovering from ransomware attacks, in which criminals based in safe havens including Russia break into networks, seed malware and cripple them by scrambling data.
Only after ransoms are paid do the criminals provide software keys to decode the data. And last year, many began stealing sensitive data before encrypting networks and threatening to dump it online unless victims paid up. That helped drive ransom payments up nearly threefold to an average of more than $300,000. The average recovery time from a ransomware attack is three weeks.
The insurance industry has come under considerable criticism for reimbursing ransom payments. Cybersecurity expert Josephine Wolff of Tufts University said it has come to be built into organizations’ risk-management practices “as one of the costs of doing business. And I think that’s really worrisome because that is what fuels the continued ransomware business — people keep paying ransom.”
An 81-page urgent action plan delivered to the White House last week by a public-private task force noted that enriching ransomware criminals only fuels more global crime, including terrorism. But the authors stopped short of advocating a ban on ransom payments, saying paying up can sometimes be the only way for an afflicted business to avoid bankruptcy. U.S. officials call ransomware a national security threat, and some lawmakers are calling for immediate financial relief for stricken local authorities short on IT resources and running vulnerable systems.
Michael Phillips, chief claims officer at the U.S. cyber-insurance firm Resilience and a co-chair of the task force, said “AXA France’s decision highlights the continued tumult in the market” as insurance firms grapple with successfully underwriting ransomware policies while confronted with rising payout costs that threaten profitability.
Phillips said he doesn’t expect U.S. insurers to impose similar restrictions — or a wave of exits — but did say that the best carriers are becoming more exacting about customers’ cybersecurity hygiene. Many victims, such as cash-strapped state and local governments, haven’t adequately invested in security and are easy prey for ransomware criminals.
Often, those criminals have gathered intelligence about potential targets in advance and know when a victim carries insurance that covers ransom payments. Sometimes they even know a policy’s payment ceiling.
Emsisoft analyst Brett Callow called AXA’s decision smart, noting that some organizations seem more inclined to pay ransom if the money isn’t coming from their own pockets. “The only way to break this vicious cycle is to cut off the flow of cash — and ceasing to reimburse ransom demands may well do that.”