Insurance giant AXA has said that it is no longer writing cyberinsurance policies in France that cover ransom payments to extortionists.
Under AXA’s decision, which appears to be a first for the cyberinsurance industry, it will still reimburse companies for the cost of responding to and recovering from a ransomware attack – but will not cover the often significant sums of cryptocurrency demanded by criminal gangs after they have compromised a network, and encrypted or stolen data.
In addition, it will not affect existing policies that companies may have with the insurer.
Interestingly, AXA has only made the decision to stop writing policies that cover ransomware payments in France – and not the rest of the world.
France, which is estimated to have lost more than $5.5 billion to ransomware last year, is believed to be second only to the United States in terms of the financial damage caused by cybercriminal extortionists.
The issue of “to pay or not to pay” has become a controversial one.
Ciaran Martin, former head of the UK’s National Cyber Security Centre (NCSC) and now a professor at Oxford University, believes that insurers are “funding organised crime” by accepting ransomware claims.
Marcus Willett, who works at the International Institute for Strategic Studies (IISS) but used to have a senior role at GCHQ, argues in a recently published article that payments fund criminal organisations and only make ransomware attacks more likely.
However, paying a ransom can get your company out of a sticky situation. If your extortionists keep their word, you will receive a method of decrypting your data, and they will – hopefully – not release your stolen data to the wider world.
Sometimes, as we saw with the ransomware attack against British fashion retailer FatFace, the criminals will even give your business advice on how to improve its security in future.
AXA’s lack of desire to cover ransomware payments in France appears to be at odds with insurers across the Channel. In fact, the British Association of Insurers says that paying the ransom demand may be the quickest and most effective way of getting businesses back to work.
Internationally there have been some efforts to warn organisations against paying ransoms – whether it be for themselves or their clients.
In October 2020 the U.S. Department of the Treasury issued an advisory alerting organisations that help victims of ransomware attacks that they risk breaching sanctions by facilitating ransomware payments.
But ultimately, if you have the choice of paying a ransom or losing your company, you’re probably going to try to find a way to pay up. The only question then is – will your insurance company cover you for that ransom payment, or not?