AXA’s frustration with the lack of regulatory clarity is understandable given the ambiguous approaches many governments have taken on the issue. In the United States, authorities have discouraged but not outright prohibited the payment of ransoms, although last October the Treasury Department issued a note warning that some ransom payments could be illegal if made to sanctioned organizations or individuals. In many ways, however, this review has only added to the confusion, as it is often not immediately clear who is behind a cyber attack or who is likely to receive a particular ransom payment.
Globally, this is “a lawless area,” says Ciaran Martin, professor of practice at the University of Oxford and former managing director of the UK National Cyber Security Center. “There is no evidence yet that countries are moving towards telling insurers not to pay ransoms,” Martin says. “France has a tradition of informally passing messages on to big companies, and this may be similar to what happened” in the case of AXA.
Regulators aren’t the only ones who fear insurers are paying ransoms. Carriers are also concerned about the number and size of ransomware claims. The increase in claims has led to a significant increase in premiums and deductibles for cyber insurance policies, says Matthew McCabe, senior advisor at global insurance broker Marsh. This week, the meat processing company JBS confirmed that it has paid a ransom of 11 million dollars; some recent ransomware demands have reportedly been as high as $50 million.
McCabe and others in the insurance industry are skeptical that a ban on ransom payments would necessarily reduce the prevalence of ransomware. They fear that instead, a ban will mean insurers would have to pay more claims for business interruption and data restoration services.
“If you forbid the payment of ransoms, what does it really look like? Because while it looks like companies are fining 10% of what they paid the ransomware gang, that doesn’t make it illegal, it just adds a premium to the payment,” says Tarah Wheeler, cybersecurity researcher at the Belfer Center for Science and International Affairs at Harvard Kennedy School.
McCabe also suggests that banning insurers from covering ransom payments could make it harder for their clients to take preventative security measures. He argues that insurance companies are in a good position to encourage companies to strengthen their defenses, although there is little evidence to suggest that this has worked in practice. It is also not clear in all cases that insurers would prefer not to pay ransoms on behalf of their policyholders. “Companies prefer to pay a few million in ransoms rather than tens of millions for the loss of data guaranteed by the insurance policy taken out,” said Guillaume Poupard, director of the French cybersecurity agency ANSSI, at the round table which motivated AXA’s decision. “We have to do a lot of work to break this vicious cycle around paying ransoms.”
But while the issue of ransomware payment will ultimately fall to regulators, governments have been largely reluctant to do this job. “Unless governments decide to ban ransom payments, insurers are in a difficult position of having to invent a quasi-public policy,” Martin said, adding that even if he “would welcome the decision of AXA with caution,” it “should not be left to insurers to make public policy.”
Members of the Institute for Security and Technology Ransomware Working Group, on which Martin served earlier this year, were divided over whether paying ransoms should be illegal, with several participants expressing concerns that such a move would “essentially criminalize victimization.”
McCabe is skeptical that ransomware is too great or unpredictable a risk for carriers to handle, even if it continues to grow. “I don’t think insurers have given up on it yet, or that the risk is unmanageable, but it has certainly taken its toll over the past year and beyond,” McCabe said. It continues to weigh very directly on AXA, whose Asia Assistance division was hit by a ransomware attack just weeks after its decision to suspend ransom payment coverage in France. It’s not clear if the attack is related to the company’s previous announcement, but it’s another reminder of how ill-equipped many insurers still are to protect their own systems from ransomware – and still less to explain to their policyholders how to do it.