AXA pledges to stop reimbursing ransom payments for French ransomware victims

One of Europe’s biggest insurers is now suspending policies in France that reimburse victims for ransomware payments.


Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cybercriminals. 


The Associated Press reported that the move was an industry first, although this has not been confirmed. AXA is one of the five biggest insurers in Europe and made the decision as ransomware attacks have become a daily occurrence for organizations across the world. ZDNet reported last month that AXA is the cyber insurance market share leader based on standalone policies.

The changes were made only in France after cybersecurity leaders within the French government and French Senators aired concerns about the massive payouts going to cybercriminals during a roundtable in Paris in April.

French companies and enterprises, like those in the US, lost billions in 2020 due to devastating ransomware attacks that left organizations crippled for days or weeks, with some estimates showing the country suffered up to $5.5 billion in losses. 

Only the US had more ransomware attacks in 2020 than France, according to French cybercrime prosecutor Johanna Brousse, who spoke at the Paris roundtable according to The Associated Press. 

Christine Weirsky, a spokeswoman for the US AXA subsidiary, told The Associated Press that their cyber insurance policies would still cover the costs of recovery. 

A report from cyber insurance provider Coalition in September noted that ransomware incidents represented 41% of all cyber insurance claims filed in the first half of 2020. The company said there was a 260% increase in the frequency of ransomware attacks among its policyholders, and it found that the average ransom demand increased 47%. Claims ranged from as low as $1,000 to as high as $2 million.

Cybersecurity experts have long complained that the emergence of cyber insurance policies that include coverage for ransom payouts has had a disastrous effect by increasing the popularity of ransomware and actually spurring more attacks. Knowing that insurance companies would cover company payouts, ransomware attackers became more and more brazen throughout 2020 and 2021.

Many of the attacks in 2020 specifically targeted crucial public institutions like hospitals and K-12 schools, on the assumption that they were more likely to have to pay in order to regain control of their systems and important data.

"This decision is not a surprise to us. In fact, other carriers may follow suit. However, businesses need protection from these events and in some cases even from going bankrupt due to ransomware," said Cowbell Cyber CEO Jack Kudale, adding that the cost of the ransom itself is often matched by other damaging attack costs like business interruption, notification, restoration, credit monitoring, forensics, and crisis management.

Other experts, like Digital Shadows senior cyber threat intelligence analyst Xue Yin Peh, explained that even when organizations are forced to pay ransoms, there is no guarantee that encrypted files and systems will be recovered. 

Premiums for cyber insurance may also increase as a result of a ransomware attack, she added.

Sean Cordero, security advisor at Netenrich, said he expects more cyber insurance providers like AXA to seek to minimize their exposure from high-risk policies they've written or are considering underwriting, making it more difficult to secure or renew policies. 

For the first time, some insurers will request new evidence and validation from their policyholders to demonstrate that their security controls are adequate, Cordero explained.

"This validation is complex, and many insurers still rely on client self-attestation as the primary input to risk and policy determination. These insurers will hopefully transition to more data-driven models specific to the cybersecurity industry. For huge organizations, this may translate into third-party audits before completing underwriting," Cordero said. 

Cordero added that some cyber insurers are now using attack surface intelligence, data science, cyber-specific actuarial models, and more to address the increase in attacks and reduce premiums.

This, Cordero said, may "lead to broader coverage when the insured can prove their controls and readiness."