A major global insurer has said it will stop reimbursing French clients who fall victim to ransomware for any costs they incur paying their extorters.
AXA said it had taken the decision after listening to the concerns of French officials and cybersecurity experts last month, according to AP.
Ransom and associated downtime costs for French corporate victims stood at over $5.5 billion last year, off the back of over 4400 attacks, according to one estimate. That makes the country the second most frequently targeted by ransomware globally, although it still lies some way behind the US in first place.
The new AXA rules will apparently not affect existing policies and will only apply to ransom payments, not reimbursements for the cost of responding to and recovering from attacks.
However, the move could be followed by other insurers, given the increasingly large pay-outs many are being forced to issue. Cyber-insurance provider Coalition last year estimated that ransomware accounted for over two-fifths (41%) of claims in North America in the first half of 2020.
The practice of reimbursing corporate policyholders to pay off their extorters has also come in for criticism from lawmakers and police, who see it as perpetuating the problem. As long as policies continue to pay out, victims will be happy to pay up and cyber-criminals will continue to target them.
Another school of thought holds that the insurance industry can use its influence to improve baseline corporate security, and therefore make life tougher for the threat actors, by writing rules into policies that stipulate payments will only be made if the customer has followed strict security best practices.
ImmuniWeb CEO, Ilia Kolochenko, argued that if AXA’s decision is limited to France, it’s unlikely to have a material impact on the global ransomware business.
“On one side, this decision will likely hinder the flourishing ransomware business and indirectly incentivize would-be victims to implement better cybersecurity and enhance their cyber resilience,” he added.
“On the other, the categorical ban will unfairly discriminate against enterprises who adequately care about their cyber-defense but nonetheless fall victim to sophisticated attacks, perhaps because of their careless suppliers.”