When French insurer AXA signaled last week that it would no longer write new cyber-insurance policies covering extortion payouts to criminals, ransomware and cyber insurance experts had two reactions. They wondered why it took so long, and how long it would take others to follow suit.
Ransomware is an ever-increasing cause of cyber-insurance claims, according to industry estimates, and having such insurance may make policyholders more likely to be attacked. A representative of the REvil ransomware gang said in a March interview that the group specifically targets victims known to have cyber insurance, because they’re “one of the tastiest morsels” who can more easily afford to pay. In perhaps the biggest ransomware payment of 2020, smartwatch maker Garmin paid a reported $10 million and said it wasn’t sure how much its insurance would cover of all the costs, which it didn’t enumerate by type of expense.
Those conditions can perpetuate themselves. The more victims pay, the more criminals attack, and the more cash it takes out of victims’ and insurers’ pockets. AXA’s decision, announced Thursday, appears to be the first time an insurer said it will no longer cover ransomware payments, though it was not a surprise to industry observers.
“I’m surprised it hasn’t happened sooner,” said Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1. “These insurance companies don’t like to spend money and we’re going the opposite direction that they want to go, so I think we’re going to see more companies getting out of it.”
A spokesperson for AXA XL, a U.S. subsidiary of the French company, said the announcement doesn’t apply outside France, and doesn’t apply to ransomware-related incident cleanup costs. (The decision occurred before hackers breached a U.S. pipeline company, an incident that warranted a briefing to President Joe Biden.)
“As is standard market practice in the U.S., we provide ransomware cover as part of a broader cyber policy,” the spokesperson, Christine Weirsky, said via email.
“The current cyber insurance market is very challenging prompting many markets to look carefully at coverage and capacity,” she said. “We also continue to monitor the evolving regulatory environment regarding ransom payments. We’re committed to working with our brokers and clients, in addition to regulators, law enforcement, cyber security professionals and others, to find appropriate protections and risk mitigation/reduction strategies to meet this evolving landscape.”
AXA’s move could be a positive one, said Megan Stifel, executive director of the Americas at the Global Cyber Alliance. Even if the move starts a trend, though, more work will be necessary, said Stifel, who served on a Ransomware Task Force that recently released recommendations on cyber insurance and more. Furthermore, it’s not clear if insurance companies are responsible for very many ransomware payouts.
“It’s a great first step,” Stifel said. “Hopefully more will follow and then hopefully the chokehold on ransomware payments will begin to follow.”
If the trend of insurers cutting off such payments happens too quickly, though, it could be bad for businesses, said Austin Berglas, former head of the FBI’s cyber unit in New York City and global head of professional services at cybersecurity firm BlueVoyant. Other insurers might take a more moderate approach.
“I think they’re going to put more restrictions around payment, and say, ‘We will make payments. We will cover you for ransomware pain and if you do X, Y and Z, which is a good thing,’” Berglas said. “Chopping it off and saying, as of today, ‘We’re not making payments anymore,’ that puts a lot of companies in a bad spot.
“Whereas, if you do it slow roll, and say ‘Hey look guys over the next six months, we’re going to change our policies for renewal, saying we’ll cover you if you do these things, like two-factor authentication,’” that would be a better way forward, he said.
Today, some companies do require baseline security steps from policyholders as part of their cyber coverage, but Stifel said some also require nothing.
At least one fellow cyber insurance provider, Cowbell Cyber, said it doesn’t plan to do what AXA did. Founder and CEO Jack Kudale said companies still need protection from ransomware, and that better risk assessments and more closely aligning coverage to threats is a better way to respond to cyber extortion than simply halting payments.
That France is the nation where an insurer first swore off ransomware payouts makes sense, DiMaggio said, given its aggressive posture compared to other countries in tackling the phenomenon. France was at the forefront of the operation this year to arrest alleged hackers who use the Egregor ransomware, for instance.
Ransomware was also the subject of a French Senate hearing last week where a cybercrime prosecutor reportedly said, “The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay.” And Emsisoft estimated that France was second to the U.S. in ransomware damages to businesses, hospitals, local governments and schools, incurring more than $5.5 billion in costs last year.
Even if insurers mimic AXA, it’s clear ransomware will still impose incident costs for victims and insurance companies alike. Benchmark Electronics, an Arizona-based manufacturer of medical and aerospace equipment, said in a May 6 Securities and Exchange Commission filing that it had collected $10 million in insurance payments stemming from a 2019 ransomware attack on its systems. The incident cost the firm $12.7 million in legal, IT forensics and other fees.
Sean Lyngaas contributed to this story.