AXA’s frustration with the lack of regulatory clarity is understandable given the ambiguous approaches many governments have taken to the issue. In the US, ransom payments are discouraged but not banned outright, although the Treasury issued an advisory last October warning that some ransom payments may be illegal if made to sanctioned organizations or individuals. In many ways, that advice only added to the confusion, because it is often not immediately clear who is behind a cyber attack or who will ultimately receive a particular ransom payment.
More broadly, Ciaran Martin, Professor of Practice at Oxford University and former CEO of the UK’s National Cyber Security Centre, says it is a “law-free zone”. “There is no evidence yet that countries are moving toward telling insurance companies not to pay the ransom,” Martin says. “France has a tradition of passing messages informally to large companies, and this looks like it may have happened” in the case of AXA.
Regulators aren’t the only ones worried about insurers paying ransoms. Carriers are also concerned about the number and size of ransomware claims. The growing claims have led to significant increases in cyber insurance premiums and deductibles, says Matthew McCabe, senior advisor at global insurance broker Marsh. This week, meat processor JBS confirmed that it had paid a ransom of $11 million; some recent ransomware demands have reportedly reached $50 million.
McCabe and others in the insurance industry are skeptical that a ban on ransom payments would necessarily reduce the spread of ransomware. They fear, instead, that a ban could mean insurers would have to pay more in claims for business interruption and data recovery services.
“If you block the ransom payment, what would that actually look like? Because if it looks like companies are fined 10 percent of what they paid the ransomware gang, that doesn’t make it illegal, it just adds a premium to the payment,” says Tarah Wheeler, a cybersecurity fellow at Harvard Kennedy School’s Belfer Center for Science and International Affairs.
McCabe also suggests that preventing insurers from covering ransom payments may make it harder for them to require their customers to take precautionary security measures. He argues that insurers are well placed to push companies to bolster their defences, although there is little evidence that this has worked in practice. Nor is it clear that insurers would always prefer not to pay a ransom on behalf of policyholders. “Companies would rather pay a few million in ransom than tens of millions for the loss of data covered by the insurance policy they hold,” said Guillaume Poupard, director of the French cybersecurity agency ANSSI, at the roundtable that prompted the AXA decision. “We have to do a lot of work to break this vicious circle around paying the ransom.”
But while the question of whether ransoms may be paid ultimately falls to regulators, governments have been largely unwilling to act. “Unless governments decide to ban ransom payments, insurance companies are in a difficult position of having to devise quasi-public policy,” Martin says, adding that while he cautiously welcomes AXA’s decision, it “should not be left to insurers to make public policy.”
Members of the Institute for Security and Technology’s Ransomware Task Force, on which Martin served earlier this year, split over the question of whether paying a ransom should be illegal, with several participants expressing concern that such a rule would “criminalize the victim”.
McCabe questions the notion that ransomware losses have become too large or unpredictable a risk for carriers to insure, even as those losses continue to grow. “I don’t think the insurers have given up on that yet, or that the risk is uncontrollable, but it certainly has taken its toll in the past year and beyond,” McCabe said. The risk has hit AXA very directly: its Asia Assistance division was struck by ransomware just weeks after the company decided to suspend coverage of ransom payments in France. It is unclear whether the attack is related to the company’s earlier announcement, but it is another reminder of how poorly equipped many insurers are to protect their own systems from ransomware, let alone to instruct policyholders on how to do so.