AXA’s frustration with the lack of regulatory clarity is understandable given the ambiguous approaches many governments have taken to the issue. In the United States, authorities have discouraged but not outright forbidden the payment of ransoms, though last October the Treasury Department released a notice warning that some ransom payments might be illegal if they are made to sanctioned organizations or individuals. In many ways, though, that advisory only added to the confusion, since it’s often not immediately clear exactly who is behind a cyberattack or likely to receive a particular ransom payment.
Globally, it’s “an area devoid of law,” says Ciaran Martin, a professor of practice at Oxford University and former chief executive of the UK National Cyber Security Centre. “There’s no evidence yet that countries are moving toward telling insurers not to pay ransoms,” Martin says. “France has a tradition of informally conveying messages to large corporations, and that sounds like possibly what has happened” in the case of AXA.
Regulators aren’t the only ones worried about insurers paying ransoms. The carriers are also concerned about the number and size of ransomware-related claims. Rising claims have led to significant increases in cyberinsurance policy premiums and deductibles, says Matthew McCabe, a senior adviser at global insurance broker Marsh. This week, meat processing company JBS confirmed it had paid an $11 million ransom; some recent ransomware demands have reportedly been as high as $50 million.
McCabe and others in the insurance industry are skeptical that a ban on ransom payments would necessarily drive down the prevalence of ransomware. They fear that, instead, a ban could potentially mean that insurers would have to pay out more claims for business interruption and data restoration services.
“If you forbid payment of ransoms, what does that actually look like? Because if it looks like fining companies 10 percent of what they paid to the ransomware gang, that’s not making it illegal, that’s just adding a premium to the payment,” says Tarah Wheeler, a cybersecurity fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs.
McCabe also suggests that barring insurers from covering ransom payments might make it harder to require their customers to take preventive security measures. He argues that insurance carriers are well-positioned to encourage companies to shore up their defenses, although there’s little evidence to suggest that has worked in practice. Nor is it clear in every case that insurers would rather not pay ransoms on behalf of their policyholders. “Companies prefer to pay a few million ransoms rather than tens of millions for the loss of data guaranteed by the insurance policy taken out,” said Guillaume Poupard, director of French cybersecurity agency ANSSI, at the roundtable that prompted the AXA decision. “We must do a lot of work to break this vicious circle around the payment of ransoms.”
But while the ransomware payment question will ultimately lie with regulators, governments have been largely unwilling to do that work. “Unless governments decide to ban ransom payments, insurers are in a difficult position of having to invent quasi-public policy,” Martin says, adding that while he would “welcome the AXA decision cautiously” it “shouldn’t be left to insurers to make public policy.”
The members of the Institute for Security and Technology Ransomware Task Force, on which Martin served earlier this year, were split on the question of whether paying ransoms should be illegal, with several participants expressing concerns that such a decision would essentially “criminalize victimhood.”
McCabe is skeptical of the idea that ransomware is too big or unpredictable a risk for carriers to manage, even as it continues to grow. “I don’t think insurers have given up on it yet, or that the risk is unmanageable, but it’s certainly taken its toll in the past year and beyond,” McCabe said. It’s continuing to take a very direct toll on AXA, whose Asia Assistance division was hit by a ransomware attack just weeks after its decision to suspend ransom payment coverage in France. It’s unclear whether the attack is related to the firm’s earlier announcement, but it’s another reminder of just how ill-equipped many insurers still are to protect their own systems from ransomware—much less instruct their policyholders in how to do so.