AXA France, the regional division of European insurance giant AXA Group and France’s largest general insurer, has announced that it will no longer reimburse ransomware payments for customers within the country. The new terms apply only to policies written from now on; they come as average payouts have spiked over the past year and governments weigh banning ransomware payments outright as a way to stem the rising tide of attacks.
Ransomware payments halted amidst national uncertainty
The move is a first for the cyber insurance industry, which generally covers at least some portion of ransomware payments for policyholders. AXA told the media that it was making the change in response to uncertainty within the French government about the legal status of ransomware payments going forward. At a Senate meeting in Paris last month, some legal and cybersecurity officials raised the prospect of making these payments illegal in an attempt to cool off the hottest recent sector of cyber crime.
Ransomware has plagued organizations worldwide during the pandemic, but France has been unusually hard-hit: it stands second only to the United States in total losses over the past year, at $5.5 billion in combined ransom payments and recovery costs. AXA will continue to cover damage and recovery costs, and existing policyholders are grandfathered in and keep their current ransomware payment coverage. New policyholders in France, however, will not be offered this coverage, at least until further notice.
Arguments for and against ransomware payments
While there is hardly a universal consensus on the issue, some cybersecurity experts are advising that ransomware payments be stopped entirely regardless of the circumstances. The primary argument from this camp is that ransomware has become so common that businesses are building the cost of payments into their risk management models, something that ultimately only encourages more ransomware attempts. If the ransomware gangs know that targets have a policy of paying to resolve the issue, they’ll swarm to the money.
The counter-argument is that some organizations find themselves with no real option but to pay. That might be because of the severity of the consequences, for example when a hospital’s patient care equipment becomes inoperable after a ransomware strike. In other cases, the company may face bankruptcy unless there is an immediate resolution. Considerations such as these appear to be staying the Biden administration’s hand on outlawing ransomware payments in the United States, in spite of a policy push to classify ransomware as a national security threat.
Some industry analysts expect that nations will first legislate better cybersecurity practices before introducing penalties for ransomware payments. While the investigation is still ongoing, the recent Colonial Pipeline incident illustrates how much room for improvement there is. Prior incidents at water utilities in the United States were traced back to outdated, poorly secured remote access software used by engineers, and a similar root cause is a distinct possibility in this case. France has an advantage in being governed by the EU’s General Data Protection Regulation (GDPR), but the record amount of damage caused by ransomware in the country in 2020 indicates that attackers still find ample weaknesses to exploit.
Cost of ransomware attacks
In France, the average ransomware payment has risen to €250,000 (over $300,000 USD), and recovery costs are often four to five times that amount. The average recovery time in the country now sits at three weeks. Ransomware was already enjoying a renaissance before 2020, but the pandemic supercharged it as organizations rushed to implement work-from-home arrangements and move to unfamiliar cloud-based services. Newly exposed endpoints and fresh targets for social engineering abound, and ransomware gangs often need to compromise only one device to get in the door and lock down a network.
Damages and cleanup costs have also been compounded by the rising trend of attackers exfiltrating sensitive data before encrypting drives, then threatening to publish it if the ransom is not paid (so-called double extortion). Besides putting extra pressure on the target, a data leak can expose the company to large regulatory fines and civil actions when personal data is released as part of the breach.
The issue of whether or not to put an end to ransomware payments is not easy to resolve with theory alone; it may take experimentation by several nations willing to go ahead with a legislative ban to prove out whether or not it actually cools off the criminal market. Ilia Kolochenko, Founder and Chief Architect of ImmuniWeb, sees both sides of the issue but views the ultimate solution as a culture of cybersecurity that motivates individuals to take care of their own houses: “On one side, this decision will likely hinder the flourishing ransomware business and indirectly incentivize would-be victims to implement better cybersecurity and enhance their cyber resilience. On the other side, the categorical ban will unfairly discriminate against enterprises who adequately care about their cyber defense but nonetheless fall victim to sophisticated attacks or because of their careless suppliers. Moreover, the total amount of ransom payments – paid in France and covered by cyber insurances – is a drop in the ocean of the global ransomware business and is highly unlikely to cause any material effect on cybercriminals. This move may also indicate that the cyber insurance business, at its very nascence, is not fully aware of the underlying risks of growing complexity and scale, and will eventually refuse to cover them under the pretext of a legislative trend. The only reliable way to combat ransomware is to motivate organizations to implement and maintain cybersecurity best practices, otherwise we are treating the outcome rather than the root cause.”