AXA’s frustration at the lack of regulatory clarity is understandable given the ambiguous approaches that many governments have taken to the issue. In the United States, authorities have discouraged ransom payments but have not banned them, even though last October the Treasury Department issued an advisory warning that some ransom payments may be illegal if they are made to sanctioned organizations or individuals. In many ways, however, that advice only adds to the confusion, since it is often not immediately clear exactly who is behind a cyberattack or who will receive a particular ransom payment.
Globally, it is “an area devoid of law,” says Ciaran Martin, a professor of practice at Oxford University and former chief executive of the UK’s National Cyber Security Centre. “There is also no evidence that countries are moving to tell insurers not to pay ransoms,” says Martin. “France has a tradition of informally transmitting messages to large corporations, and that seems perhaps to be what is happening” in the AXA case.
Regulators aren’t the only ones worried about insurers paying ransoms. Carriers are also concerned about the number and size of claims related to ransomware. Growing claims have led to significant increases in premiums and deductibles for cybersecurity policies, says Matthew McCabe, senior advisor to global insurance broker Marsh. This week, meat processing company JBS confirmed it had paid an $11 million ransom; some recent ransomware demands have been as high as $50 million.
McCabe and others in the insurance industry are skeptical that a ban on ransom payments would necessarily lower the prevalence of ransomware. They fear, however, that a ban could mean insurers would have to pay more claims for business interruption and data restoration services.
“If you ban ransomware payments, what does that look like? Because if it’s a fine to companies of 10 percent of what they paid to the ransomware gang, that doesn’t make it illegal, it’s just adding a premium to the payment,” says Tarah Wheeler, a cybersecurity fellow at the Belfer Center for Science and International Affairs at Harvard Kennedy School.
McCabe also suggests that preventing insurers from covering ransom payments could make it harder for them to ask their customers to take preventive security measures. He argues that insurance carriers are well positioned to push companies to shore up their defenses, although there is little evidence that this has worked in practice. Nor is it clear in all cases that insurers prefer not to pay ransoms on behalf of their policyholders. “Companies would rather pay a few million in ransoms than tens of millions for the loss of data guaranteed by the insurance policy they took out,” said Guillaume Poupard, director of the French cybersecurity agency ANSSI, at the round table that prompted the AXA decision. “We’re going to do a lot of work to break this vicious circle around the payment of ransoms.”
But while the issue of ransomware payments will ultimately fall to regulators, governments have largely not been willing to do this work. “Unless governments decide to ban ransom payments, insurers are in the difficult position of inventing quasi-public policies,” says Martin, adding that while he will “cautiously accept the AXA decision,” it “should not be left to insurers to make public policies.”
Members of the Institute for Security and Technology’s Ransomware Task Force, on which Martin served earlier this year, were divided over whether paying ransoms should be illegal, with many participants expressing concern that such a decision would essentially “criminalize victimization.”
McCabe is skeptical of the idea that ransomware is too large or too unpredictable a risk for carriers to manage, even as it continues to grow. “I don’t think insurers have given up on that, or that the risk isn’t manageable, but it’s certainly taken its toll over the past year and beyond,” McCabe said. It continues to take a very direct toll on AXA, whose Asia Assistance division was hit by a ransomware attack a few weeks after the company’s decision to suspend ransom payment coverage in France. It’s unclear whether the attack is related to the earlier announcement, but it’s another reminder of how poorly equipped many insurers are even to protect their own systems from ransomware, much less to instruct their policyholders on how to do so.