Examining the Cyber Insurance Debate Around Ransomware Payments
Following talks with French officials, AXA announced in May that it would no longer write cyber insurance policies that reimburse customers for ransom payments made to ransomware hackers. The policy will only apply to French customers and does not affect existing policyholders or coverage for responding to and recovering from ransomware attacks. The decision appears to be an industry-first amongst cyber insurers.
Ransomware attacks rely on victims paying up to regain access to hacked IT systems. Only once ransoms are paid do the hackers provide details on how to recover encrypted networks. Aon estimates that some of the most sophisticated ransomware attacks now average over $780,000 per payment. In these scenarios, cyber insurers are faced with an extremely high claims payout.
By GlobalData
Following the Colonial Pipeline ransomware attack and the similar attack on Axa’s Asia division just days after this policy was announced, it is clear that we are experiencing a global ransomware epidemic. Cybersecurity firm Emsisoft estimates that the total cost of these cyberattacks to French businesses was roughly $5.5bn in 2020, based on over 4,400 attacks. This makes France the second most frequently targeted country by ransomware globally, with the US in first place.
An end to the ransomware cycle
While not reimbursing ransom payments could cripple victims of these cyberattacks, Axa’s decision could push clients to place a greater focus on their cybersecurity measures. Similar moves from other cyber insurers could help end the ransomware cycle, a problem perpetuated by continuous ransom payouts. While Axa’s policy is limited to France, a more global movement amongst insurers to end reimbursement for ransom payments could lead to a declining number of ransomware attacks.
Balancing profitability and accessibility will be a key priority
More generally, digitalization means cyberattacks are becoming increasingly common. The rising claims costs of these attacks mean that insurers face a trade-off between offering affordable premiums and providing extensive coverage for their customers. Cyber insurance premiums are already rising; data from Aon shows that from the start of April to mid-May 2021, premiums rose by 27% compared to 2020 levels.
While the Axa policy is the first of its kind, other insurers are placing increasingly stringent criteria on their cyber insurance policies. For example, to limit risk exposure, AIG will assess a business’s existing security measures before underwriting coverage. Balancing the profitability of cyber policies while maintaining insurance accessibility is likely to be a key focus for cyber insurers. If cyber risk grows too high, public-private insurance partnerships could emerge as the most practical way of protecting against cyberattacks.