AXA France suspended ransom payment reimbursements as part of its cyber insurance policies, and infosec experts say others in the private industry may follow suit.
As ransomware attacks continue to rise at an alarming rate, and cybercriminals finance future operations with the profits, stopping them has become a priority for both the private sector and government agencies across the globe. Different methods have been employed by the government recently, from ramping up sanctions to disrupting the illicit economy of ransomware, and now AXA France is testing out a method of its own. The global company is one of the first cyber insurers to put a halt on ransom payment reimbursements, though other aspects of its policy will not change. Infosec experts and vendors say this could mark the beginning of informal bans amongst the private industry, in addition to government-imposed laws and regulations.
The move was first reported by the Associated Press last week. An AXA spokesperson told SearchSecurity that after recent comments made by the Paris Public Prosecutor's Office and the French National Agency for the Security of Information Systems during their hearing at the French National Assembly, the subject of ransom reimbursement has become a key issue for cyber insurance in France.
"In this context, AXA France, which had added an option to its range in this respect, deemed it appropriate to suspend marketing until the consequences of these analyses are drawn and the framework for insurance intervention is clarified. It is essential that the public authorities give concrete expression to their position on this subject in order to enable all market players to harmonize their practices," an AXA France spokesperson said in an email to SearchSecurity.
"While waiting for the decision of the public authorities, our customers keep all the other guarantees of their Cyber Secure contract to protect them in case of attacks, even by ransomware (costs of restoring the computer system and data, costs of expertise and computer assistance, consecutive operating losses, legal protection costs, major crisis service...)."
Emsisoft analyst Brett Callow said realistically, the only way to stop ransomware attacks is to make them unprofitable, and AXA's decision will go a little way towards that goal.
Morgan Wright, chief security adviser at SentinelOne, agreed that the only way ransomware gangs are able to operate is if they receive money. If the funds dried up, Wright said, they would cease to exist because the incentive would be gone. Again, the move by AXA is one step in that direction.
Other infosec experts are not surprised by the decision. Jared Phipps, senior vice president at SentinelOne, told SearchSecurity that ransom payments encourage further activity by the cybercrime community, so it's not surprising that insurers want to stop paying them. According to Phipps, insurers have paid because it was faster and cheaper than the cost of recovery otherwise.
"However, cybercrime greed has driven the ransoms so high that they are passing the inflection point and the cost savings for insurers is disappearing," Phipps said in an email to SearchSecurity.
Restricting ransom payments is becoming a more accepted concept, said Callow, and it is an important solution to the ransomware problem.
"I wouldn't be at all surprised to see other insurers follow AXA's lead," Callow said in an email to SearchSecurity.
An industry shift
The cyber insurance market has taken off in recent years, in part because enterprises want financial relief from expensive ransomware attacks. But some infosec experts have expressed concern that insurance policies that cover ransom payments may be leading to an increase in such payments -- and subsequent attacks.
But cyber insurance companies are already rethinking strategies, according to Richard Stiennon, chief analyst at analyst firm IT-Harvest, who said companies have started to include clauses that a covered entity could not publicize that they had ransomware insurance because that puts a target on their back. "Better to exclude ransomware from covered incidents. Force companies to self-insure," he said in an email to SearchSecurity.
Threat actors have become notorious for targeting specific entities, particularly vulnerable ones like critical infrastructures, hospitals and schools. Now, Ondrej Krehel, CEO and founder of LIFARS, a cybersecurity firm, said threat actors are targeting organizations with cyber insurance policies.
"I would say over the last two years, they target entities that they know have a policy and will pay. They pick their victims carefully," Krehel said. "It is not that hard to get data from brokers because they keep competitive analyses of who owns the policy and what the limit is so they can compete on pricing."
While AXA's suspension may work toward the goal of stopping cybercriminals' money flow, Ron Moritz, cybersecurity expert and member of The Analyst Syndicate, told SearchSecurity that it is likely a long overdue response.
"Hopefully the other insurance companies will respond, and, by doing so, it will force the cyber insurance client to actually do something before the attack. Like the ever cliché, good cyber hygiene," he said in an email to SearchSecurity.
The only way AXA's new policy will have a tangible impact, said Phipps, would be for all insurers to issue the same policy, which would have legal ramifications as they are obligated by law in many locations to obtain restoration of business services in the most expedient manner.
"What would probably be more effective in stopping the ransomware pandemic is for insurers to require proof of effective cyber technologies and operations before issuing the policy," Phipps said. "At this point I simply see this as a move by an insurer to protect themselves from outsized losses after not having done full diligence prior to issuing the policy."
While others in the private industry may follow AXA's lead, it will take much more to stop the influx of ransomware attacks. According to Wright, a combination of policy, technology and legislation is required.
Additionally, Callow said ransomware threats have come to the point where governments need to use every mechanism at their disposal to protect critical infrastructure, which is highly targeted in these attacks. A recent example occurred just last week when the DarkSide ransomware gang hit the U.S. Colonial oil pipeline.
"And taking steps to defund ransomware threat actors needs to be one of those mechanisms," Callow said.