Following talks with French officials, Axa announced in May that it would no longer write cyber insurance policies that reimburse customers for ransom payments made to ransomware hackers. The policy will only apply to French customers and does not affect existing policyholders or coverage for responding to and recovering from ransomware attacks. The decision appears to be an industry-first amongst cyber insurers.
Ransomware attacks rely on victims paying up to regain access to hacked IT systems. Only once ransoms are paid do the hackers provide details on how to recover encrypted networks. Aon estimates that some of the most sophisticated ransomware attacks now average over $780,000 per payment. In these scenarios, cyber insurers are faced with an extremely high claims payout.
Following the Colonial Pipeline ransomware attack and the similar attack on Axa’s Asia division just days after this policy was announced, it is clear that we are experiencing a global ransomware epidemic. Cybersecurity firm Emsisoft estimates that the total cost of these cyberattacks to French businesses was roughly $5.5bn in 2020, based on over 4,400 attacks. This makes France the second most frequently targeted country by ransomware globally, with the US in first place.
An end to the ransomware cycle
While not reimbursing ransom payments could cripple victims of these cyberattacks, Axa’s decision could push clients to place a greater focus on their cybersecurity measures. Similar moves from other cyber insurers could help end the ransomware cycle, a problem perpetuated by continuous ransom payouts. While Axa’s policy is limited to France, a more global movement amongst insurers to end reimbursement for ransom payments could lead to a declining number of ransomware attacks.
Balancing profitability and accessibility will be a key priority
More generally, digitalization means cyberattacks are becoming increasingly common. The rising claims costs of these attacks mean that insurers face a trade-off between offering affordable premiums and providing extensive coverage for their customers. Cyber insurance premiums are already rising; data from Aon shows that from the start of April to mid-May 2021, premiums rose by 27% compared to 2020 levels.
While the Axa policy is the first of its kind, other insurers are placing increasingly stringent criteria on their cyber insurance policies. For example, to limit risk exposure, AIG will assess a business’s existing security measures before underwriting coverage. Balancing the profitability of cyber policies while maintaining insurance accessibility is likely to be a key focus for cyber insurers. If cyber risk grows too high, public-private insurance partnerships could emerge as the most practical way of protecting against cyberattacks.