What if cyberinsurance didn’t cover ransomware payments?

Thank you for subscribing to the reader-sponsored edition of the twice-weekly Parallax View newsletter. If you are a legacy subscriber of The Parallax View, we are so grateful for your support over the past six years that we have gifted you a premium subscription. If you like our reporting, please share it! This project depends and thrives on your contributions.

Following a French Senate hearing on ransomware held in April, at which French cybercrime prosecutor Johanna Brousse reportedly stated that “we don’t pay, and we won’t pay” ransomware demands, a global insurance company made a momentous—and potentially trend-setting—corporate announcement.

On May 6, AXA said it would stop writing new cyberinsurance policies covering ransomware attack payouts in France. The decision does not affect existing insurance policies covering ransomware attacks, AXA spokeswoman Christine Weirsky told the Associated Press. (A week later, perhaps not coincidentally, AXA’s Asian division was hit by a ransomware attack.)

Nevertheless, AXA’s rescission in France—second only to the United States in incurred overall ransom demands and downtime costs across domestic organizations, according to an analysis published in April by researchers at cybersecurity company Emsisoft—could have wide-ranging ramifications for organizations across the world that are routinely targeted by ransomware.

In the first half of 2020, ransomware accounted for 41 percent of all cyberinsurance payouts. And as we reported in March, ransomware attacks against health care are on track to surpass those in 2020, a banner year. A skyrocketing rise in ransomware incidents and costs across sectors, combined with a country’s stated vow not to capitulate to ransomware gangs’ demands, has at least AXA starting to back away from its cyberinsurance business model.

"The way things are going in this space, we’ll see an insurer who cannot afford [to cover the cyberattacks] against their clients" —Kate Fazzini, CEO, Flore Albo