Faced with a seemingly endless series of cyberattacks through ransomware, some businesses are now turning to insurers to make sure they are in a position to pay eventual ransoms. Insurers indeed realized a while back that some companies would pay to insure against the risk of facing cyberextortion and having to pay to recover their own data. Once insured with such coverage, a business can essentially have the insurer pay the ransom that cybercriminals are requesting once the business falls victim to ransomware that encrypts its data.
Recently, the European insurer AXA decided to stop offering this type of coverage, in France, including because of certain comments from French authorities about the fact this type of coverage was essentially counterproductive and, as such, may be something that France would soon prohibit. Indeed, according to many (including the FBI), the existence of insurance coverage of this type in fact encourages the ransomware industry, because it increases the odds of managing to convince the typical victim of such a cyberattack to pay a ransom.
In what may be a clue that not offering this type of coverage does play into the hands of criminals, shortly after its announcement, AXA’s Web servers were the object of a DDoS attack from criminals, in what may be seen as retaliation. It seems criminals do want insurers to keep paying ransoms, which may be a reason to rethink allowing it, in the future, if you ask me.
Even though forbidding payments by insurers is not likely to stop ransomware, many are now calling for a global strategy that may allow us to collectively fight the problem, including by stopping to throw oil on the fire, so to speak. Sure insuring against this risk is convenient but is it the right thing to do in the grand scheme of things? The question stands.