AXA axes ransomware insurance. Who’s next?

Richi Jennings Your humble blogwatcher, dba RJA

Huge multinational insurance firm AXA Group has announced it will no longer write cyber-insurance policies that pay out extortionate ransoms to hackers. So far, this applies only to France, but observers wonder if the strategy will spread.

It’s a start. The question is: Will other insurers follow suit in other countries? After all, an insurer’s willingness to pay up can only motivate the ransomware scrotes.

As the French say, pour encourager les autres. And, yes, it might well encourage other insurers to get serious about this knotty problem. In this week’s Security Blogwatch, we’re careful with that AXA, Eugene.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hilarious train remix.

End of the beginning?

What’s the craic? Frank Bajak and Elaine Ganley report—AXA halts ransomware crime reimbursement:

In an apparent industry first, the global insurance company AXA … will stop writing cyber-insurance policies … that reimburse customers for extortion payments made to ransomware criminals. [It] only applies to France and does not affect existing policies, said Christine Weirsky, a spokeswoman for the U.S. AXA subsidiary, a leading underwriter of cyber-insurance.

The insurance industry has come under considerable criticism for reimbursing ransom payments. [But] many victims, such as cash-strapped state and local governments, haven’t adequately invested in security and are easy prey for ransomware criminals. … U.S. officials call ransomware a national security threat.

An 81-page urgent action plan delivered to the White House … by a public-private task force noted that enriching ransomware criminals only fuels more global crime, including terrorism. But the authors stopped short of advocating a ban … saying paying up can sometimes be the only way for an afflicted business to avoid bankruptcy.

So Tim Starks and Sean Lyngaas wonder if it will set a precedent:

Ransomware and cyber insurance experts had two reactions. They wondered why it took so long, and how long it would take others to follow suit.

The more victims pay, the more criminals attack, and the more cash it takes out of victims’ and insurers’ pockets. AXA’s decision … appears to be the first time an insurer said it will no longer cover ransomware payments, though it was not a surprise to industry observers. … Even if the move starts a trend, though, more work will be necessary.

That France is the nation where an insurer first swore off of ransomware payouts makes sense. [It was] the subject of a French Senate hearing last week where a cybercrime prosecutor reportedly said, “The word [is] we don’t pay and we won’t pay.”

Even if insurers mimic AXA, it’s clear ransomware will still impose incident costs for victims and insurance companies alike. … A spokesperson for AXA XL, a U.S. subsidiary of the French company, said the announcement … doesn’t apply to ransomware-related incident cleanup costs.

Why not just make it illegal? In many ways, it already is—as paxys points out:

There are several laws already on the books which address this – various international sanctions … anti-terrorism laws (can't pay ransom to a known terrorist group), anti-money laundering laws and more. [But] there is nothing stopping the government from enacting more.

Or just privatize the fix? As suggested by Lab Rat Jason:

These ransoms are big enough now that someone could turn the tables by simply publishing a bounty: 50% of the ransom will be paid to the person who rats out his comrades. First one to squeal wins, and if that person cannot be brought to justice via international treaties, then perhaps we let the rules of war apply.

I'm sure there are lots of security researchers in the US who have the skills to identify these guys, but just lack the proper motivation. … Our government was unable to secure the OPM [and] FermiLab; they are absolutely incompetent. [They] should hand this off to the private sector just like [they’ve] basically ceded space launches to the private sector.

As Dan Aykroyd said in the original Ghostbusters, "I've worked in the private sector. They expect results!"

And there might be another reason for insurance not to pay out. Here’s steerablesafe:

If an insurance pays off ransomware attackers, then it seems like a viable target for insurance fraud.

But Jan-Marten Spit wants insurers to ensure better security: [You’re fired—Ed.]

No one should be able to insure against having flimsy security and no protected backups — it stimulates bad practice.

The rabbit hole goes deeper. oneplane cuts to the chase:

If the interviews on infosec podcasts are any indication, insurance also means complacency on a management level because "we have insurance," and the insurers don't require you to actually make your security better. So being cyber-insured [means]:

- likely to have money to pay the ransom
- probably not really implementing strong security policies
- management more important than reality, so engineering buy-in unlikely which also means backups and redundancies unlikely to be effective at the target

This makes you wonder who ends up paying for all of this (with time, energy, money, mental health).

Wait. Pause. Joseph Cox picks up the next shoe to drop—Pipeline Hackers Say They’re ‘Apolitical’:

The criminal hacking group suspected of being behind the ransomware attack on the Colonial Pipeline … has published a new statement on its dark web site. … "Our goal is to make money, and not creating problems for society. … From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future," it read.

Is that … an apology? Whatever it is, timholman’s not buying it:

These slimeballs have attacked plenty of critical infrastructure in the past, including hospitals. They aren't just apolitical; they are absolutely immoral.

What has happened behind the scenes to cause them to publish this message? Maybe they have received some anonymous emails along the lines of "We know who you are." Maybe one or two of their members have suddenly vanished.

The U.S. does not lack the resources or capability to retaliate. All it takes is sufficient motivation … and these guys may have finally crossed that line.

Meanwhile, gostsamo offers this translation:

We've discovered omissions in our processes that we've fixed now, and we promise much better service to our future victims.

The moral of the story?

Is this the start of a trend? If so, your organization can’t rely on insurance in the future.

And finally

Czech trains are so musical

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Laurent Grassin (cc:by)