French insurer AXA’s withdrawal from writing extortion payment policies is an unmistakable sign that the Goldilocks years of cyber-insurance are coming to an end
In many ways the status quo of the insurance ecosystem has suited every player involved with the sector, from insurers and those they insure, to the criminals whose activities result in many a claim being made.
Insurers benefit because cyber-security is a new frontier for the sector: underwriting cannot draw on historic claims data, and the market’s volatility defies traditional risk modelling, so there is no actuarial benchmark to hold premiums down. Some analysts also suggest that in this emerging market insurers could achieve better loss ratios (claims paid as a proportion of total premiums) than, for example, in the traditional property and casualty line of business.
Extortion cover, and cyber-insurance in general – the latter also covering data breaches and financial scams – has been a hit with businesses because it offers a cheap substitute for cyber-risk management. Instead of maintaining firewalls, filtering email and scanning for malware, all a business needs to do is take out a policy and stop worrying about cyber-security.
Cyber-criminals have set great store by both finding the most suitable victims – preferably ones holding an extortion payment policy – and pitching ransoms in line with the company’s financial stature. Charities, for example, are easier to hack but can, for obvious reasons, pay only relatively modest amounts.
As paying a ransom is not illegal in the UK unless the payees are terrorists, insurers have gone out of their way to create an all-inclusive service that not only reimburses the ransom but also spares victims the trouble of negotiating with cyber-criminals or converting fiat currency into cryptocurrency, primarily bitcoin, which attackers favour because it is harder to trace than a bank transfer (though not untraceable: bitcoin is pseudonymous rather than anonymous, and every transaction sits on a public ledger). And just as insureds have found it easier to pay a premium than to put every aspect of a strong cyber-security posture in place, insurers have found it cheaper to haggle with cyber-criminals and deal with crypto-exchanges than to pay out far larger sums for business interruption and remediation.
There has recently been a lot of pressure on insurers to break the vicious spiral that has taken ransoms from five figures to seven. In May, Colonial Pipeline, the largest fuel pipeline in the US, confirmed that it had paid $4.4 million (£3.1 million) to an Eastern European hacker group to minimise disruption to critical infrastructure – and even with the fast-lane option of paying the ransom, recovery from the attack took two weeks.
AXA, whose American subsidiary AXA XL was one of the underwriters of Colonial Pipeline’s cyber-risk, has probably stopped its cyber-extortion payment line primarily in response to pressure from French justice and cyber-security officials.
But the economics point the same way: slowly rising premiums have failed to keep pace with the scale of ransom payouts, and the standalone cyber-security loss ratio soared from 34.3 per cent in 2018 to 72.8 per cent in 2020, dragging down underwriting performance to the point where the arrangement is unsustainable in its present form.
The duty to mitigate
Although AXA’s announcement that it would stop reimbursing cyber-ransom payments appears to have provoked a ransomware attack on its Asian offices, the withdrawal applies only to new policies underwritten by its French operation, and even there, AXA stressed, it does not affect cover for responding to and recovering from ransomware attacks.
AXA’s move, if copied by other leading insurers, could send ransomware, and cyber-insurance with it, back to the drawing board. Under the “duty to mitigate” principle, an insured that fails to take every reasonable step to avert or minimise its loss cannot recover the part of that loss which those steps would have avoided.
Taking out insurance instead of hardening defences is, at least in theory, clearly at odds with that principle. By analogy, no insurer will pay out on a home policy if the only thing securing the front door is a rusty padlock – the equivalent of running out-of-date anti-malware software.
If businesses large and small were nudged into investing more in their security posture, resilient cyber-security systems combined with employee education and the 3-2-1 backup rule – keep three copies of the data, on two different media, with one copy off-site – could cut the ground from under the feet of bad actors. One practitioner’s caveat: ransomware crews routinely encrypt or delete any backup they can reach over the network, so the off-site copy should be offline or immutable, not simply a mounted share in another building.
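The 3-2-1 rule is easy to state and easy to satisfy on paper while remaining exposed: two copies on the same NAS are not two media, and an off-site replica that production can write to is exactly what a ransomware crew will encrypt first. The checker below is an added example, not code from the original article or from AXA; it evaluates a constructed backup inventory against the rule and against the extra offline-or-immutable requirement. The BackupCopy fields, the site names and both inventories are hypothetical.

```python
"""Check a backup inventory against the 3-2-1 rule (three copies, two media,
one off-site) plus the ransomware-era refinement that at least one copy must
be offline or immutable, so an attacker with network access cannot encrypt it.
The inventories below are constructed for illustration, not a real estate."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str      # e.g. "disk", "tape", "object-storage"
    site: str        # physical site or cloud region holding the copy
    reachable: bool  # True if writable from the production network
    immutable: bool  # True if WORM / object-lock / retention-locked


def evaluate_321(copies, primary_site):
    """Return counts and a list of gaps; an empty 'gaps' list means the rule
    (with the offline-or-immutable refinement) is met. The inventory is
    expected to list every copy of the data, the production original included."""
    gaps = []
    media = {c.medium for c in copies}
    offsite = [c for c in copies if c.site != primary_site]
    # A copy survives a network-borne ransomware actor only if production
    # cannot reach it at all, or cannot overwrite it once written.
    hardened = [c for c in copies if (not c.reachable) or c.immutable]
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, need 3")
    if len(media) < 2:
        gaps.append(f"all copies on one medium ({', '.join(media)})")
    if not offsite:
        gaps.append(f"no copy outside {primary_site}")
    if not hardened:
        gaps.append("every copy is reachable and mutable from production")
    return {
        "copies": len(copies),
        "media": len(media),
        "offsite": len(offsite),
        "hardened": len(hardened),
        "gaps": gaps,
    }


# Constructed inventory 1: looks like 3-2-1 (three copies, one off-site) but
# everything is spinning disk on the network, so one compromised account
# can encrypt all of it.
NAIVE = [
    BackupCopy("production volume", "disk", "HQ", reachable=True, immutable=False),
    BackupCopy("nightly NAS snapshot", "disk", "HQ", reachable=True, immutable=False),
    BackupCopy("branch-office NAS replica", "disk", "Branch", reachable=True, immutable=False),
]

# Constructed inventory 2: adds vaulted tape (unreachable) and an object-lock
# bucket (reachable but immutable), satisfying both 3-2-1 and the refinement.
HARDENED = [
    BackupCopy("production volume", "disk", "HQ", reachable=True, immutable=False),
    BackupCopy("nightly NAS snapshot", "disk", "HQ", reachable=True, immutable=False),
    BackupCopy("weekly tape, vaulted", "tape", "Vault", reachable=False, immutable=False),
    BackupCopy("cloud object-lock bucket", "object-storage", "eu-west-1", reachable=True, immutable=True),
]

if __name__ == "__main__":
    for name, inventory in (("naive", NAIVE), ("hardened", HARDENED)):
        result = evaluate_321(inventory, primary_site="HQ")
        print(name, result)
```

The check deliberately counts media by type rather than by device, and treats a reachable copy as hardened only when it is immutable; a "disk snapshot" on the same NAS as the production share fails both tests, which is the state many victims discover only after the ransom note arrives.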
Critics of insurers have correctly identified the stakeholder with the most leverage over the ransomware epidemic. But the answer is not a refusal to pay the extortion money; it is to go back to the drawing board and redesign cyber-security policies in line with the time-tested rules of mainstream insurance.
That could also have the bonus of sparing national and federal governments the laborious legislative effort of banning ransomware payments.