Global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
AXA said it was suspending the option in response to concerns raised by French justice and cybersecurity officials during a Senate roundtable in Paris about the devastating effects of ransomware, ABC News reports.
“The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” cybercrime prosecutor Johanna Brousse said at the hearing.
Only the U.S. surpassed France last year in damage from ransomware to businesses, hospitals, schools and local governments, according to the cybersecurity firm Emsisoft, estimating France's related overall losses at more than $5.5 billion, says ABC News.
Christine Weirsky, spokeswoman for the U.S. AXA subsidiary, a leading underwriter of cyber insurance in the U.S., said the suspension only applies to France, does not affect existing policies, and doesn't affect coverage for responding and recovering from ransomware attacks.
Jack Kudale, founder and CEO of Cowbell Cyber, says, "This decision is not a surprise to us. In fact, other carriers may follow the suit. However, businesses need protection from these events and in some cases even from going bankrupt due to ransomware. Ransomware attacks trigger losses beyond just ransom payments - business interruption that follows the ransom event, notification, restoration, credit monitoring, forensics, crisis management etc…, collectively, usually costs more than the actual demand for ransom. Closed-loop risk management, continuous risk assessment and aligning cyber insurance coverages more closely to evolving exposures are more comprehensive and long term solutions than deciding not to pay.“