AXA ends ransomware payment coverage in France

In a purported industry first, the French insurer will no longer reimburse clients for extortion payments made to cybercriminals.

A French national flag and a flag displaying the AXA SA logo fly outside the insurance company’s headquarters in Paris, France, on March 6, 2018. (Photo: Christophe Morin/Bloomberg)

French insurer AXA announced on May 6 that it has stopped writing cyber insurance policies with reimbursement coverage for ransomware extortion payments made to cybercriminals, the Associated Press reported.

The move is an apparent first for the insurance industry, said the AP, which also noted that AXA told it the cessation applies only to France, does not affect existing policies, and does not impact coverage for responding to and recovering from a ransomware attack.

It is unknown whether U.S. cyber insurers will follow AXA’s path; however, Michael Phillips, chief claims officer at Resilience, told the AP that he doesn’t expect insurers to impose restrictions stateside.

But, if U.S. insurers did decide to restrict cyber insurance coverage in a similar manner, Vincent E. Morgan, partner at Bracewell LLP, foresees possible claims arising from insureds.

“For example, carriers that drop ransomware coverage may face claims that they didn’t do so in a legally sufficient way, especially given the typical use of broad insuring agreements covering ‘loss,’” Morgan told PropertyCasualty360.com. “They may also face claims based on policyholder expectations in some jurisdictions, which is particularly challenging in renewal policies. As policyholder counsel, these are the conversations we’d expect to have with our clients who may be surprised by a sudden change from their insurers.”

Ransomware epidemic

According to anti-malware software company Emsisoft, France’s private and public sectors will face an estimated $638,955,546 in ransom demand costs in 2021 — the second-highest cost worldwide, only behind the U.S., which faces more than $2 billion in ransomware risk.

French justice and cybersecurity officials cited the sky-high expense of responding to ransomware during a Senate roundtable in Paris in April, the AP reported. There, cybercrime prosecutor Johanna Brousse said, “The word to get out today is that, regarding ransomware, we don’t pay, and we won’t pay.”

Ransomware payment coverage has been criticized in the past for fueling cyberattacks by incentivizing criminals to target businesses.

“Absolutely, that’s 100% why they [hackers] do it — to get the ransom,” said Dykema Gossett member Sean Griffin to PropertyCasualty360 sister site Legaltech News in December. “The more likely they’re to get the ransom, and the higher the ransom is going to be, the more likely they’re going to do it.”

Insurers, however, have pushed back on that notion.

Tim Francis, enterprise cyber lead at Travelers, also told Legaltech News that ransomware attacks would continue regardless of whether cyber insurance policies existed or not.

“I’m quite certain if cyber insurance went away tomorrow, ransomware attacks wouldn’t go away tomorrow,” Francis said. “I think threat actors will continue to take advantage of organizations, and frankly, whether a company is insured or not isn’t going to prevent a threat actor from taking over a company and trying to extort them for money.”
