One company in five is the victim of at least one ransomware attack
According to the 6th annual Barometer published by CESIN (Club des Experts de la Sécurité de l'Informatique et du Numérique), 19% of French companies claim to have fallen victim to at least one ransomware attack in the course of 2020. Another study by insurer Hiscox found that two-thirds of companies are willing to pay a ransom to recover their data or unblock their information systems, a figure that illustrates the scale of the phenomenon. France is one of the world's top payers of ransomware.
This startling observation has alerted the public authorities. During a Senate hearing on the cybersecurity of SMEs on April 15, ANSSI and the Paris Public Prosecutor's Office attacked the role of insurers in the increase in ransomware cyberattacks.
The French market is divided on the issue of ransom payments
Guillaume Poupard, Director General of France's national information systems security agency (ANSSI), describes the ransom payment guarantee included in some insurers' policies as a "shady game". They "prefer to pay a few million in ransoms rather than a few tens of millions for the loss of data guaranteed by the insurance policy they have taken out" - a vicious circle that needs to be broken, in his view.
In response to these accusations, the French Insurance Federation (FFA) points out that "the payment of ransom is not an offence". While some insurance companies admit that paying ransom as a last resort is part of the promise of assistance made to customers, others choose to systematically refuse this action, even if it means missing out on several cases.
The French market is therefore divided on the question of ransom payments. For the ANSSI Director General, it is essential to"regulate these intermediaries".
Towards a ban on ransom payments by insurers
Faced with this situation, the authorities are considering an outright ban on ransom payments. In fact, the French Treasury has entrusted a mission to the High Legal Committee of the Paris Financial Center (HCJP) to work on this issue and draw up recommendations.
If this ban becomes effective, "it goes without saying that all economic players, insurers and companies alike, will comply with it", says the FFA. This decision will alsoencourage companies to invest in a genuine cybersecurity policy.