Cyber attacks and ransoms: what role do insurers play?

A recent report by the Haut Comité Juridique de la Place Financière de Paris, on the insurability of cyber risks, opposes a possible ban on ransom payments by insurers. The High Committee had been asked by the French Ministry of the Economy and Finance to examine the issue, in light of the growing number of cyber-attacks on companies by hackers demanding ransom payments.

Insurers accused of encouraging ransom demands

France tops the list of countries targeted by ransomware, malicious software that blocks access to files or an entire computer system until a ransom is paid.

Last April, insurers offering cyber-attack coverage, although few in number, were singled out by Guillaume Poupard, Director of the French National Agency for Information Systems Security (Anssi), and Johanna Brousse, Deputy Public Prosecutor in charge of cybersecurity at the Paris Public Prosecutor's Office.

According to them, by agreeing to pay the ransoms demanded to allow companies to access their data again, insurers were playing into the hands of hackers. More specifically, Anssi and the Paris Public Prosecutor's Office accused insurers of preferring to pay ransoms rather than much higher compensation for damage in the event of permanent data loss.

Insurers had defended themselves by explaining that they only paid ransoms as a last resort, and that the final decision on whether or not to pay rested with the customer who was the victim of the cyber attack.

Haut Comité warns of risk of "competitive imbalance"

Despite the insurers' counter-arguments, the criticisms levelled by Anssi and the Paris Public Prosecutor's Office had been heard. Last October, for example, a parliamentary report published by an LREM MP advocated a ban on ransom payments by insurers, as well as sanctions for "companies, administrations or local authorities that proceed with ransom payments".

In response, several insurers, including AXA France, decided to stop offering this cover to their customers, at least temporarily, pending a decision from the French authorities.

The Haut Comité Juridique de la Place Financière de Paris (High Legal Committee of the Paris Financial Market), asked by Bercy to rule, came out against a ban on ransom payments by insurers, arguing in particular that "insurers cover the consequences of theft for victims, even if the theft is criminally reprehensible".

However, according to the Haut Comité's January 28, 2022 report on the insurability of cyber risks, "insurers have never been accused of being behind the development of theft because they compensate the victims of these offences. On the contrary, insurers have played and continue to play an active role in the development of a whole ecosystem of prevention and protection of economic players against theft".

Furthermore, the report points out that prohibiting the insurability of ransoms at national level would result in "a competitive imbalance", if the same rules did not apply "to foreign insurers covering cyber risks located in France". French companies that fall victim to cyber attacks would also be penalized compared to those located in another member state that allows ransomware insurability.

The High Committee does, however, suggest a number of areas for improvement, including:

  • making it compulsory to file a complaint,
  • strengthening public measures in favor of cyber protection,
  • in this context, calling for "cooperation between insurers and the judicial and police authorities to provide the best possible framework for ransom payments".