Earlier this week, Colonial Pipeline CEO Joseph Blount testified before the House Homeland Security Committee that his company had filed a claim with its cyberinsurance carrier for the $4.4 million cryptocurrency ransom it paid last month. This week, US authorities announced that they had managed to recover $2.3 million of that ransom, raising further questions about who would receive that money—Colonial Pipeline or its insurance carriers—and what signal it would send to ransomware victims and their insurers.
In May, the same week that Colonial Pipeline made its ransom payment, the insurance carrier AXA announced that it would stop covering ransom payments under its cyberinsurance policies in France. Around the same time, Swiss Re CEO Christian Mumenthaler said in an interview that “overall the problem [of cybersecurity] is so big it’s not insurable.” But anyone hoping that insurance companies might be the ones to break the cycle of million-dollar ransom payments will likely end up disappointed.
In fact, paying a ransom claim is often more appealing to insurers than having to cover all of the costs associated with restoring compromised systems and any resulting downtime or lost business their policyholders suffer. Blount, for instance, confirmed in his testimony that he had discussed the ransom with Colonial’s insurer prior to making the payment, and that he believed the insurer would ultimately cover the claim, suggesting the carrier had likely signed off on the decision to pay.
The role of insurance carriers in responding to ransomware attacks and paying ransom demands is often difficult to pin down, but it shows few signs of abating. Cyberinsurance carriers acknowledge that they have seen a growing number of claims for ransomware attacks and that they offer coverage for ransom payments, but, understandably, neither they nor their customers are eager to publicize just how often they cover ransom payments or how much they pay out in these cases. That’s partly because they don’t want to attract attention from regulators and others trying to discourage the payment of ransoms, and partly because they don’t want to attract the attention of cybercriminals who might use that information to target organizations with good cyberinsurance coverage. DarkSide, the group believed to be responsible for the Colonial Pipeline attack, reportedly searches the systems it infiltrates—prior to encrypting them with ransomware—to find information about the victims’ cyberinsurance coverage, and adjusts ransom demands accordingly.
Insurance coverage for ransoms has been criticized for years for potentially making victims more likely to pay ransoms, therefore encouraging more attacks. But these criticisms have had little impact on insurers. Even AXA’s decision to stop covering ransom payments in France is not as much of a bellwether as it might seem. Instead, it appears to have been motivated by a French Senate roundtable in April at which several regulators indicated their disapproval of ransom payments. “We will have to toughen up the tone in terms of ransom,” said cybercrime prosecutor Johanna Brousse at the event. “We no longer want to pay and we will no longer pay. Hackers must realize that France is not the goose that lays the golden eggs.”
While French authorities did not explicitly outlaw the payment of ransoms, AXA France spokesperson Corinne Gaudoux said in an email to WIRED that they indicated sufficient ambiguity on the subject that AXA France decided to “temporarily suspend” their coverage for ransom payments “until the French authorities clarify their position on whether or not it is permitted for insurers to cover ransom payments.” In the meantime, AXA France will continue to cover other costs associated with ransomware—including the costs of restoring computer systems and data, hiring expert computer assistance, consecutive operating losses, and legal protection costs. AXA divisions in other countries are continuing to offer coverage for ransom payments.
AXA’s frustration with the lack of regulatory clarity is understandable given the ambiguous approaches many governments have taken to the issue. In the United States, authorities have discouraged but not outright forbidden the payment of ransoms, though last October the Treasury Department released a notice warning that some ransom payments might be illegal if they are made to sanctioned organizations or individuals. In many ways, though, that advisory only added to the confusion, since it’s often not immediately clear exactly who is behind a cyberattack or likely to receive a particular ransom payment.
Globally, it’s “an area devoid of law,” says Ciaran Martin, a professor of practice at Oxford University and former chief executive of the UK National Cyber Security Centre. “There’s no evidence yet that countries are moving toward telling insurers not to pay ransoms,” Martin says. “France has a tradition of informally conveying messages to large corporations, and that sounds like possibly what has happened” in the case of AXA.
Regulators aren’t the only ones worried about insurers paying ransoms. The carriers are also concerned about the number and size of ransomware-related claims. Rising claims have led to significant increases in cyberinsurance policy premiums and deductibles, says Matthew McCabe, a senior adviser at global insurance broker Marsh. This week, meat processing company JBS confirmed it had paid an $11 million ransom; some recent ransomware demands have reportedly been as high as $50 million.
McCabe and others in the insurance industry are skeptical that a ban on ransom payments would necessarily drive down the prevalence of ransomware. They fear that, instead, a ban could potentially mean that insurers would have to pay out more claims for business interruption and data restoration services.
“If you forbid payment of ransoms, what does that actually look like? Because if it looks like fining companies 10 percent of what they paid to the ransomware gang, that's not making it illegal, that's just adding a premium to the payment,” says Tarah Wheeler, a cybersecurity fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs.
McCabe also suggests that barring insurers from covering ransom payments might make it harder to require their customers to take preventive security measures. He argues that insurance carriers are well-positioned to encourage companies to shore up their defenses, although there’s little evidence to suggest that has worked in practice. Nor is it clear in every case that insurers would rather not pay ransoms on behalf of their policyholders. “Companies prefer to pay a few million ransoms rather than tens of millions for the loss of data guaranteed by the insurance policy taken out,” said Guillaume Poupard, director of French cybersecurity agency ANSSI, at the roundtable that prompted the AXA decision. “We must do a lot of work to break this vicious circle around the payment of ransoms.”
But while the ransomware payment question will ultimately lie with regulators, governments have been largely unwilling to do that work. “Unless governments decide to ban ransom payments, insurers are in a difficult position of having to invent quasi-public policy,” Martin says, adding that while he would “welcome the AXA decision cautiously” it “shouldn’t be left to insurers to make public policy.”
The members of the Institute for Security and Technology Ransomware Task Force that Martin served on earlier this year were split on the question of whether paying ransoms should be illegal, with several participants expressing concerns that such a decision would essentially “criminalize victimhood.”
McCabe is skeptical of the idea that ransomware is too big or unpredictable a risk for carriers to manage, even as it continues to grow. “I don’t think insurers have given up on it yet, or that the risk is unmanageable, but it’s certainly taken its toll in the past year and beyond,” McCabe said. It’s continuing to take a very direct toll on AXA, whose Asia Assistance division was hit by a ransomware attack just weeks after its decision to suspend ransom payment coverage in France. It’s unclear whether the attack is related to the firm’s earlier announcement, but it’s another reminder of just how ill-equipped many insurers still are to protect their own systems from ransomware—much less instruct their policyholders in how to do so.