A medium-sized company takes out insurance against cyber risks, and then falls victim to a ransomware attack. Begrudgingly, its administrators cough up the ransom.
Should the insurer reimburse the company? This is a question that divides the industry.
Foyer’s cyber insurance product, for example, covers assistance, property damage and civil liability--but not ransom. “For the simple reason that paying a ransom doesn’t solve the customer’s problem in the vast majority of cases,” explains Kris Van Roye. “We prefer to concentrate on the solution rather than paying a sum without any certainty that the situation will be resolved.”
Luxembourg’s Insurance and Reinsurance Company Association (Aca) does not have a clear-cut position on the subject, says its managing director, who nevertheless expressed doubt over the prospect of covering ransom: “Personally, I fear that this will encourage crime and lead to a relaxation of vigilance.”
Of course, Hengen continues, “paying the ransom is most often the only way to recover the data.” The problem, in his view, is that insurers who cover this payment run the risk of being subject to criminal prosecution because of anti-money laundering provisions. “Giving a legal appearance to income of criminal origin is not really in line with the AML provisions,” he says, adding that the issue should be further clarified with legislation.
The stance in France
In France, the situation is clearer: the government passed legislation on 24 January 2023 that allows insurance companies to compensate policyholders after payment of a ransom, on the sole condition that the victim of a ransomware attack lodges a complaint within 72 hours of becoming aware of the attack.
France Assureurs is pleased with the law. The industry federation has vigorously defended the insurer’s right to compensate victims of cyber attacks. Christophe Delcamp, director of property and casualty insurance, draws a parallel to a well-established product: “Coverage for vehicle theft has existed since the 1950s, and covering it doesn’t mean we encourage the development of mafias.”
“The main objective is to provide solutions for policyholders,” he continues. “Payment of compensation is the last resort. Insurers carry out a risk analysis at the time of underwriting. They check that the company has adopted the right preventive measures, that it is properly protected. This creates a positive dynamic.”
Delcamp argues that, if the law prohibited compensation for cyber breaches, “there would be much less incentive to take out insurance and implement preventive measures.” This, in turn, would make companies even easier targets for cyber attacks. “What’s more, when we made a comparison with other countries, we realised that no country--with the recent exception of Portugal--has prohibited the coverage of ransomware attacks.”
The mandatory reporting of cyber claims by victims is a central point of the argument. “It really is a virtuous circle of good intelligence between policyholders, insurers and public authorities,” says Delcamp. In other words, this practice would not only lead to better risk management, but also to a more effective fight against cybercrime, by providing the authorities with the information they need to apprehend criminals.
“There is demand”
The French law has been in force for over a year. Was the fear that cybercriminals would get a free ride unfounded? Delcamp remains cautious. “At first sight, there has been no deterioration in the claims experience,” he says, referring to feedback compiled by the ministry of the interior.
The decision to offer cyber coverage rests with each company, and France Assureurs does not yet have data for the past year. However, Delcamp believes that “if this coverage is being sold, there is demand for it.”
This article first appeared in Paperjam. It has been translated and edited for Delano.