Ransomware: Ransom payment, a dangerous game insurers continue to play…under certain conditions

Not everyone is reacting like the Corbeil-Essonnes hospital, which suffered a ransomware attack in August and says it will never pay the ransom demanded by the hackers (even though the GIGN negotiated it down from $10 million to $1 million).

62% of French companies that fell victim to ransomware paid the ransom, according to a report from insurer Hiscox, for which Forrester surveyed 900 French companies in late 2021 and early 2022. That is 3 points fewer than last year, which is just as well, given the latest research published on the subject.

Paying a ransom is not always profitable

Indeed, an IBM report assessing the average cost of cyberattacks between March 2021 and March 2022 indicates that paying the ransom is not always beneficial for the company. Paying lowers the overall bill for the attack by $610,000 on average, but that figure does not include the ransom itself, which according to Sophos is higher on average.

Another study, published in April 2022 by the cybersecurity company Cybereason and conducted among 1,456 companies with more than 700 employees (10% of them in France), shows that 68% of companies that paid were attacked again less than a month after the first attack. And only 42% recovered all of their data and full use of their information systems.

However, there is no longer any talk in France of banning ransom payments. Instead, the bill (LOPMI) put forward before the presidential elections aimed to clarify the issue by making reimbursement by cyber insurers conditional on the victim filing a complaint within 48 hours, so that “the competent authorities have the information necessary to bring the perpetrators of the offense to justice”.

A minority of insurers refuse to cover ransoms

Although Generali France and Axa France (with the exception of the large companies still insured by Axa XL) have declined to reimburse ransoms, they do not represent the position of most insurers. On July 21, 2022, the Geneva Association, the international insurance lobby, announced that it was opposed to government bans on ransom payments. “Prohibiting ransom payments or reimbursement by insurers will most likely lead to transactions being hidden, making it impossible for the authorities to record and analyze incidents and prosecute criminals,” it said.

“There are a good dozen top-tier insurers in the segment, and they generally cover costs arising from ransomware, including the ransom,” Guillaume Deschamps, director of financial risk for France and Eastern Europe at broker Willis Towers Watson (WTW), tells Usine Digitale. Among them are AIG, Chubb, Zurich, Axa XL, SMA, Hiscox, as well as, for example, Groupama and MMA.

“The ransom refund is automatically included in the damages covered by our cyber contracts, as well as in the business interruption option. We believe it is extremely important to be able to pay the ransom, as this can limit or avoid operational losses. We are here to help our clients, and in certain situations it is the best solution, and it can be more cost-effective,” says Hiscox, one of the oldest insurers in the French cyber insurance market, of which it holds about 10%.

The final decision always remains with the appraiser of the insurance company.

But be careful, “the idea is not to pay at any cost,” says Nicolas Kaddeche, CTO of Hiscox Assurances France. “First, we try to determine how sensitive the encrypted data is and whether there is a backup or another solution. We work with partners, chosen according to the type of client and attack, to qualify and contain the incident and prevent it from getting worse. The final decision is made by the expert. The decision is made taking into account operational and economic interests. If the client decides to pay on their own without the insurer’s consent, they are not reimbursed. If the insurer gives the green light, we help the client pay and negotiate.” Fewer than 60% of Hiscox customers pay the ransom.

Guillaume Deschamps of WTW fully understands this position. “In our opinion, the ransom should be part of the cyber insurance policy. Since it will never be a decision made solely by the client, this is not shocking.”

In addition to damage coverage and possibly equipment purchases, repairs and third-party damage (civil liability), the cyberattack management assistance services mentioned by Hiscox constitute another big benefit of cyber insurance, especially for VSEs and SMEs. Focusing only on ransom payment would be shortsighted, and it is usually not the reason a company decides to sign a contract.

Selected policyholders

But this insurance costs companies more and more. According to Amrae, the premiums paid by companies increased by more than 44% in 2021, even though the capacity underwritten (the maximum amount of guarantees) decreased by 32%. For large companies, for example, premium rates have doubled. A “horse cure” (drastic remedy), in Amrae’s words, to restore the profitability of cyber insurance for insurers. At Hiscox, whose main target is small and medium-sized businesses (up to 50 million euros in turnover), premiums have risen by an average of 15-25%.

Limits have also multiplied, with higher deductibles (on average €4 million for large companies, €7,670 for small companies and €32,217 for mid-sized companies), supplemented by “non-guaranteed shares” (for example, an insurer covers only 50% of ransomware-related costs) and “sublimits” (indemnity ceilings by damage category).

“Cyber insurance is complex. Insurers are very cautious, there are not so many solutions on the market, and they are very demanding on the quality of risks. It is not uncommon for questionnaires of 300 to 500 questions to be used to assess the risk quality of SMEs, but the technical expectations are so high that sometimes they cannot get insured,” explains Guillaume Deschamps.

Stoik, the insurance company that says no to ransom payments

Stoik, a newcomer to the cyber insurance market, does not have a lengthy questionnaire. The startup, which recently raised 11 million euros, aims to become the cyber insurance leader in the VSE-SME market (turnover up to 50 million euros) with one concept: insurance coupled with software that detects security vulnerabilities, which it also uses to qualify applications. Another feature of Stoik is that it flatly refuses to include ransom payments in its product. For its president, Jules Veyrat, this would be tantamount to “shooting yourself in the foot by fueling crime” and would “remove responsibility” from companies. He prefers to bet on prevention.

The startup covers companies for up to 1 million euros. Distributed through brokers, it expects between 800 and 1,000 contracts to be signed in 2022 and insists that not paying ransoms is in no way an obstacle to its development.

In any case, all indicators point to rising demand for cyber insurance from VSEs and SMEs, of which less than 1% are covered today. Unfortunately, demand exceeds supply.
