Insurance Cyber Attacks: Insurers allowed to reimburse ransoms paid by their customers!
The Ministry of Economy and Finance has taken a decision that puts an end to a gray area.
Insurers will be able to reimburse the ransoms paid by their customers, Bercy decided. A decision that puts an end to a gray area but which risks encouraging cybercrime, denounces a former parliamentarian, author of a report on the subject. The general directorate of the Treasury thus proposes to "condition the insurability of cyber ransoms on the filing of a complaint by the victim", a measure present in the draft law on orientation and programming of the Ministry of the Interior (LOPMI) presented this Wednesday in the Council of Ministers, specifies the Ministry of the Economy in a statement.
And "a task force dedicated to cyber risk insurance, involving the relevant actors, will be set up by the end of September", also indicates Bercy. Until now, a gray area remained on this topic. If the compensation by the insurers of the ransoms was not illegal, a parliamentary report had proposed a year ago to prohibit it.
Insurance Cyber Attacks
The obligation to file a complaint in order to be compensated "is a good thing", reacted Valeria Faure-Muntian, former LREM deputy and author of the report. But according to her, the payment of ransoms is "counterproductive". "I stand by what I said in my report: through this, crime is fuelled and some companies may see this as irresponsible and not make enough investment in prevention," she explains.
Moreover, there is no guarantee that the recovered data will be usable or will not contain a new virus, once the ransom has been paid, notes Valeria Faure-Muntian. All the companies "who kindly testified about the recovery of the data (after paying the ransom) said that they were not in a condition to be exploited immediately" and took a long time to recover their pre-crisis situation, she emphasizes. A point of view also shared by Stoik, a company offering insurance and cybersecurity software to companies, and which claims not to pay ransoms.
For Florence Lustman, president of France Assureur, the industry federation, "any inaccuracy in a contract, anyway, is bad for the insured and for the insurer. So everything that goes in the direction of clarification goes in the right direction," she estimated in front of journalists on Wednesday.
Insurance Cyber Attacks details
In May 2021, Axa France suspended the marketing of the "cyber ransom" option, while the insurance intervention framework was specified, and was followed by Generali France at the beginning of 2022. In its report, the Treasury stresses that in order to develop cyber insurance, which accounts for only 3% of professionals' damage insurance premiums, it is necessary, among other things, to better measure the damage and therefore the cyber risk, by sharing data between the public and the private sector, and to "increase the awareness efforts of companies".
According to Mickaël Robart, director in charge of development at the broker Diot-Siaci, the majority of uninsured companies are small and medium-sized enterprises, which until recently had a poor understanding of this risk. Today, they are the ones "that must be ensured as a priority" in the face of the ransomware threat, he believes. They are the ones who are tempted to pay the ransom while "in 99% of cases, the big groups refuse," he adds.
Insurance Cyber Attacks data
For Alain Assouline, digital president of the Confederation of Small and Medium-sized Enterprises (CPME), this is "an important step forward", but it remains to be seen whether insurers will take up the recommendations made to develop the offer. Because on the side of the latter, "it is a risk that we still have a little difficulty understanding," explained Bertrand Romagné, president of the Association of Reinsurance Professionals in France (Apref) a few days ago, to justify the sector's shyness in this regard.
He cited the example of the NotPetya virus, which targeted a number of companies a few years ago and reportedly cost $10 billion. And on August 21, the South Francilian Hospital Center (CHSF) in Corbeil-Essonnes was the victim of a computer attack that significantly affected its activity. A ransom note of $10 million was demanded by the hacker(s).
