AXA has announced that, for its French home market, it will temporarily stop underwriting ransomware coverage in its cyber insurance policies, pending clarification from the local French regulator on the lawfulness of ransomware payments. Although ransomware-related incident response expenses are still covered, the measure is limited to the French market, and legacy policyholders are not affected, this nevertheless sets a precedent: it is the first time a major cyber insurance player has stopped paying ransomware demands. The meaningfulness and legality of ransomware payments have been an ongoing point of discussion for the cyber insurance industry, researchers, regulators, and policymakers (See for example or ) for a great summary of the topic).
From an economic perspective, if the act of entering an insurance contract has a negative impact on the underlying risk, it often results in a net welfare loss for the entire economy. In the insurance context, this interaction is most often found in a moral hazard setup, whereby a person who has, for example, insured their bike might no longer be as vigilant over it as they would be without the insurance policy in force. In the case of ransomware, however, it is not the insured who changes his or her behavior but the ransomware attackers, who face an increased payout through the ransomware cover that is a standard offering of current cyber insurance policies around the globe.
It will be very interesting to see if other carriers and jurisdictions follow the lead of AXA France here.
Daniel Kasper is the principal of Cyber Economics.