Should we negotiate with cyber criminals who demand ransoms?
Obviously, this is not the right solution.
Deputy Valéria Faure-Muntian, president of the Insurance study group of the National Assembly, presented last Wednesday a report expected by the sector.
He proposes to enshrine in law the prohibition for insurers "to guarantee, cover or compensate the ransom" in the event of a ransomware or "ransomware" attack.
Ransomware is malicious software that encrypts the data of an attacked company, making it unreadable.
The hackers then demand a ransom from their target in exchange for the key to recover the data.
In her report on the subject, Valéria Faure-Muntian argues that "the payment of ransoms feeds cybercrime" and that "nothing guarantees that the ransom paid is a pledge of a return to the initial situation" for the attacked company.
To read also Cyberattacks: "The worst is in front of us", warns the boss of Anssi
“Insurers have now been asking for a clarification of the subject for several years now, since guaranteeing the payment of ransoms is not illegal.
This is not prohibited by law, ”Franck Le Vallois, director general of the French Insurance Federation (FFA), told AFP.
“However, we have seen recently that insurers could be stigmatized by certain representatives of the public authorities and ranked at the level of cybercriminals.
(…) How can we blame insurers for respecting their contract and supporting their clients in difficult times?
He asks.
Almost half of the companies concerned
AXA France has suspended the marketing of the “cyber ransom” option since May 2021, while the insurance intervention framework is clarified.
“Today AXA France wants a quick and clear position from the public authorities on the insurability of ransoms in order to allow all market players to harmonize their practices,” the insurer told AFP.
Point of agreement with professionals in the sector: the parliamentary report emphasizes prevention and education in cyber risk.
In 2020, cyber risk was the first threat to the French economy according to Allianz's annual risk barometer.
Almost half of French companies have suffered a cyber attack according to the Hiscox 2021 report on cyber risk management, compared to a third (34%) the previous year.
The cyber risk market was estimated, in 2020, at 135 million euros in turnover, according to the FFA.
“It's very small, it's a growing market,” comments Franck Le Vallois.
“Cybercriminals did not wait for insurers to insure!
"
A risk for companies
Prohibition of ransom guarantee or not, he insists on the importance of "becoming aware of your exposure to cyber risk".
“Cyber contracts, and in particular those that include these ransom payment guarantees, have several virtuous effects.
(…) They make companies aware of cyber risk, they encourage companies to protect themselves.
"
Read also Gangs, extortion and ransomware ... Investigation into highly organized hackers
Marc-Henri Boydron, founder of Cyber Cover, a company specializing in cyber and fraud insurance, recalls that the payment of a ransom is only a last resort. “We never had to ask our partner insurance companies to pay [a] ransom,” he says. He wants a framework for the payment of ransoms rather than a ban, which risks damaging a company. "A company without the means to recover its data and which therefore has an information system at a standstill, that can [mean] in certain configurations the death of the company", he explains to the AFP.
For Guillaume Aksil, lawyer specializing in insurance law, another major risk remains in the event of a ban on the payment of ransoms by insurers: that which the attacked company takes care of itself.
“And if [the company] pays quietly, it will be less likely to look for lawyers and technical experts.
She will find herself lonely when she must be accompanied and communicate.
(…) Finding your data is fundamental.
"