Canadian Underwriter

Should insurers (and others) be banned from making cyber ransom payments?

May 30, 2021   by David Gambrill


Editor’s Note: A previous version of this article incorrectly stated that a cyberattack against AXA had happened after AXA’s announcement that it was suspending insurance coverage in France for ransomware extortion payments. In fact, as per a Financial Times report of May 16, the ransomware attack happened before AXA’s decision to change its approach, a fact that AXA does not dispute. Canadian Underwriter apologizes for the error.


When insurers reimburse clients for ransom payments paid out to cybercriminals, they may be emboldening cybercriminals to escalate their ransomware attacks, legal experts from Bennett Jones suggested in a blog published in Mondaq Thursday.

In support of their theory, Ruth Promislow, Michael Whitt, and Kees de Ridder of Bennett Jones LLP in Canada cited AXA’s withdrawal in May from offering coverage in France for ransomware extortion payments.

“AXA said it made this decision in response to concerns raised by French justice and cybersecurity officials during a recent Senate roundtable in Paris about the global epidemic of ransomware,” the authors wrote in their blog. “Notably, days before AXA’s announcement, the insurer was hit by a ransomware attack.”

AXA’s move “reflects a growing sentiment around the world that the current state of insurance coverage for ransomware payments is fueling the ransomware business,” the writers continued.

“Earlier this year, The Guardian interviewed the founding head of the United States National Cyber Security Centre, Ciaran Martin, who asserted that the ransomware problem is being exacerbated by insurance coverage for extortion payments and suggested it was time to consider a legal ban on ransom payments.

“The FBI has stated, ‘[p]aying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.’”

Several cyber insurers have cited escalating ransomware extortion payments as a factor in why cyber insurance claims costs have created hard market conditions in cyber lines. Ransomware incident response platform Coveware reported in 2020 Q4 that the average ransom payment was $154,000.

In part because of escalating ransomware claims costs, the profitability of Canadian federally-regulated cyber insurers has taken a steep tumble during the pandemic.

Cyber loss ratios in Canada have skyrocketed, starting with a whopping 207% loss ratio in 2019 Q4. With cyber-attackers attempting to take advantage of people working from home to avoid the spread of COVID-19, the cyber liability loss ratio jumped even higher in 2020 Q4, reaching 307%.

Even insurers that sell cyber insurance have reportedly paid out ransomware extortion demands, the Bennett Jones authors note. Insurance companies made up 2.8% of cybercrime targets, according to data collected by Coveware.

U.S. insurer CNA reported in March that it sustained a cyberattack against some of its systems. In a May 12 update, the insurer said its “forensic investigation and root cause determination have revealed no indication that this was a targeted attack or that CNA or policyholder data was specifically targeted by the threat actor.”

Citing anonymous sources, several media outlets reported that CNA paid out a ransom of $40 million for the attack. Canadian Underwriter is unable to verify the authenticity of the media reports.

“It is conceivable that other insurers may follow AXA’s approach in removing insurance coverage for ransomware, or limiting coverage for these payments,” the Bennett Jones authors write. “At present, there are several indications that the market for coverage of ransomware payments is contracting.

“In the shorter term, it is reasonable to expect that insurers will consistently require a particular level of security standards as a precondition to insurability. It is also reasonable to expect that ultimately, the insurance industry will adopt security baseline requirements as a standard for cyber insurance.”
