With immediate effect, the French Axa group no longer sells cyber insurance policies in France that cover payments to cyber criminals. However, this does not yet apply to Germany: “We have not yet decided to change our subscription behavior for the German market,” said the German Axa subsidiary when asked by heise Security. However, the company is also observing developments in this area in Germany.
Following the trend in the USA, more and more companies in Germany have started to cover their IT risks with insurance. These policies may even pay the ransom demands if extortionists have encrypted and stolen large amounts of data. But the ongoing ransomware boom is causing concern for insurance companies, as the losses are sometimes enormous and the risk is difficult to calculate. On top of that, Axa has now become a victim of a blackmail trojan itself.
The discussion about extortion with ransomware centers on the argument that cybercrime should not be fueled by ransom payments; some even believe that the criminal networks should be “financially dried up”. Both the Federal Criminal Police Office (BKA) and the Federal Office for Information Security (BSI) argue along these lines: “BSI, law enforcement authorities, security experts and G4C urgently advise against paying ransom,” explains the German Competence Center against Cybercrime in its information brochure on ransomware, and justifies this as follows: “This should no longer promote criminal business models.”
Cyber criminals have themselves stated on various occasions that they prefer their victims to have cyber insurance. Such companies are generally more willing to pay, and the whole process is carried out very professionally. Some security experts even see insurance companies as an accelerant in an escalating threat situation. Others point out that insurance is by no means intended to replace IT security measures, but can only fulfill its task within the framework of an IT security concept.
Cyber insurance in transition
In any case, Axa’s withdrawal comes as no surprise. The whole industry is struggling with the problem of ransomware, which on the one hand drives interest in its offerings, but on the other hand is becoming more and more expensive and, above all, risky due to the increasing losses. In the USA, insurers have therefore increased their fees significantly. They are also trying to minimize risk through stricter IT security requirements for policyholders. Both trends are already spilling over to Germany.
Whether cyber insurance actually makes sense and what needs to be taken into account is also an important topic at heise Security: the security expert Linus Neumann has advised the Association of German Insurers (GDV) on the conception of cyber insurance policies and is well aware of their problems and hidden pitfalls. He’s one of the few experts in the field who doesn’t make a living selling insurance. In his lecture on the heise Security Tour, “Cyber! Insurance! Do I really want this?”, he explains what is important.