AXA announced in May it will stop writing cyber insurance coverage in France that reimburses customers for making payments to ransomware criminals. Cyber insurance policies have long covered these ransom costs, and it is widely anticipated that other insurance companies will follow suit. In this new environment, the strategic calculus for attackers and victims will change. In this article, published in Insurance Journal, we ponder the question of whether companies make the payments at all, and take a look at the ransomware landscape. We also note how cyber risk needs to be analyzed in a way that allows companies to examine the appropriate controls and mitigation techniques, and how causal-based models are a proven way to account for the decisions of both the company and the attacker.