Ransomware shows up in 44% of all breaches, up 37% year-over-year. The FBI’s IC3 logged 3,156 complaints in 2024. Akira, LockBit, RansomHub: these are hitting hard.
Here’s the shift: the median ransom dropped to $115,000. 64% of victims refused to pay. This matters because most companies think ransomware insurance covers only the ransom. It covers far more. Real costs are the killer: downtime, recovery, forensics, legal defense, notification, regulatory fines. These often exceed the ransom by five or ten times. Total cybercrime losses hit $16.6 billion in 2024, with ransomware driving it.
Ransomware insurance covers these downstream costs. But what’s covered, what’s excluded, and how rules have shifted due to geopolitical risk and underwriter discipline is complex. This article walks through what modern ransomware coverage delivers, where claims fail, and how to structure a program that survives an attack.
The Changing Threat: Who Gets Hit and How Much It Costs
Small and medium businesses get hit with ransomware in 88% of their breaches. Large enterprises see it in 39%. This gap matters for insurance: SMBs pay higher premiums because they’re statistically riskier.
The cost of a U.S. breach averages $10.22 million. Average time to contain: 241 days. That’s a quarter-year of downtime, plus forensics, restoration, and notification. The ransom becomes almost a rounding error.
The typical lifecycle: an attacker gets in through phishing, weak credentials, or an unpatched flaw. They move through the network, steal data, encrypt systems. You discover it days or weeks later. The ransom demand arrives. But damage is compounding: systems down, staff blocked, revenue stops, customers suffer, regulators watch. The ransom demand is just one line on a much longer bill.
What Ransomware Insurance Covers
Modern ransomware policies cover nine core areas. Know these and you’ll know what your policy does.
Ransom payment reimbursement. You pay the ransom, insurance reimburses. The catch: no payments to entities on the OFAC sanctions list. Verify the recipient before paying. More on this later.
Negotiation costs. Negotiators are expensive and effective. A skilled negotiator can cut a $500K demand to $200K. Insurance covers these pros, typically $15K to $50K per engagement.
Forensic investigation. After an attack, forensic experts determine what happened, what was stolen, how long the attacker stayed, and which systems were hit. Cost: $50K to $500K depending on network size. Insurance covers it. Most carriers have preferred vendors ready to deploy immediately.
Data recovery and system restoration. Restoring from clean backups, patching vulnerabilities, validating encryption removal. Costs often exceed $250K for mid-size firms. Insurance covers it, though many policies impose an 8-12 hour waiting period before the business interruption coverage described next kicks in.
Business interruption and lost revenue. Systems down means no revenue. A law firm can’t bill. A manufacturer can’t produce. An e-commerce site can’t sell. Insurance reimburses lost income during recovery. Limits are often the largest on the policy: $500K to millions for mid-market companies. But most policies wait 8-12 hours before coverage starts. The logic: you should get basic operations running in half a day.
Breach notification costs. If the attacker stole data, notification laws require you to inform affected people. Cost: mailings, call centers, credit monitoring, notification management. Can reach $100K to $500K depending on scope. Insurance covers it.
Legal defense. If customers, employees, or regulators sue, legal bills spike. Insurance covers third-party liability defense. Some policies pay outside your overall limit (better). Others carve out sublimits (worse). Check which.
Crisis management and PR. Reputational damage can exceed financial loss. Crisis firms help with media, stakeholder communication, and brand recovery. Insurance covers it, usually with separate sublimits.
Regulatory defense costs. Regulators investigate breaches. You need lawyers for subpoenas, depositions, and enforcement proceedings. Insurance covers it.
These nine areas form the core. Coverage only matters if exclusions don’t block your claim.
What Ransomware Insurance Does NOT Cover: The Exclusions That Sink Claims
Exclusions kill claims. Know them before an attack hits.
War and terrorism exclusions.
The biggest exclusion, and it’s changing fast. Lloyd’s of London tightened its war exclusion after NotPetya (over $10 billion in global damages, pinned on Russian military) and Russia’s invasion of Ukraine. Policies now say: no coverage for war, terrorism, or cyber operations directed by a state actor.
“Directed by a state actor” is broad. It includes attacks enabled, encouraged, or tacitly approved by governments. If an attack gets attributed to a state-backed group, your claim faces exclusion risk.
Some policies split hairs: “state-backed” (a threat actor got funding from a government but acts independently) versus “state-directed” (government controls the operation). This distinction hasn’t settled, and litigation is coming.
Nation-state attacks.
Some carriers exclude state-backed attacks entirely, regardless of whether the state “directed” it. Aggressive approach. Mostly found in higher-limit or specialty programs.
Failure to maintain minimum security controls.
Universal. Required basic controls missing? Carrier denies coverage. Required controls: MFA on all external access, EDR on all endpoints, offline backups, privileged access management for admin credentials, regular security patching. Some carriers now demand annual penetration testing reports. Can’t prove these controls existed at attack time? Coverage is at risk.
OFAC violations.
Paid a ransom to a sanctioned entity without carrier approval? Carrier denies reimbursement. Worse: your organization faces sanctions penalties.
Voluntary shutdown losses.
Some policies exclude losses from your decision to shut down systems or cease operations during recovery. Business interruption coverage is meant for unavoidable downtime, not elective downtime. Board decides to shut down to investigate? You may not recover lost revenue if policy language is strict. Newer policies recognize some deliberate downtime during forensics is unavoidable.
Infrastructure failures.
Policies exclude losses from power grid failures, ISP outages, or other third-party infrastructure problems coinciding with the attack. The logic: these are force majeure events, not ransomware losses. This exclusion can create disputes when an infrastructure failure and the ransomware attack are simultaneous.
Social engineering losses.
Some policies sublimit or exclude social engineering, wire fraud, or BEC losses. If the entry vector was spear-phishing that compromised credentials, some carriers argue this was social engineering, not ransomware. Others apply separate sublimits. Contested boundary in the market.
Prior known vulnerabilities left unpatched.
Carriers increasingly exclude coverage if the attack exploited a publicly disclosed vulnerability with available patches. Vulnerability sits unpatched for 60 days and the attacker exploits it? The carrier argues the loss was foreseeable and preventable. This shifts security maintenance directly onto the insured.
The OFAC Problem: Sanctions Compliance and Ransomware Payment
In September 2021, Treasury’s OFAC issued Ransomware Advisory 2021-4. The position: any ransom payment to a sanctioned entity or jurisdiction violates the International Emergency Economic Powers Act (IEEPA) and can result in civil and criminal penalties.
This advisory upended the market. Carriers now require written OFAC screening and approval before paying any ransom. Most policies grant the carrier (or its counsel) authority to determine whether a proposed payment violates OFAC rules.
In practice: your organization discovers a ransomware attack. Attacker demands $250,000. You notify your carrier. The carrier assigns a breach coach and activates the claims team. Counsel and the carrier jointly engage a negotiator who cuts the demand to $150,000. The attacker provides wallet addresses. Before transfer, the carrier’s sanctions counsel checks the OFAC SDN list, Treasury’s terrorism list, and screening databases.
Entity clean? Payment authorized and reimbursed. Entity on the list? Payment forbidden. The victim can’t pay without violating federal law. The attacker remains uncompensated. The victim must choose between no payment (continued encryption) or paying and facing sanctions penalties.
Treasury has indicated it won’t bring enforcement action against victims who make good-faith OFAC screening efforts before payment. “Good-faith effort” means documented evidence of screening. A carrier’s compliance team memo evidencing the check is sufficient.
The second dimension: carriers themselves are subject to OFAC sanctions rules. If a carrier reimburses a ransom later found to be directed to a sanctioned entity, the carrier faces OFAC liability. This incentivizes extreme caution. Carriers screen ransom payments with the same rigor they apply to terrorist financing. Result: ransomware claims are slower, more documented, and more subject to denial if screening is incomplete.
For risk managers: don’t assume ransomware insurance will reimburse ransom payments. Coverage existing doesn’t guarantee the ability to pay without sanctions violations. Work with your broker and counsel to understand the carrier’s OFAC screening procedure and timeline. Every day of delay is a day of lost revenue.
The War Exclusion Evolution: Lloyd’s, NotPetya, and the State-Backed Question
In June 2022, Lloyd’s Market Bulletin L062/22 revised cyber war exclusion language in most policies. The shift was significant and remains poorly understood across the market.
Before the revision, many policies either lacked a cyber war exclusion or contained language so narrow it rarely applied. NotPetya changed this. NotPetya (2017) was a ransomware worm attributed to Russian military intelligence (GRU). It spread globally and caused an estimated $10 billion in losses. Ukrainian infrastructure was the primary target, but collateral damage was immense. Merck, Maersk, WPP, and hundreds of others were hit. Insurance claims totaled hundreds of millions.
Lloyd’s response: tighten the war exclusion. New language (most policies after mid-2022): “This section does not cover loss, damage, liability or expense of whatsoever nature directly or indirectly caused by, arising from or occasioned by acts of war or cyber operations directed or carried out by a state or nation, or acts of terrorism.”
This sweeps broader than prior versions. “Cyber operations directed or carried out by a state or nation” captures state-directed attacks. But “occasioned by” state activity is ambiguous and litigatable. Is an attack “occasioned by” state activity if the nation-state provides exploit code but doesn’t direct the attack? If a state permits a cybercriminal gang to operate freely within its borders?
The distinction between “state-backed” and “state-directed” is critical. State-backed: funded or supported by a nation-state but executed independently. State-directed: controlled by the state. Under strict interpretations, Akira (state-backed but not state-directed) would be covered; NotPetya (state-directed) would not. Carriers disagree on where to draw the line. The market is fractured.
Some carriers offer explicit carve-outs for state-backed groups (provided the group isn’t sanctioned and the attack isn’t state-directed). Others maintain any state connection voids coverage. A few have introduced “high-risk actor” exclusions for specific variants including LockBit, Akira, and others deemed to have state links.
For risk managers: a Chubb policy and a Zurich policy may have dramatically different coverage for the same Akira attack. Review the exact war exclusion language. Ask your carrier directly: “If Akira is the attack vector and attributed to a state-backed actor, is this claim covered?” Document the response. That documentation is your record of the carrier’s interpretation.
Underwriting Tightening: How Carriers Separated Serious Programs from Pretenders
Before 2020, the cyber insurance market was a free-for-all. Carriers competed on premium. Underwriting was loose. Many organizations purchased coverage without demonstrating any meaningful security controls.
The ransomware surge of 2020-2021 destroyed this model. Carriers paid millions in claims for preventable attacks. They learned a hard lesson: underwriting discipline directly impacts claims frequency and severity.
The response: radical tightening. Today, carriers maintain underwriting matrices defining required controls by company size and industry. For a mid-market manufacturer seeking $5M in ransomware limits, typical requirements: MFA on all internet-facing systems, EDR deployed on 100% of endpoints, offline backups tested quarterly, privileged access management for administrative credentials, documented vulnerability management with patching thresholds (30 days for critical, 90 days for others), and annual security awareness training for all staff.
Can’t demonstrate these controls? The carrier either declines or applies a 25%-50% surcharge. Some demand active proof: firewall logs showing MFA logins, EDR dashboards showing endpoint coverage, backup documentation. Self-assessment is no longer sufficient.
Prior claims history is heavily weighted. Filed a ransomware claim five years ago? Renewal scrutinized carefully. Carrier demands evidence that prior vulnerabilities have been remediated. Hit by the same attack vector twice in five years? Renewal may be declined.
This tightening pushes risk to smaller organizations. A 50-person firm with a $2M security budget is unlikely to implement the full matrix. That firm faces denial or severe surcharges. Larger enterprises with dedicated security teams meet requirements and get coverage at reasonable rates. The market has bifurcated.
Ransomware-Specific Sublimits and How They Work
Modern policies deploy sublimits as a primary underwriting tool. Sublimits cap recovery for specific coverage types within your overall limit. Understanding the math is essential.
Consider a $10M cyber policy: $10M aggregate, $2M per-occurrence. Within that, ransomware sublimits: $1M per-occurrence for ransom payment, $3M for business interruption, $500K for crisis management, $2M for legal defense.
Under this structure, $5M in business interruption losses recover only $3M. The sublimit caps recovery regardless of overall limits. A $1.5M ransom demand reimburses only $1M.
Business interruption sublimits often include waiting periods. Common: “coverage does not apply to losses within the first 8 hours of loss discovery.” The rationale: most organizations should restore basic operations (email, files, communications) within 8 hours. Losses during that window are yours. Losses after are covered up to the sublimit.
Waiting periods can be contested. If forensics reveals the attacker was in the network 48 hours before encryption, when does the clock start? Most policies say: when the loss is discovered or reported to the carrier. If your monitoring takes 36 hours to detect and the waiting period is 8 hours, you may recover only 16 hours of 48 hours of downtime.
Aggregate sublimits are common too. A policy might state: “$10M aggregate for all cyber claims, $2M sublimit per occurrence.” Ransomware causes $3M in losses? You recover $2M (per-occurrence limit). Second attack or unrelated cyber loss the same year? Recovery comes from the remaining $8M aggregate, minus the $2M paid.
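To make the sublimit, per-occurrence and aggregate arithmetic concrete, here is an added Python example (constructed for this article, not any carrier's claims logic) that settles claims against the $10M aggregate / $2M per-occurrence structure above; the category names, the waiting-period helper and the second-claim amounts are assumptions.

```python
"""Claim-recovery arithmetic for a layered cyber policy: per-category
sublimits, a per-occurrence cap, an annual aggregate that erodes with each
paid claim, and a business-interruption waiting period. Constructed
illustration; not a carrier's wording and not a substitute for your schedule."""
from dataclasses import dataclass


@dataclass
class CyberPolicy:
    aggregate: float                 # annual cap across all cyber claims
    per_occurrence: float            # cap on any single incident
    sublimits: dict                  # category -> cap within the occurrence
    bi_waiting_hours: float = 8.0    # BI responds only after this window
    paid_to_date: float = 0.0        # aggregate already consumed this year

    def remaining_aggregate(self):
        return max(0.0, self.aggregate - self.paid_to_date)

    def covered_bi_hours(self, outage_hours_after_discovery):
        """Downtime hours the BI sublimit can respond to. The clock starts at
        discovery/notification; the waiting-period hours are the insured's."""
        return max(0.0, outage_hours_after_discovery - self.bi_waiting_hours)

    def settle(self, losses):
        """Apply sublimits, then the per-occurrence cap, then the remaining
        aggregate. Returns a breakdown and erodes the aggregate by what was paid."""
        capped = {}
        for category, loss in losses.items():
            cap = self.sublimits.get(category)
            # A category with no sublimit is bounded only by the occurrence cap.
            capped[category] = loss if cap is None else min(loss, cap)
        requested = sum(losses.values())
        within_sublimits = sum(capped.values())
        occurrence_capped = min(within_sublimits, self.per_occurrence)
        paid = min(occurrence_capped, self.remaining_aggregate())
        self.paid_to_date += paid
        return {
            "requested": requested,
            "after_sublimits": within_sublimits,
            "after_occurrence_cap": occurrence_capped,
            "paid": paid,
            "uninsured": requested - paid,
            "aggregate_remaining": self.remaining_aggregate(),
        }


def example_program():
    """The $10M/$2M structure from the text: a $3M BI loss capped at the $2M
    per-occurrence limit, then a second (assumed) loss the same policy year."""
    policy = CyberPolicy(
        aggregate=10_000_000, per_occurrence=2_000_000,
        sublimits={"ransom": 1_000_000, "business_interruption": 3_000_000,
                   "crisis_management": 500_000, "legal_defense": 2_000_000},
    )
    first = policy.settle({"business_interruption": 3_000_000})
    second = policy.settle({"ransom": 1_500_000, "legal_defense": 300_000})
    return first, second


if __name__ == "__main__":
    for label, result in zip(("first claim", "second claim"), example_program()):
        print(label, result)
```

Run it and compare the "uninsured" figure to your own daily revenue at risk; that gap is what the waiting period and sublimits leave on your balance sheet.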
For ransomware-only programs, some carriers offer separate ransomware limits. A $10M general cyber policy might exclude ransomware entirely, with a separate $3M ransomware-specific policy alongside it. This isolates ransomware risk and lets companies buy the combination matching their profile.
How to Prepare for a Ransomware Claim: Incident Response and Insurance Activation
The difference between a $200,000 resolution and a $2M denial often comes down to preparation made months before the attack.
Written incident response plan.
Define roles: who activates the plan, who commands the incident, who leads forensics, who handles external communications, who interfaces with law enforcement and regulators. Include contact information for forensic vendors, legal counsel, breach counsel, and your broker. Define decision trees: encryption detected, do you shut down the network or let forensics proceed online? Data exfiltrated, who decides whether to negotiate or refuse?
Test the plan.
Tabletop exercise once a year. Key stakeholders walk through a ransomware scenario and find where the plan breaks. Legal counsel, security team, and CFO should attend. Insurance disputes often arise because legal and financial considerations weren’t integrated into the response. A tabletop surfaces these conflicts early.
Backup testing.
Ransomware succeeds because backups are inaccessible, infected, or missing. Use the 3-2-1 rule: three copies of critical data, two storage media, one offsite. Critical data: email, files, databases, financial systems, manufacturing controls. At least one backup should be offline and disconnected from the network at all times.
Test backup restoration quarterly. Not metadata recovery. Actual system restore. Mock recovery of your ERP from the offline backup. Can you restore fully? How long? What staff expertise is required? Document findings. During a real attack, test results become evidence of recovery capability affecting claim eligibility and settlement timelines.
Legal privilege.
When an attack occurs, you’ll need forensic experts, incident response counsel, and possibly negotiators. These relationships should be attorney-client privileged where possible.
Work with outside counsel now to establish engagement protocols. When the attack occurs, forensic or incident response work should flow through counsel. The forensic firm is retained by counsel on your behalf, making the report potential attorney work product. This protection is valuable if regulators subpoena communications or third parties sue.
Immediate carrier notification.
Your policy requires notification “as soon as practicable” upon discovery. Standard practice: within 24 hours. Written notification (email is fine) to the claims email in your policy. Include: date and time of discovery, nature of loss, systems or data affected, estimated financial impact, and contact person.
Don’t delay notification to investigate. Don’t wait for forensic confirmation. Ransomware suspected? Notify immediately. Late notification gives carriers grounds to deny coverage for the period between discovery and notification under “failure to mitigate” doctrine.
Breach coach.
Upon notification, carriers assign a breach coach who coordinates the response: forensic vendors, negotiators, notification services. The coach communicates between your organization and the claims team and coordinates coverage decisions. Your incident commander should establish a direct relationship with the breach coach. This person becomes your primary interface for claim decisions.
The Economics of Ransomware Insurance: Premium, Pricing, and the Cost-Benefit of Payment
Premiums vary by company size, industry, and security posture. A manufacturer with 500 employees, EDR, MFA, and offline backups tested quarterly might pay $25,000 per year for $5M in ransomware coverage. A technology company with weaker controls might pay $60,000 for the same limit. A small healthcare practice with 20 employees might pay $3,000 to $5,000 for $1M.
Premium-to-limit ratio: typically 0.5% to 1.5% per year. A $5M policy costs $25,000 to $75,000 annually. Factors reducing premium: certified compliance (ISO 27001, SOC 2), clean threat intelligence, strong industry security reputation, five or more claims-free years. Factors increasing premium: prior claims, known vulnerabilities, weak controls, high turnover, or high-risk sector (healthcare, finance, government).
The economics of ransom payment merit analysis. A simple calculation might conclude: “$150K ransom vs. $2M recovery? Paying is rational.” This logic is sound but narrow.
Negotiators don’t guarantee success. They can sometimes cut demands 30%-50%, but not always. Some attackers have fixed pricing. Some increase demands if they see capacity to pay. Negotiations take 3-14 days. Business stays offline.
Paying may not result in decryption. Emsisoft’s 2024 analysis: roughly 30% of organizations that paid failed to recover all encrypted data. Some attackers provided incomplete keys. Some corrupted the decryption process. Others disappeared after payment.
Paying certain actors carries legal and reputational risk. Akira accumulated $244.17 million in proceeds as of September 2025 and has ties to Russian state actors. Paying Akira potentially violates OFAC rules and creates reputational liability if the payment becomes public.
Total recovery cost without ransom is often lower than expected. Tested offline backups: recovery in days, not weeks. EDR and network segmentation: restore critical systems while continuing forensics. A healthcare provider with proper backup discipline can restore operations in 48-72 hours without paying a cent.
The decision to pay (or authorize payment via insurance) shouldn’t be a panic response. It should be the product of pre-attack analysis. Walk through scenarios with incident response counsel before purchasing insurance. Recovery timeline with backups? Cost vs. likely demand? Reputational impact? OFAC considerations? For some organizations, paying makes sense. For others, refusing and recovering from backups is the rational choice. Make that choice calmly, in advance.
The Future of Ransomware Insurance: Emerging Coverage Challenges
Three developments merit attention.
First, carriers are beginning to require incident response insurance as a prerequisite for ransomware coverage. Incident response insurance covers forensic expert and negotiator costs before any ransom demand. Carriers view organizations with this coverage as more likely to detect early, respond well, and avoid catastrophic negotiation failures. This bundling is spreading.
Second, the war exclusion landscape remains unsettled. NotPetya litigation is ongoing. Lloyd’s and carriers will keep refining “state-directed” vs. “state-backed” definitions. New variants attributed to state-sponsored actors will trigger new exclusions and carve-outs. Expect coverage disputes for high-profile state-connected attacks. Expect to litigate or negotiate extensively.
Third, carriers are experimenting with usage-based pricing. Lower premiums in exchange for continuous monitoring of security controls. MFA or EDR drops below stated minimums? Premium automatically increases or coverage suspends. This shift from annual assessment to continuous monitoring reflects carrier demand for real-time visibility. Some organizations will view this as invasive. It’s the direction the market is moving.
Get Your Ransomware Coverage Review
Surviving a ransomware attack depends on what your policy covers before the encryption starts: business interruption length, ransom sublimits, extortion terms, war exclusions, and OFAC compliance. Alliance Risk reviews your current program and markets your risk to carriers that specialize in cyber and ransomware coverage, delivering proposals in a few business days.
What We Need for Your Quote:
- Company revenue, industry, and daily revenue at risk if operations go dark
- Security controls: MFA everywhere, EDR, immutable offline backups, patch SLA, PAM, training
- Backup strategy (3-2-1, immutability, tested restore times)
- Incident response plan (written, tested, with pre-engaged counsel and forensics)
- Current cyber coverage, limits, ransomware sublimits, waiting periods, and carrier
- 5-year ransomware, extortion, and cyber claims history
Schedule a Consultation:
Speak with a cyber specialist about your ransomware exposure at no cost.
Policy Review:
Already have coverage? We’ll review your existing policy at no charge, flagging thin ransomware sublimits, long waiting periods, broad war exclusions, shared-limit erosion, and gaps in extortion and business interruption coverage.
Request a Quote
Complete our online form or contact us directly to begin the quote process.
Want coverage that holds up when the encryption hits? Let’s talk. Alliance Risk: your specialized partner for ransomware insurance.