You probably think of ransomware insurance as a safeguard against ransomware attacks and data loss – and it is, to a certain extent. But what if we told you cyber or ransomware insurance may not end up covering against financial losses you experience due to ransomware? Or that ransomware insurance is actually making the scourge of ransomware worse?
If those statements sound surprising, keep reading for details on why cyber insurance not only fails to offer the protections that companies often think they’re obtaining when they purchase cybersecurity policies, but also how it makes the overall problem of ransomware worse than it needs to be.
What is ransomware insurance?
Ransomware insurance is a type of insurance coverage designed to help protect businesses against the financial fallout of ransomware attacks. Technically, it is a subcategory of cyber insurance, which can also offer financial protection against other types of cybersecurity risk, but the two terms are often used interchangeably.
Ransomware insurance works in a pretty straightforward fashion: Businesses pay premiums in exchange for coverage against ransomware incidents and other data breaches. If such an attack occurs, the affected business files a claim seeking reimbursement for the costs it incurred, such as lost data, downtime, or (under some policies) the ransom itself. Assuming the insurer agrees that the incident was indeed covered, the business receives a payout.
The history and evolution of cyber insurance
The first cyber insurance policy became available in 1997, when an innovative insurance broker named Steve Haase convinced a large insurance firm to offer a novel type of policy known at the time as Internet Security Liability (ISL) coverage. Then as now, the premise behind the cyber insurance coverage was simple – if a company experienced a cyberattack or data breach event, the insurer would pay out.
Over the following decades, cyber insurance grew gradually in popularity. As of 2024, 90 percent of businesses whose employee headcounts fell in the 100-5000 range had some form of cyber insurance coverage, a statistic that likely reflects widespread awareness of the high costs to businesses of ransomware attacks.
Escalating premiums in ransomware insurance
As ransomware insurance adoption has grown, so has the cost of cyber insurance. Over the past few years, average policy pricing has surged by as much as 100 percent in a single quarter, and cyber insurance premiums have risen faster than those of any other type of insurance.
You don’t need a Ph.D. in actuarial science to guess why the cost of ransomware insurance has risen so sharply in recent years. The increase in pricing coincides with steady growth in the frequency of ransomware attacks, which have grown by 71 percent year over year since the early 2020s. As of 2023, 72 percent of businesses had been impacted by a ransomware attack.
The more widespread ransomware becomes, the more insurers can charge for ransomware insurance.
Uncertain outcomes: No guarantee of data recovery
Unfortunately for businesses that have purchased cyber insurance in the hope that it will protect them against ransomware and other cybersecurity risks, having this type of policy in place is hardly a guarantee that your company will be able to weather a data breach event. For several reasons, cyber insurance may not offer the level of protection that businesses often expect.
Failure to recover data
Arguably the biggest pitfall of ransomware insurance is that it can never guarantee you’ll get your data back. It only offers payment to reimburse you for the costs of lost data.
This is a problem because without the ability to recover data, your business may experience long-term disruptions to its operations that no financial payout can fully alleviate. The information that ransomware attackers destroy could take years to generate, and once it’s gone, it’s gone.
Note, too, that even if you pay the ransom (and assume your insurance provider will reimburse you for the ransom payment), you may still not end up getting your data back. As many as 92 percent of businesses report that they were unable to recover data fully following a ransomware attack despite paying a ransom.
Lack of protection against third-party claims
There are multiple types of cyber insurance policies, and the scope of what they cover varies significantly.
One popular form of cyber insurance is what’s known as first-party insurance. This covers companies against losses that they experience directly – such as the destruction of important business data.
However, first-party cyber insurance doesn’t cover losses experienced by a business’s customers or partners. You need what’s known as third-party coverage for that type of protection. Companies often don’t purchase third-party policies because they’re more expensive.
This means that businesses may find themselves in a situation where they only obtained first-party coverage because they thought that was sufficient, but their clients end up suing them because the clients experienced financial harm due to a ransomware event for which they hold the business responsible. In this case, the cost of judgments against the business may end up being far higher than the cost of direct losses, and cyber insurance will be of no help.
Cyber insurance vs. silent cyber coverage
Some companies don’t purchase explicit cyber insurance at all; instead, they rely on generic property and casualty (P&C) insurance to protect them against cybersecurity incidents. This is known as silent cyber coverage.
Silent cyber coverage may seem sensible because it’s a way to fold cybersecurity coverage in with broader policies. The problem, though, is that because generic P&C policies are often not specific about which types of cyber events they cover (if any), companies can end up in protracted battles with insurers over whether a given ransomware event qualifies for reimbursement. Such battles can drag on for years, and without a fast payout, your business may not be able to recover quickly enough to restore normal operations.
Non-covered losses
Even when you do have explicit first- or third-party cyber insurance, it’s likely that certain types of attacks or losses are not covered. The details vary between policies, but common examples of items that cyber insurance doesn’t address include loss of intellectual property, loss of future profits, and loss due to attacks caused by a malicious insider.
For these reasons, it’s problematic to assume that as long as you have a cyber policy, you can expect to go to your insurer following an attack and be made fully whole. You may end up discovering that the attack wasn’t covered at all, or that your payout is much smaller than you expected because the insurer doesn’t reimburse for all of your losses.
Losses that exceed payouts
Having an air-tight claim based on a fully covered event is also no guarantee of complete financial recovery from a ransomware attack because your losses may exceed your insurance coverage limits.
Recent data about average coverage limits is elusive, but a 2013 study found that among companies with revenues in excess of $1 billion, cyber insurance limits averaged $11.5 million. Let’s be generous and assume that average coverage limits have increased ten-fold since 2013 (the real multiple is probably much lower), to $115 million.
That’s a lot, and it’s enough to cover the average cost of a data breach, which is a little over $5 million as of 2024. But it falls far short of protecting against attacks that result in above-average costs – such as a February 2024 attack against Change Healthcare whose total costs are expected to exceed $1.5 billion.
In short, cyber insurance may protect you if you’re lucky enough to experience a breach whose total costs are just a few million dollars. But breaches can be much, much more expensive than that, and your policy likely won’t protect you.
Incentivizing criminals: The dilemma of ransomware payments
We just explained why ransomware insurance may not be enough to protect the typical company against ransomware and other risks.
But this is only part of the reason why excess faith in cyber insurance as a salve against ransomware misses the mark. The problem is even worse when you consider that cyber insurance is likely a key factor in triggering cyber attacks in the first place.
The reason why is simple: When threat actors believe that a company has a cyber insurance policy that will cover ransomware payments, they are more likely to assume that they’ll receive payment if they hold the company’s data for ransom. This means that as more and more companies obtain cyber insurance – and as premiums and coverage limits for those policies increase – the bad guys are increasingly incentivized to do what bad guys do: Launch ransomware attacks and demand ever-higher ransoms.
Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, put it this way: “Some insurance company policies — for example covering reimbursement of ransomware payments — incentivise payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end.”
She goes on to call for insurance companies to demand that businesses demonstrate responsible cyber hygiene and data protection practices – such as regular backups of their data – as a condition for obtaining cyber insurance.
So, Neuberger’s position is not that cyber insurance is inherently a bad thing. She only believes it’s bad when policies merely reimburse businesses for ransoms they pay to threat actors, without doing much to encourage the businesses to protect themselves against ransomware in the first place or invest in techniques that would allow them to restore data without paying ransoms.
Alternative strategies to mitigate ransomware attacks
At N2WS, we agree with Neuberger. We believe that the best way to prevent ransomware attacks and mitigate the fallout of those that do occur is not to invest in expensive insurance policies that will (maybe) reimburse your business in the event that you experience a data breach and need to pay a ransom to restore operations.
Instead, it’s to invest in data backup and recovery solutions that enable reliable, fast restoration of business operations following a breach. And we’re not talking here simply about periodic data backups. We’re also referring to capabilities such as cross-cloud and cross-account recovery, which can speed recovery operations in the event that one of your cloud environments or accounts is compromised.
We’re also thinking of features like network environment cloning, which helps speed recovery operations by allowing businesses to back up and restore the network settings that their workloads depend on, instead of having to recreate them from scratch.
Coupled with other cybersecurity best practices – like enforcing zero-trust authentication and training employees in recognizing threats – advanced backup and recovery capabilities are the true key to ransomware defense.
You should certainly feel free to purchase cyber insurance coverage as an additional safeguard. But if your ransomware defense strategy hinges on ransomware insurance alone, you’re likely setting yourself up for a rude awakening.
Author Bio: Sebastian Straub, Principal Solutions Architect at N2WS
Sebastian is the Principal Solutions Architect at N2WS, bringing more than two decades of experience in enterprise technology, data protection and cybersecurity. With previous critical roles at Dell, Oracle, the FBI and the Department of Defense, he has established himself as a leading expert in enterprise security, backup & DR and identity management solutions.