Does cyber insurance cover ransomware?
Yes, most cyber insurance policies cover ransomware-related losses. But the coverage has tightened significantly since 2020. Here are the key things to understand:
- Ransom payment coverage (extortion payments) — Most policies still cover this where payment is legal. Sanctions compliance (OFAC in the US, with equivalent regimes in other jurisdictions) is critical: paying a ransom to a sanctioned entity is unlawful, and your insurer will deny the claim if you do.
- Business interruption — Covers lost revenue during downtime. Usually has a waiting period (8-12 hours typical). This waiting period can mean the difference between a minor incident and a major loss.
- Data recovery costs — Forensic investigation, system restoration, and recovery specialist fees.
- Incident response — Access to specialist incident response teams, negotiators, legal counsel, and public relations support.
Critical sub-limits to check
This is where most ransomware claims go sideways. Your policy might have a $5M overall limit, but ransomware might be sub-capped at $1M or even $500K. Always ask your broker:
- What is the ransomware-specific sub-limit on my policy?
- What is my business interruption waiting period (8, 12, or 24 hours)?
- Do I have contingent business interruption coverage (if your cloud provider or key supplier gets hit)?
- Are there separate sub-limits for data recovery, incident response, or legal fees?
Key Policy Term: Waiting Period
A 24-hour waiting period sounds harmless until ransomware locks you down. With modern attacks spreading in hours, that waiting period might mean $100K-$500K in uncovered losses. Ask your broker about policies with 4-8 hour waiting periods if you handle time-sensitive transactions.
What can void your ransomware coverage
Insurers have become more aggressive about denying ransomware claims. These are the most common reasons:
- No multi-factor authentication (MFA) deployed — This is the most commonly cited reason for denied ransomware claims. If you don't have MFA on email, VPN, and remote access, many insurers won't write the policy at all. Some policies now require MFA on 100% of staff accounts, and a claim that starts with a credential-only login is likely to be challenged.
- End-of-life operating systems — Windows 7 still running somewhere? Coverage may be denied.
- No offline or immutable backups — If you can't prove you have backup copies that an attacker with your production credentials cannot delete or overwrite, the claim can be denied.
- Failure to report within the notification window — Most policies require notification within 30 days. Some require it within 72 hours.
- Paying a sanctioned entity without checking OFAC — Your payment becomes illegal, and the insurer denies the claim.
- Not using the insurer's panel incident response firm — Some policies require you to use their approved IR team. Engaging an unapproved firm can void the claim, so confirm who is on the panel before an incident, not during one.
The ransomware payment debate
Some countries and regions are considering restricting ransom payments outright. The UK Home Office consultation on ransomware payments, combined with evolving US stances through the FBI and CISA, has created uncertainty. Even where ransom payments remain legal, insurers increasingly encourage NOT paying. The focus has shifted to rapid recovery using backups and incident response specialists.
The logic is simple: paying ransoms funds criminal enterprises, attracts repeat attacks, and 80% of businesses that pay are attacked again within the year. Most modern cyber insurance policies now emphasize recovery rather than payment.
Ransomware statistics (2025–2026)
- Average ransom demand: $1.5M+
- Average total cost of attack: $4.5M+ (including downtime, recovery, and incident response)
- Average downtime: 22 days
- Repeat attack rate: 80% of businesses that pay are attacked again
- Primary attack vector: Compromised credentials (especially without MFA)
- Target priority: SMBs are disproportionately targeted — higher success rate, less sophisticated defenses
How to ensure you're covered
Don't discover a coverage gap when you need it most. Verify these things now:
- Deploy MFA on everything. Non-negotiable. Email, VPN, RDP, admin portals, SaaS applications. Without MFA, many insurers won't write the policy, and a claim that starts with a stolen password is likely to be denied.
- Maintain offline/immutable backups. At least one backup copy must be air-gapped or immutable (write-once storage or object lock) so attackers can't delete it. Check that the copy cannot be deleted or overwritten using the same credentials your production systems and backup jobs use; if it can, it isn't immutable from the attacker's point of view.
- Test your backups regularly. A backup that hasn't been restored is just a false sense of security. Run a quarterly restore test, verify the restored data is complete and unaltered, and time it: if a full restore takes longer than your business interruption waiting period, that gap is yours to absorb.
- Have a documented incident response plan. Who calls who? What's the process? Your insurer will ask for this if a claim happens.
- Check your policy sub-limits for ransomware. Call your broker. Get the specific dollar amount for ransomware coverage. If it's too low, consider raising it.
- Understand your waiting period. Know exactly how long business interruption coverage is suspended. If it's too long, shop around.
- Know your insurer's notification requirements. Can you call them? Email them? Is there a specific claims form? Get the contact details in advance.
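The restore test described in the checklist above, as an added example (not code from this page or from any insurer): it backs up a directory, restores it elsewhere, and checks every restored file against a SHA-256 manifest that is kept separately from the archive, so an archive that was deleted, replaced or silently altered fails verification. It also times the restore against an assumed 8-hour waiting period. The sample files, paths and the waiting-period figure are all constructed for the example.

```python
"""Backup restore test: back up a directory, restore it somewhere else, and
verify every file against a manifest stored apart from the archive.

Added example; not code from the page or any insurer. The sample data, the
paths and the 8-hour waiting period are constructed for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (POSIX path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src and return its manifest. Keep the manifest on a
    separate, ideally immutable, target: if the archive is later swapped or
    encrypted, the verifier still has a trustworthy reference."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return build_manifest(src)


def restore_and_verify(archive: Path, manifest: dict, dest: Path,
                       waiting_period_hours: float) -> dict:
    """Extract the archive into dest and compare the result with the manifest."""
    started = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # blocks path traversal (3.12+/backports)
        except TypeError:                       # older Python without the filter kwarg
            tar.extractall(dest)
    elapsed = time.monotonic() - started
    restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(set(restored) - set(manifest))
    return {
        "ok": not (missing or corrupt or unexpected),
        "missing": missing,
        "corrupt": corrupt,
        "unexpected": unexpected,
        "restore_seconds": elapsed,
        "within_waiting_period": elapsed <= waiting_period_hours * 3600,
    }


def run_restore_test() -> tuple:
    """Back up constructed sample data, restore it intact, then replace the
    archive with one built after an attacker altered and deleted files to
    show that the separately stored manifest catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")  # constructed
        (src / "config.yaml").write_text("retention_days: 30\n")               # constructed
        archive = tmp / "nightly.tar.gz"
        manifest = create_backup(src, archive)
        (tmp / "nightly.manifest.json").write_text(json.dumps(manifest, indent=2))

        good = restore_and_verify(archive, manifest, tmp / "restore_good", 8)

        # Simulated tampering: source modified and a file removed, then the
        # archive overwritten, as an attacker with backup credentials could do.
        (src / "db" / "customers.csv").write_text("id,name\n1,Mallory\n")
        (src / "config.yaml").unlink()
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        bad = restore_and_verify(archive, manifest, tmp / "restore_bad", 8)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("intact archive", "tampered archive"), run_restore_test()):
        print(f"{label}: ok={result['ok']} missing={result['missing']} "
              f"corrupt={result['corrupt']} restore={result['restore_seconds']:.3f}s")
```

In production the manifest would be written to a different storage target than the archive (object-lock bucket, separate account, or offline media), and the restore would target a clean host rather than a temp directory; the check logic is the same. Keep the timing figures from each quarterly run so you can show the insurer, and yourself, that a full restore fits inside the waiting period.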
Ready to get covered?
Get matched with a specialist cyber insurance broker who'll ensure your ransomware coverage actually works for your business.