Ransomware Insurance in the US: OFAC Rules & Coverage Denials

Paying a ransom to an OFAC-sanctioned entity is a sanctions violation and will not be covered by your insurer. Understand OFAC compliance, FBI guidance, and why 40% of US ransomware claims are denied.

US ransomware insurance: OFAC compliance changes everything

American cyber insurance policies cover ransomware, but with a critical caveat: if you pay a ransom to a person or entity on OFAC's SDN (Specially Designated Nationals and Blocked Persons) list, the payment itself violates US sanctions law and the insurer will not reimburse it. The Office of Foreign Assets Control, part of the US Treasury, maintains the SDN list; its cyber-related designations include state-linked actors (Russia, North Korea, Iran) as well as criminal ransomware operators and the cryptocurrency addresses attributed to them. Several prominent ransomware groups, their leaders, and affiliates have been designated, and the list changes frequently, so a check performed last quarter is not a current check.

The FBI, CISA, and the US Treasury actively discourage ransom payments. OFAC's October 2020 advisory on ransomware payments (updated in September 2021) states that payments to sanctioned persons may violate the International Emergency Economic Powers Act on a strict-liability basis: the payer can be penalised even without knowing the recipient was sanctioned, although prompt reporting to law enforcement and a documented sanctions-compliance programme are treated as mitigating factors. Your insurer, or the negotiation firm it retains, will screen the threat actor before funding any payment.

  • OFAC screening is mandatory. Before any negotiation or payment, screen every identifier you have for the threat actor (group name, aliases, affiliate handles, cryptocurrency wallet addresses) against the current SDN list using Treasury's Sanctions List Search (sanctionssearch.ofac.treas.gov) or the downloadable SDN files, and keep a record of the check. Attribution from a ransom note alone is often uncertain, so involve your insurer's IR team and counsel rather than relying on a single lookup.
  • Ransom payments to non-sanctioned actors. If the actor is not sanctioned, extortion coverage is typically available (subject to the policy's sub-limit and the insurer's prior consent), but insurers now discourage payment. Industry surveys report that roughly 80% of victims who paid were attacked again within 12 months, and payment guarantees neither a working decryptor nor deletion of stolen data.
  • Business interruption coverage. Covers lost revenue and extra expense during downtime. US policies typically impose an 8–24 hour waiting period (a deductible measured in time) before coverage starts; shorter waiting periods attract higher premiums.
  • Incident response and forensics. Covered regardless of the ransom decision: investigation, containment, threat-actor negotiation (if pursued), and recovery specialists, usually drawn from the insurer's panel.

US law enforcement guidance on ransom payments

Key Contacts for US Ransomware Reporting

  • FBI Cyber Division: Contact your local FBI field office or IC3.gov (Internet Crime Complaint Center)
  • CISA (Cybersecurity & Infrastructure Security Agency): Offers free incident response resources; report at central.cisa.dhs.gov or report@cisa.gov
  • Secret Service: Investigates financially motivated cybercrime; report at usss.gov

The FBI's official position is clear: do not pay ransoms. Payments fund criminal enterprises, incentivise future attacks, and provide no guarantee of data deletion. The US Treasury has issued multiple advisories (from OFAC and FinCEN, in 2020 and 2021) warning organisations, and the incident response and payment-facilitation firms they hire, of the sanctions and anti-money-laundering obligations that attach to ransom payments.

CISA and the FBI publish joint #StopRansomware advisories for many major ransomware variants (LockBit, ALPHV/BlackCat, and others) with indicators of compromise, observed tactics, and mitigations, and CISA maintains a ransomware guide covering containment and recovery without paying. Many healthcare providers and critical infrastructure operators have recovered from backups with incident response support and without payment.

What voids US ransomware coverage

US insurers have become aggressive about claim denials. These are the top reasons claims fail:

  • No multi-factor authentication (MFA). The #1 denial reason. If you lack MFA on email, VPN, RDP, and admin portals, coverage is often denied outright or capped by a sub-limit (for example $100K on a $1M policy).
  • OFAC violation. Paying a sanctioned entity is not covered, and the payment itself exposes you to OFAC penalties.
  • Late notice. Policies require prompt notice of a suspected incident to the insurer, often within days; late notice can void the claim. Regulators run separate clocks: entities regulated by the New York Department of Financial Services must notify DFS within 72 hours of a cybersecurity event and within 24 hours of any extortion payment (23 NYCRR Part 500). Insurer notice conditions and regulatory deadlines are different obligations; meet both.
  • Not using insurer's IR panel. Some policies mandate using the insurer's approved incident response firm. Using a different firm may result in partial or full denial.
  • End-of-life operating systems. Windows 7, Server 2008, or other unsupported systems on the network, especially if the application stated there were none, can lead to denial or rescission of the policy for misrepresentation.
  • No immutable or offline backups. If every backup is reachable from the production network (so attackers can encrypt or delete it), coverage may be denied.
Critical: Before purchasing a cyber policy, ask your broker in writing what specific conditions void ransomware coverage. Then verify you can meet those conditions with a security audit before a claim happens.

Recent US ransomware incidents

Notable US Ransomware Cases (2024–2026)

  • Change Healthcare (2024): ALPHV/BlackCat ransomware attack that disrupted claims processing and pharmacy transactions nationwide. UnitedHealth Group later confirmed paying a $22M ransom, after which a second group publicly claimed to hold the stolen data. ALPHV/BlackCat was not an OFAC-designated entity; the case shows that payment buys neither deletion of data nor a fast recovery.
  • Ascension (2024): Ransomware (reported as Black Basta) forced hospitals across its network onto manual downtime procedures for weeks. Ascension later notified about 5.6M individuals, triggering HIPAA and state breach-notification obligations across the states in which it operates.
  • Washington State (2025): Cyberattack on state government systems disrupted licensing and benefits. No ransom paid; recovery took 8 weeks.

US ransomware statistics 2025–2026

  • Average ransom demand in US: $2.1M (up 23% from 2024)
  • Average total incident cost: $4.5M (including downtime, recovery, forensics, notification)
  • Average downtime: 22 days
  • Ransomware claim denial rate: 40% (mostly MFA-related or policy violations)
  • Organisations that paid and were re-attacked: 80% within 12 months
  • Primary attack vector: Compromised credentials (86% of breaches start with weak or stolen credentials)
  • Most targeted sectors: Healthcare (27%), Manufacturing (19%), Professional Services (12%)

How to ensure coverage in the US

  • Deploy MFA on everything. Email, VPN, RDP (better still, no RDP exposed to the internet), cloud admin portals, SaaS apps, and all privileged accounts. This is non-negotiable for US insurers.
  • Maintain offline/immutable backups. At least one backup must be air-gapped (not connected to your network) or immutable (attackers cannot modify or delete it), and you must test restores from it.
  • Verify OFAC compliance procedures. Have a documented, repeatable process for screening threat-actor identifiers (names, aliases, wallet addresses) against the current SDN list before any negotiation or payment, and keep the evidence of each check.
  • Understand your state's notification requirements. NY DFS-regulated entities must notify DFS within 72 hours of a cybersecurity event and within 24 hours of an extortion payment; other states and sectors have their own clocks, and your policy has its own notice condition. Missing the policy's notice condition can void the claim.
  • Document incident response plan. Write and test a plan. Your insurer will ask for this if a claim occurs.
  • Check ransomware sub-limits. Your $5M policy may have a $500K–$1M sub-limit for ransomware. Ask your broker for the exact number.
  • Verify incident response panel. Ask if your insurer mandates using their IR team. If so, get those contact details in advance.
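The OFAC screening step described under "OFAC screening is mandatory" and "Verify OFAC compliance procedures" is usually done by the insurer's IR panel, but a documented process needs something concrete behind it. The script below is an added example, not code from this page, the insurer, or the Treasury. It assumes the column layout of Treasury's downloadable sdn.csv and alt.csv exports (the "-0-" empty-field marker, the "PROG1] [PROG2" program notation, and "Digital Currency Address - XBT <address>" strings inside the Remarks column); the rows embedded in it are constructed and name no real designation. It screens wallet addresses exactly and group names and aliases fuzzily, with a token-sorted comparison so "DOE, JANE" and "Jane Doe" match, and returns BLOCK on any hit.

```python
"""Screen ransomware extortion indicators against an OFAC SDN export (added example)."""
from __future__ import annotations
import csv, io, re, unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# CONSTRUCTED rows in the sdn.csv column layout assumed here (ent_num, SDN_Name, SDN_Type,
# Program, Title, Call_Sign, Vess_type, Tonnage, GRT, Vess_flag, Vess_owner, Remarks;
# "-0-" marks an empty field). These are not real designations.
SAMPLE_SDN_CSV = (
    '90001,"EXAMPLE RANSOM CARTEL",-0- ,CYBER2,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,'
    '"Digital Currency Address - XBT bc1qexample0sdn0wallet0addr00000000000; '
    'Organization Established Date 2019; Target Type Private Company"\n'
    '90002,"DOE, JANE",individual,CYBER2,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,'
    '"DOB 01 Jan 1990; Digital Currency Address - ETH '
    '0xAbCdEf0000000000000000000000000000000001; (Linked To: EXAMPLE RANSOM CARTEL)"\n'
)
# CONSTRUCTED rows in the alt.csv layout (ent_num, alt_num, alt_type, alt_name, remarks).
SAMPLE_ALT_CSV = '90001,1,aka,"EXAMPLE CARTEL",-0- \n90001,2,aka,"XCARTEL",-0- \n'
ADDR_RE = re.compile(r"Digital Currency Address - (?P<coin>[A-Z0-9]+) (?P<addr>[A-Za-z0-9]+)")

@dataclass
class SdnEntry:
    ent_num: str
    name: str
    programs: list[str]
    aliases: list[str] = field(default_factory=list)
    addresses: dict[str, str] = field(default_factory=dict)  # address -> coin code

@dataclass
class Match:
    indicator: str
    ent_num: str
    sdn_name: str
    reason: str
    score: float

def _clean(value: str) -> str:
    value = value.strip()
    return "" if value == "-0-" else value

def load_sdn(sdn_text: str, alt_text: str = "") -> list[SdnEntry]:
    """Parse SDN rows and aliases; lift digital-currency addresses out of Remarks."""
    entries: dict[str, SdnEntry] = {}
    for row in csv.reader(io.StringIO(sdn_text)):
        if len(row) < 12:
            continue
        ent_num, name, _sdn_type, program = (_clean(c) for c in row[:4])
        # Multiple programs are written as "PROG1] [PROG2" in the export (assumed layout).
        programs = [p.strip("[] ") for p in re.split(r"\]\s*\[", program) if p.strip("[] ")]
        entry = SdnEntry(ent_num, name, programs)
        for m in ADDR_RE.finditer(_clean(row[11])):
            entry.addresses[m.group("addr")] = m.group("coin")
        entries[ent_num] = entry
    for row in csv.reader(io.StringIO(alt_text)):
        if len(row) >= 4 and _clean(row[0]) in entries and _clean(row[3]):
            entries[_clean(row[0])].aliases.append(_clean(row[3]))
    return list(entries.values())

def normalize_name(name: str) -> str:
    """Fold accents, drop punctuation, upper-case, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^A-Za-z0-9 ]+", " ", text).upper().split())

def token_key(name: str) -> str:
    """Sorted tokens, so 'DOE, JANE' and 'Jane Doe' compare equal."""
    return " ".join(sorted(normalize_name(name).split()))

def same_address(a: str, b: str) -> bool:
    """Hex (0x) and bech32 (bc1) addresses are case-insensitive; base58 is not."""
    a, b = a.strip(), b.strip()
    if a.lower().startswith(("0x", "bc1")):
        return a.lower() == b.lower()
    return a == b

def screen(names, addresses, entries, threshold: float = 0.85) -> list[Match]:
    """Exact match on wallet addresses, fuzzy match on names and aliases."""
    hits: list[Match] = []
    for addr in addresses:
        for e in entries:
            for sdn_addr, coin in e.addresses.items():
                if same_address(addr, sdn_addr):
                    hits.append(Match(addr, e.ent_num, e.name, f"{coin} address", 1.0))
    for raw in names:
        probe = token_key(raw)
        for e in entries:
            best = max(SequenceMatcher(None, probe, token_key(n)).ratio() for n in [e.name, *e.aliases])
            if probe and best >= threshold:
                hits.append(Match(raw, e.ent_num, e.name, "name/alias similarity", round(best, 3)))
    return hits

def payment_decision(names, addresses, entries):
    """Any SDN hit means stop: no negotiation, no payment, escalate to counsel and insurer."""
    hits = screen(names, addresses, entries)
    return ("BLOCK" if hits else "NO_SDN_MATCH"), hits

if __name__ == "__main__":
    sdn = load_sdn(SAMPLE_SDN_CSV, SAMPLE_ALT_CSV)
    # Constructed indicators, as they might be lifted from a ransom note and negotiation chat.
    decision, found = payment_decision(["Example Cartel, LLC", "Notorious Crew"],
                                       ["bc1qexample0sdn0wallet0addr00000000000"], sdn)
    print(decision, *[f"\n  {h.indicator!r} -> {h.ent_num} {h.sdn_name} ({h.reason}, {h.score})" for h in found])
```

Run it against the live sdn.csv and alt.csv from treasury.gov rather than the constructed rows, re-download the files for every check, and archive the output with the date and the indicators screened. A clear result only means no match was found against the identifiers you had: attribution from a ransom note is frequently wrong, affiliates move between groups, and OFAC liability is strict, so the screen supports the decision by counsel and the insurer rather than replacing it.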

Get protected against ransomware in the US

Find a specialist cyber insurance broker who ensures your ransomware coverage accounts for OFAC rules, state regulations, and your actual security posture.
