At first glance, ransomware insurance seems a good idea. It is designed to protect businesses against financial losses from the encrypt-and-extort attacks that now plague both the public and private sectors: companies pay monthly or annual premiums for coverage against data breaches and, if an attack occurs, they can file claims for the reimbursement of associated costs.
The basic concept dates back to 1997 when the first cyber insurance policy emerged as “Internet Security Liability” coverage. Since then, its adoption has grown dramatically. By 2024, approximately 90% of businesses with 100-5,000 employees had some form of cyber insurance coverage, reflecting the growing awareness of ransomware risks.
Insurance premiums also shot up in this period, with some quarters seeing increases of up to 100%. This trend makes perfect sense – ransomware attacks, after all, have grown 71% year-on-year since the early 2020s. By 2023, nearly three-quarters of businesses had experienced such an incident, making this a critical concern for organisations of all sizes. However, far from teaching a valuable lesson about basic cybersecurity to the private sector, many businesses have instead chosen to rely on ransomware insurance as the linchpin of their response to major breaches.
This is extremely dangerous. For one thing, relying on an insurance provider to offset the cost of a ransom does nothing to aid in the restitution of any data stolen in such an attack or guarantee the restoration of access to your company’s systems.
Many ransomware insurance packages also do not protect against third-party claims – a concerning phenomenon when so many ransomware gangs infiltrate enterprises through third parties via supply chain attacks. The third-party policies that do exist, meanwhile, are often expensive and overlooked by the majority of potential customers.
Indeed, some organisations don’t even bother with ransomware insurance, relying on general property and casualty insurance that supposedly includes cyber protection. Providers of “silent cyber coverage” are rarely explicit in what they cover, which can lead to lengthy disputes when ransomware attacks do end up happening. Common exclusions include intellectual property loss, future profit losses and damage to systems caused by breaches triggered by company insiders.
Even when payouts are agreed in principle, the amounts shelled out by insurance providers rarely cover the full damage inflicted by a ransomware attack. While the average cost of a data breach is around $5 million as of 2024, some incidents can result in billions in damages if you take into account time and effort spent getting back up and running, forensics costs, loss of customer base – even potentially shutting down an entire company.
Perhaps most concerning of all is how cyber insurance might actually contribute to the ransomware epidemic. When attackers know a company has insurance coverage for ransomware payments, they are more likely to target that organisation in the expectation that a payment from the victim’s insurance provider is an inevitability, creating a vicious cycle in which coverage ironically leads to more attacks and higher ransom demands.
Is ransomware insurance completely bad?
My position, based on the thousands of companies I have helped prepare for a cyberattack, is that cyber insurance isn’t inherently a bad thing if requirements are in place to encourage businesses to demonstrate robust security practices. This means that before providing coverage – much like life insurance requires a doctor’s check-up – cyber security health checks must be in place to ensure there is a comprehensive ransomware protection strategy. This approach not only creates a more sustainable security ecosystem but also reduces incentives for cybercriminals to attack an organisation in the first place.
But what can a company do that will effectively establish a last line of defence against ransomware? At the very least, organisations need to invest in backup and disaster recovery management tools that simplify preventive measures and recovery capabilities. This also means enforcing zero-trust authentication and access controls, developing and regularly testing full-environment incident response plans and maintaining up-to-date security patches and system updates.
In other words, if a company can recover from a breach immediately, restore backups from an off-site location and ensure a healthy failover, there is no need to pay the ransom. By that point, the very concept of ransomware insurance becomes – hopefully – a moot point.
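The article's last line of defence rests on backups that are verified to restore, not merely taken. The following restore drill is an added example, not code from the article or from N2WS: it assumes a tar.gz backup accompanied by a JSON manifest (a constructed format), uses a constructed sample dataset, and checks the three properties a recovery plan depends on: the archive is intact, it is fresh enough to meet the recovery point objective, and every file actually comes back with the right contents when extracted. It also exercises the failure modes (a corrupted archive, a stale copy) so the check is seen to fail when it should.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample dataset standing in for production data (not from the article).
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.yaml": b"db_host: db.internal\nretention_days: 30\n",
}


@dataclass
class DrillResult:
    hash_ok: bool = False     # archive matches the hash recorded at backup time
    age_ok: bool = False      # copy is fresh enough to satisfy the RPO
    restore_ok: bool = False  # every file extracted and matched its recorded hash
    problems: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return self.hash_ok and self.age_ok and self.restore_ok


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(dest_dir: str, files: dict, taken_at: Optional[float] = None):
    """Write a tar.gz of `files` plus a manifest of hashes and capture time.
    In practice the manifest lives with the off-site/immutable copy, so whoever
    corrupts the archive cannot also rewrite the record of what it should contain."""
    archive = os.path.join(dest_dir, "backup.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {
        "sha256": sha256_file(archive),
        "taken_at": time.time() if taken_at is None else taken_at,
        "files": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()},
    }
    manifest_path = os.path.join(dest_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return archive, manifest_path


def restore_drill(archive: str, manifest_path: str, max_age_hours: float = 24,
                  now: Optional[float] = None) -> DrillResult:
    """Check integrity, freshness and real restorability of one backup copy."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    result = DrillResult()

    # 1. Integrity: a silently corrupted or tampered archive fails here.
    result.hash_ok = sha256_file(archive) == manifest["sha256"]
    if not result.hash_ok:
        result.problems.append("archive hash does not match manifest")

    # 2. Freshness: an old copy means lost work even if it restores cleanly.
    now = time.time() if now is None else now
    age_h = (now - manifest["taken_at"]) / 3600
    result.age_ok = age_h <= max_age_hours
    if not result.age_ok:
        result.problems.append(f"backup is {age_h:.1f}h old, RPO is {max_age_hours}h")

    # 3. Restorability: extract into scratch space and compare every file's hash.
    #    Entries with absolute or '..' paths are refused rather than written.
    if result.hash_ok:
        restored = {}
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():
                if not m.isfile() or m.name.startswith("/") or ".." in m.name.split("/"):
                    result.problems.append(f"refused unsafe or non-file entry {m.name!r}")
                    continue
                target = os.path.join(scratch, m.name)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                restored[m.name] = sha256_file(target)
        missing = [n for n in manifest["files"] if n not in restored]
        changed = [n for n, h in restored.items() if manifest["files"].get(n) != h]
        result.restore_ok = not missing and not changed
        result.problems += [f"missing after restore: {n}" for n in missing]
        result.problems += [f"restored file differs from manifest: {n}" for n in changed]
    return result


def run_scenarios() -> dict:
    """Drill one backup three ways: intact, judged 72h later, and after corruption."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        archive, manifest = create_backup(d, SAMPLE_FILES)
        out["intact"] = restore_drill(archive, manifest)
        out["stale"] = restore_drill(archive, manifest, now=time.time() + 72 * 3600)
        with open(archive, "ab") as f:  # simulate bit-rot or tampering of the copy
            f.write(b"\x00garbage")
        out["corrupted"] = restore_drill(archive, manifest)
    return out


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:10s} {'PASS' if r.passed else 'FAIL'} {r.problems}")
```

A drill like this belongs in the regularly tested incident response plan the article calls for: run it against the off-site copy on a schedule, alert on any failed result, and keep the manifest somewhere the backup host cannot overwrite, since a backup whose integrity record sits next to it offers no evidence once the host is compromised.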
Sebastian Straub is a principal solutions architect at N2WS