Does Cyber Insurance Drive Up Ransom Demands?

The ransomware market continues to boom, and some stakeholders believe cyber insurance adds fuel to the fire.

Carrie Pallardy, Contributing Reporter

December 3, 2024


A ransomware attack can be financially ruinous for a company. In the first half of 2024, the average ransom demand was $5.2 million, according to Comparitech. Whether or not companies pay the threat actors' demands, they must contend with the financial fallout of downtime, remediation, and brand damage. Cyber insurance can help companies cover those costs. But does insurer coverage of ransom payments encourage threat actors to keep extorting victims and raising their demands? 

Anne Neuberger, US deputy national security adviser for cyber and emerging tech, argues that it does. In an op-ed penned for the Financial Times, she calls for insurance companies to stop covering ransomware payments. “Some insurance company policies -- for example covering reimbursement of ransomware payments -- incentivize payment of ransoms that fuel cybercrime ecosystems,” she wrote.  

InformationWeek spoke to four cybersecurity and insurance experts about the cyber insurance market and ransomware trends to better understand the relationship between the two.  

Savvy Cybercriminals 

The value of the cyber insurance market is in the billions. Nine in ten organizations with 100 to 5,000 employees have some type of cyber insurance coverage, whether as a standalone policy or as a component of a more general policy, according to a report from cybersecurity company Sophos.  


The amount of cyber insurance coverage and policy details vary widely depending on the insured and its insurance carrier. But some cybercriminals could be savvy enough to find that information and use it to their advantage. If they know an insured’s policy limit, why not demand that exact amount?  

During his time as a cyber insurance underwriter, Andrew Correll, senior director, cyber insurability at SecurityScorecard, a cybersecurity ratings and response company, heard about this happening.   

“You could make a very strong inference that the threat actor was referring to policy documents in the course of their negotiations,” he shares.  

Of course, not all threat actors are going to be able to find policy documents or even take the time to seek them out. In many cases, ransomware attacks are opportunistic in nature. Cybercriminals scan for vulnerabilities and pounce on them, not necessarily knowing or caring if the victim has cyber insurance coverage.  

But the possibility that cybercriminals might sniff out insurance information is enough to consider the sensitivity of policy documents. Mark Millender, senior advisor of global executive engagement at endpoint management platform Tanium, says that keeping these documents offline is a standard recommendation from insurance carriers.  


“Best practice is for anybody who has a cyber insurance policy to keep that policy in a paper file cabinet, not on their computer system,” he says. “In the modern world, we're just used to getting documents electronically and storing them electronically. So, I don't know … what the take up on that recommendation is.” Millender clarified that insurers still recommend keeping the policy offline, but as organizations grow accustomed to storing their records electronically, that recommendation is increasingly seen as outdated.

Insurance and Ransomware Payments 

Ransomware payments have skyrocketed. In 2024, blockchain analysis firm Chainalysis reported a $75 million ransomware payment. The firm describes a trend of “big game hunting” in which some ransomware groups carry out fewer attacks, instead carefully selecting targets with more money to extort.  

When ransom demands soar into the multi-millions, insurance is a no-brainer for enterprise leaders thinking about risk management. “Having a cyber insurance policy that covers some level of ransomware extortion, it's almost like a lifeline to most organizations that just don't have the cash on-hand,” says Correll.  


But are insured companies more likely to pay a ransom demand? Insurance coverage could mean they don’t have to dig into their own pockets.   

“It's really hard to pull a data point to indicate whether that's true or false,” says Peter Hedberg, vice president, cyber underwriting at Corvus, a cyber insurance subsidiary of Travelers Insurance. After all, many ransomware attacks go unreported.  

One study included interviews with 96 professionals in cybersecurity, cyber insurance, policy, ransomware negotiation, and law enforcement. The interview subjects were asked whether they believed insureds would be more likely to pay ransoms. The answers varied.  

Some respondents noted that paying the ransom may ultimately be less expensive than the alternative: rebuilding after the damage caused by a ransomware attack. Others noted that paying doesn’t guarantee a smooth fix; decryption keys may not work, and root cause analysis and remediation are still necessary. Paying a ransom, or not, is a business decision.  

If an insured opts to pay a ransom and file a claim with their insurance carrier to cover the cost, that doesn’t necessarily mean the threat actors will get exactly what they demand. “There's a very, very large difference between what is demanded and what they actually get in the end, if anything,” says Hedberg.  

In his experience, ransom payouts in the cyber insurance industry are getting less frequent. “We don't pay them nearly as often as we once did,” Hedberg says. “The good news is whether it be just through awareness or whether it be from underwriting requirements coming from the cyber insurance industry, the general cyber hygiene of a lot of US businesses is getting much better.” 

Cybersecurity awareness may be improving, but there is still plenty of money to be made in ransomware. Thus far, the insurance industry has been able to manage even those eye-watering claims in the millions. “Bear in mind, these insurance companies are used to seeing hundreds of millions of dollars paid out in property claims if not billions of dollars in property claims. So, even a $40 million ransomware payout to them is … not a lot of capital,” says Blake Antrim, vice president of professional liability at Novatae Risk Group, a wholesale and specialty insurance brokerage.  

Despite the prevalence of ransomware and other cyber risks, cyber insurance rates are dropping. Rates soared in 2021 and 2022, but they are down 15% from the peak in mid-2022, according to the Global Cyber Insurance Pricing Index from global insurance group Howden.  

“It's a great time for buyers to get in and start buying higher limits and buying better coverage,” says Antrim. 

Inevitably, the insurance market changes. What if the industry experiences an uptick in catastrophic (CAT) exposure related to ransomware?  

“When we start seeing more aggregated claims and more limit losses for aggregated software providers like a CrowdStrike [or] the car dealership exposure that we recently had … we're going to start seeing claims hitting $100 - $200 million in the CAT exposure,” says Antrim. “I think that's going to be where we start seeing that affect rate structure as a whole.” 

When Cyber Insurance Doesn’t Pay 

Having cyber insurance does not guarantee that the insurer will pick up the tab for a ransom demand. Law enforcement discourages paying ransoms, but doing so is not illegal, except when the group demanding payment is on the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions list. For example, the ransomware group Conti and several individuals involved in it were sanctioned by the US and UK.  

Insurance companies are not going to make illegal payments on behalf of their insureds. But threat actor groups are well aware of the consequences of sanctions. “When these groups do get identified by Treasury, they tend to just disband and reconstitute as a new group,” says Hedberg.  

There have also been legislative efforts to prohibit ransom payments. For example, North Carolina passed a law that bans state and local government entities from paying ransom demands following a ransomware attack, according to GovTech. Florida has a similar law.  

As with any type of insurance coverage, the devil is in the details. An insurance company could deny a claim and not pay a ransom demand based on an entity’s policy terms. Organizations need to understand those potential gaps in coverage. 

“People really need to dig in and understand what are those exclusions, when are they not going to get covered,” says Millender. “The worst thing to happen is to figure out after the fact that you weren't covered for something that you thought you were covered for.” 

If an enterprise’s policy will cover a ransom payment, arriving at that decision is not immediate.  

“Paying the ransom is typically the last resort,” says Antrim. “They will try any and all means to regain control of the system before they even consider that as an option.” 

If an organization has offline backups, it may be able to recover from a ransomware attack without paying for a decryption key, which may or may not work in any case.  

An Evolving Cyber Insurance Market  

In her op-ed, deputy national security adviser Neuberger calls out insurance companies for paying ransom demands, but she also notes the positive impact the industry can have on combating ransomware. She calls for requiring effective cybersecurity measures as part of the underwriting process.  

“Cyber insurers … don't want to be seen as continuing to fuel the ransomware epidemic,” says Correll. And there is an appetite for more stringent underwriting requirements.  

Cyber insurance carriers, of course, ask prospective insureds about their cybersecurity posture. Do they have multi-factor authentication in place? Do they encrypt their data? Do they leverage an endpoint detection and response system? Do they keep up with patching vulnerabilities? The answers to these questions are typically given via self-attestation. But self-attestation has its weaknesses.  

“Even on a perfect day that questionnaire, that view of what an applicant’s environment looks like it's likely to change tomorrow, the next week, the next month,” says Correll.  

The industry could see changes to underwriting that paint a more accurate picture of an organization’s risk. “What the insurers that I [talk] to want is … validation from actual reports,” says Millender. “The trend is the insurers want that better data to make their underwriting decisions, but they're not there yet in terms of ability to get that data.” 

As cyber insurance underwriting evolves, carriers will need to take into consideration new technology that could rewrite the cyber threat and defense landscape. AI and quantum computing, for example, are going to be in the hands of ransomware groups and in the hands of their would-be victims. How could this impact the future of ransomware payments? 

On one hand, AI and quantum computing could fuel a higher volume of even more effective ransomware campaigns. The more victims, the more potential payouts. 

On the other hand, these technologies give defenders the opportunity to thwart threats. AI is being used to detect deepfakes. Quantum computing might give people the power to break encryption. “Does that theoretically make ransomware less potent?” asks Correll.  

Insurers could also use promising new technology to improve underwriting by gaining more insight into risk and make the process more efficient. That combination of better analysis and speed could potentially mean lower premiums for companies that have strong cyber defenses in place.  

AI and quantum computing are tools that represent both risks and opportunities, but the impact they will have on the still-thriving ransomware ecosystem is not yet known.   

“We're evaluating what happens, and I can't say so far materially anything major has happened,” says Hedberg. “The answer right now from the insurance industry is cognizance, vigilance, caution, [and] awareness.” 

New technology, legislative changes, and more stringent underwriting could reshape the ransomware ecosystem, but for now there is still money to be made for threat actors, and cyber insurance will remain a tool for enterprises to offset that risk.  

About the Author

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
