Ransomware Insurance: What It Covers and What It Requires
According to the Sophos State of Ransomware 2024 report, the average cost to recover from a ransomware attack reached $2.73 million, not counting the ransom payment itself. For SMBs without the capital reserves to absorb that kind of loss, insurance is the obvious answer. The problem is that most businesses discover coverage gaps and claim denials only after the attack has already happened.
This guide covers what ransomware insurance actually pays for, the security controls underwriters require before issuing a policy, the exclusions most likely to kill a claim, and the sub-limit problem that leaves SMBs underinsured even when coverage technically exists.
Ransomware Insurance vs. Cyber Insurance: What’s the Difference?
Ransomware insurance is not a standalone product. The term refers to the cyber extortion and ransomware-specific provisions bundled inside a broader cyber liability policy. When businesses search for ransomware insurance, they almost always end up purchasing a full cyber liability policy that lists ransomware as a covered peril.
A standard cyber insurance policy covers multiple risk categories:
- First-party costs: ransom payments, forensic investigation, and system restoration
- Third-party liability: breach notification and regulatory defense
- Business interruption: lost revenue while systems are unavailable
Insurers call the ransomware component “cyber extortion coverage” or a “ransomware endorsement” within the broader policy, not a separate product category.
There is no ransomware-only insurance product on the market for SMBs. Understanding this distinction matters when reviewing the policy: ransomware sub-limits and exclusions are embedded within the broader cyber liability contract, not highlighted in a separate product summary.
What Ransomware Coverage Typically Pays For
A cyber policy with ransomware coverage addresses costs across multiple phases of an attack. The covered categories typically include:
- Ransom payment: the actual cryptocurrency demand paid to attackers, covered up to the policy limit or a cyber extortion sub-limit specific to ransomware events
- Incident response and forensics: the cost of an outside firm investigating how attackers gained access and whether data was exfiltrated before encryption
- Data and system restoration: labor, licensing, and tools required to rebuild encrypted or destroyed infrastructure from backup
- Business interruption: lost revenue during the period systems are unavailable, typically subject to a waiting period of 8 to 12 hours before coverage activates
- Breach notification and credit monitoring: regulated notification costs and monitoring services when personal data was stolen alongside the encryption event
- Regulatory defense: legal fees if a government agency investigates the incident, particularly relevant for healthcare, financial services, and retail SMBs subject to HIPAA or FTC Safeguards
Paying the ransom does not guarantee data recovery. Many businesses pay and still rebuild from backup. Coverage for system restoration is often more valuable than ransom payment coverage in practice.
What Underwriters Require Before They’ll Cover You
Carriers no longer issue cyber policies based on revenue and industry alone. Underwriting questionnaires now function as technical audits, and failing to meet the listed requirements does not just affect your premium. Misrepresentation on controls can void coverage entirely if an attack occurs.
The controls underwriters consistently require include:
- Multi-factor authentication (MFA) active on every remote access path: VPN, RDP, Microsoft 365 admin accounts, and cloud-based line-of-business applications. This is a near-universal hard requirement, not a recommendation. For a detailed breakdown of exactly what carriers expect, see the guide to MFA requirements for cyber insurance.
- Endpoint detection and response (EDR) deployed across all managed workstations and servers, not just behind a perimeter firewall.
- Offsite, immutable backups tested on a regular schedule, with documented evidence that backups survive an encryption event.
- Privileged access management limiting who can install software, change system configurations, or access sensitive data repositories.
- Security awareness training completed by all staff within the past 12 months.
- A written incident response plan. An increasing number of application questionnaires ask for confirmation that one exists, and some carriers request a copy.
Chicago-area SMBs that work with a provider of Chicago managed IT services can close most of these gaps before submitting an application. Addressing them proactively beats scrambling when an underwriter finds the shortfalls at renewal.
Why Ransomware Claims Get Denied
Filing a ransomware claim does not guarantee payment. Insurers examine the circumstances carefully, and several scenarios consistently lead to denial or policy voidance.
Misrepresentation on the application is the most severe outcome. If the business certified that MFA was deployed everywhere and it was not, the insurer can void the entire policy, not just deny the individual claim. The business recovers nothing.
The act of war exclusion became a flashpoint after the NotPetya attack was attributed to the Russian military. Lloyd’s of London and other major insurers invoked this clause to deny claims from businesses that were collateral damage in nation-state cyber operations. Whether destructive ransomware campaigns qualify as acts of war, even when the victim is a private SMB with no connection to the conflict, is still being tested under current policy language.
Additional denial triggers to understand before a claim occurs:
- Late reporting: most policies require notification to the insurer within 48 to 72 hours of discovering a breach; businesses that attempted quiet internal remediation before calling the carrier have had claims denied on this basis alone
- Prior known incidents: if the attacker established persistent access before the policy’s inception date, the insurer can argue the event predates coverage and deny accordingly
- Lapsed controls: MFA or EDR that was active at application time but later removed or misconfigured gives the insurer grounds to deny on the basis that required controls were not continuously maintained
- Uncovered systems: legacy OT equipment, unmanaged IoT devices, and third-party SaaS platforms not listed in the application often fall outside the policy’s covered system definitions
These are not the only exclusions that can sink a claim. The full cyber insurance exclusions guide walks through the additional categories that routinely catch SMBs off guard.
The Ransomware Sub-Limit Problem
Following the surge in ransomware losses between 2020 and 2022, most cyber insurers introduced ransomware sub-limits: a per-event cap on ransomware-related payments that sits below the policy’s overall aggregate limit.
A business carrying a $2 million cyber insurance policy may discover at claim time that its ransomware sub-limit is $500,000 or less. The gap comes out of pocket, and this is not a rare scenario.
Sub-limits are not always prominently disclosed in policy summaries. Ask your broker explicitly before binding coverage:
- Is ransomware or cyber extortion subject to a sub-limit?
- What is the per-event cap?
- What restoration costs fall inside versus outside that cap?
Strong backup and recovery infrastructure reduces sub-limit exposure directly. If systems restore cleanly from tested backups, the ransom payment sub-limit matters far less than the data restoration coverage does.
Ransomware Insurance for Healthcare and Manufacturing
Two verticals face more acute ransomware exposure than most SMB sectors, and their coverage needs differ from a standard business policy in important ways.
Healthcare triggers HIPAA breach notification obligations alongside the insurance claim process. Underwriters writing healthcare cyber policies apply stricter controls and often require EHR-specific access controls and audit logging that general-purpose SMB policies skip.
The larger financial risk for medical practices and clinics is regulatory: penalties from the HHS Office for Civil Rights can exceed the ransom demand itself. Cyber extortion coverage combined with regulatory defense coverage is a necessity for healthcare SMBs, not an optional add-on.
Manufacturing faces a structural coverage gap. Operational technology (OT) and industrial control systems (ICS) are frequently excluded from standard cyber liability policies. Manufacturers need to confirm before an incident that shop-floor systems are either explicitly listed as covered systems or protected under a separate OT endorsement.
Attackers understand that downtime in production environments or patient-care settings creates immediate pressure to pay. According to Sophos sector research, ransom demands in healthcare and manufacturing consistently run higher than in other SMB sectors. Coverage gaps are therefore most expensive in exactly the settings where they’re most common.
Steps to Take Before You Apply or Renew
The application process is when most SMBs discover they are not as covered as they assumed. These steps let you find and close the gaps before the underwriter finds them for you.
- Audit MFA coverage across every remote access path before submitting an application. Gaps discovered post-claim carry financial and legal consequences that premiums alone cannot address.
- Run and document a backup restoration test. Insurers increasingly ask for evidence of recovery testing, not just confirmation that backups exist.
- Write or update your incident response plan before the application deadline, not after the attack. Carriers are starting to ask for plans, not promises.
- Work with a cyber-specialist insurance broker rather than a generalist property and casualty agent. Underwriting questions for ransomware coverage require technical context a generalist won’t capture accurately on your behalf.
- Ask every prospective carrier three questions: Is ransomware sub-limited? What is the per-event cap? What security controls must be continuously maintained for coverage to remain valid?
- Consider a pre-application security assessment to identify and close control gaps that would otherwise trigger exclusions, premium surcharges, or restrictive coverage conditions at binding.
For businesses across the Chicago area, outsourced IT support services can incorporate these steps into routine IT management, making renewal documentation a non-event.
Where to Go from Here
Ransomware insurance protects against a specific, high-consequence risk. Getting covered is the first step. Staying covered, and making sure the policy pays when needed, requires ongoing attention to the controls underwriters track from application date through claim date.
The businesses most likely to have ransomware claims paid are the ones that treated their insurance application as a security checklist. They deployed MFA before submitting. Backups were tested and documented before renewal. When the attack came, a written incident response plan was already in place.
When ransomware exposure becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward.
Before your next application or renewal, talk to LeadingIT about Chicago cybersecurity services to see which security gaps would matter most to an underwriter, or call 815-788-6041.