The cyber insurance market has changed significantly over the past five years. Insurers are updating how they write policies, assess risk, and decide what events trigger coverage. These changes are largely driven by the rise and persistence of ransomware.
Ransomware continues to be one of the most expensive and disruptive types of cyberattack. It affects organizations across sectors, with losses that can reach millions of dollars per incident. As a result, insurance coverage terms and underwriting methods are evolving.
This article outlines current ransomware trends, how they influence insurance coverage triggers, and the ways insurers are responding.
In recent years, ransomware has become the most significant threat to cyber insurance profitability. These attacks lock organizations out of their systems until they pay a ransom, often causing business interruptions that last days or weeks.
Ransomware is malicious software that encrypts files and systems so their owner can no longer use them. Attackers typically gain access through weak points such as outdated firewalls, unpatched VPNs, or poorly secured remote access tools. Once inside, they encrypt critical files and demand payment in exchange for the decryption key.
While other cyber threats such as email fraud exist, ransomware causes the highest financial losses per incident. This has led insurance carriers to rethink how they insure ransomware events.
Many insurers now apply:
A coverage trigger is the specific event that activates an insurance policy and allows you to file a claim. For ransomware, these triggers have become more precisely defined and conditional.
In the past, simply experiencing a ransomware attack might trigger coverage. Today, insurers require certain security measures to be in place at the time of the attack for coverage to apply. This shift aims to reduce risk and encourage better security practices.
Most cyber policies now require specific security controls before coverage kicks in. If these controls aren't in place when an attack happens, the insurer may deny the claim entirely.
Common required controls include:
For example, if your organization experiences a ransomware attack but wasn't using MFA for remote access, your claim might be denied even though you have cyber insurance.
When ransomware strikes, timing is critical. Newer policies include strict requirements about how and when you must respond to be eligible for coverage.
Most policies now require:
If you hire your own IT consultant without approval or wait too long to report the attack, the insurer might reduce or deny your claim. These requirements help insurers control costs and ensure proper incident handling.
Coinsurance means you share a percentage of the costs with your insurer. For example, with a 20% coinsurance clause, you pay 20% of the covered loss while the insurer pays 80%.
Many policies now include coinsurance specifically for ransom payments. This approach gives you financial incentive to maintain strong security and carefully consider whether paying a ransom is necessary.
Insurers also place conditions on ransom payments. They typically won't cover payments to sanctioned entities (like certain foreign governments or terrorist groups) and may require proof that you explored all recovery options before paying.
Insurers use sublimits and exclusions to manage their exposure to ransomware losses while still offering some protection.
A sublimit is a lower coverage limit for specific types of losses. For example, a policy might provide $10 million in overall coverage but only $2 million for ransomware events. This allows insurers to offer comprehensive coverage while limiting their exposure to the most costly threats.
Exclusions are specific scenarios or conditions that aren't covered. These help insurers avoid covering situations they consider too risky or legally problematic.
Common sublimit structures for ransomware coverage include:
These sublimits are often much lower than the policy's overall limit, reflecting the high cost and frequency of ransomware claims.
Cyber insurance underwriting has become more thorough and evidence-based. Instead of simply asking about your security practices, insurers now want proof that you're following them.
This shift moves cyber insurance from a reactive tool (helping after an attack) to a proactive one (encouraging better security before an attack). Insurers are using pricing incentives to reward organizations that demonstrate strong security practices.
Multi-factor authentication (MFA) requires multiple forms of verification before granting access to systems or data. This typically includes something you know (password), something you have (phone or security key), and sometimes something you are (fingerprint).
Zero trust is a security model that grants no implicit trust to any user, device, or connection. Every access request must be verified, regardless of whether it originates inside or outside the network.
Insurers strongly favor these approaches because they significantly reduce the risk of unauthorized access. Many policies now explicitly require MFA for:
Organizations without these controls face higher premiums, lower coverage limits, or outright denial of coverage.
Modern cyber policies increasingly require active monitoring of your systems. This means using tools that watch for suspicious activity and alert you to potential threats before they cause damage.
Insurers may ask for evidence of:
These requirements reflect the understanding that preventing attacks is more effective than responding to them. Organizations with these capabilities in place often qualify for better coverage terms and lower premiums.
Some industries face higher ransomware risks due to their data value, operational importance, or security challenges. Insurers adjust their approach to ransomware coverage based on these industry-specific factors.
Healthcare organizations are prime targets because they need immediate access to patient data to provide care. An attack can become a life-or-death situation, which increases the pressure to pay a ransom quickly.
Education institutions often have limited security budgets but store valuable personal information. Their open network environments and decentralized IT management create security challenges that attackers exploit.
Government agencies, especially at the local level, frequently rely on outdated technology and face budget constraints. When attacked, they must balance public service needs against the costs and ethical concerns of paying ransoms.
Financial services firms face sophisticated attacks due to their obvious financial value. However, they typically have stronger security measures in place, which can help them qualify for better ransomware coverage terms.
For each of these sectors, insurers are developing specialized approaches to ransomware coverage that reflect their unique risks and operational realities.
The cyber insurance industry is shifting from simply paying claims after attacks to actively helping prevent them. This change is driven by the ongoing financial impact of ransomware, which remains the most expensive type of cyber claim.
Modern underwriting platforms help insurers better assess and price ransomware risk. These platforms analyze security data from multiple sources to create a more complete picture of an organization's cyber defenses.
Data-driven approaches benefit both insurers and policyholders by: