
Ransomware Coverage

Cyber policy provision covering ransom payments, negotiation costs, and related expenses when malware encrypts an insured's systems.

What It Is

Ransomware coverage is a first-party insuring agreement within a cyber liability policy that responds when malicious software encrypts an insured's data or systems and the threat actor demands payment in exchange for a decryption key. Coverage typically includes the ransom payment itself (usually in cryptocurrency), fees for professional ransom negotiators, and costs to restore systems if decryption fails or is incomplete.

Since the ransomware surge of 2020-2022, carriers have significantly tightened underwriting for this coverage. Most now require proof of multi-factor authentication on all remote access points, offline backups tested within the past 90 days, endpoint detection and response tools, and employee phishing training. Failure to maintain these controls can result in claim denial or policy rescission.

Ransomware sublimits have become standard practice. While a policy may carry a $5M aggregate, the ransomware sublimit might be $1M or even $500,000. Some carriers also impose coinsurance provisions requiring the insured to bear 10-20% of the ransom payment, and waiting periods of 8-24 hours before business interruption coverage attaches.

Why It Matters for Brokers

Ransomware is now the most frequent and severe cyber claim type for commercial insureds. Brokers must carefully review ransomware sublimits, coinsurance requirements, and waiting periods because clients often assume their full policy limit applies to ransomware events. Additionally, OFAC sanctions compliance has become a real concern, as paying a ransom to a sanctioned entity can expose both the insured and the broker's agency to federal penalties.

Real-World Example

A manufacturing company with $75M in revenue is hit by a ransomware gang demanding $2.3M in Bitcoin. Its cyber policy has a $3M aggregate but a $1M ransomware sublimit with 20% coinsurance. The carrier's breach coach and negotiator reduce the demand to $800,000. After coinsurance, the policy pays $640,000 and the insured pays $160,000. Business interruption during the 18-day recovery adds another $420,000, paid from the $2.36M of aggregate limit remaining after the ransom payment and subject to a 12-hour waiting period.
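As an added illustration (not code from the original page or from brokerageaudit.com), the following Python models how the figures in this example interact: coinsurance, the ransomware sublimit, erosion of the aggregate, and the business-interruption waiting period. Three points are assumptions made for the example rather than terms taken from any policy form: coinsurance is applied before the sublimit caps the carrier's share, the sublimit sits inside the aggregate so a ransom payment erodes it, and business-interruption loss accrues uniformly over the outage so the waiting period removes a pro-rata slice.

```python
from dataclasses import dataclass


@dataclass
class CyberPolicy:
    aggregate: float          # total limit across all insuring agreements
    ransom_sublimit: float    # cap on the carrier's share of a ransom payment
    coinsurance: float        # insured's share of the ransom, e.g. 0.20 for 20%
    bi_waiting_hours: float   # time deductible before business interruption attaches


@dataclass
class ClaimOutcome:
    ransom_carrier: float
    ransom_insured: float
    bi_carrier: float
    bi_insured: float
    aggregate_remaining: float


def settle_ransomware_claim(policy: CyberPolicy, ransom_paid: float,
                            bi_loss: float, outage_hours: float) -> ClaimOutcome:
    """Apportion a ransomware event between carrier and insured.

    Assumptions for this example (not taken from any policy form):
      * coinsurance is applied to the ransom first, then the sublimit caps
        the carrier's share;
      * the ransom sublimit sits inside the aggregate, so the carrier's
        ransom payment erodes the aggregate;
      * business-interruption loss accrues uniformly over the outage, so the
        waiting period removes a pro-rata slice of it.
    """
    if not 0 <= policy.coinsurance < 1:
        raise ValueError("coinsurance must be a fraction in [0, 1)")

    # Ransom: carrier pays (1 - coinsurance), capped by sublimit and aggregate.
    carrier_share = ransom_paid * (1 - policy.coinsurance)
    ransom_carrier = min(carrier_share, policy.ransom_sublimit, policy.aggregate)
    ransom_insured = ransom_paid - ransom_carrier
    remaining = policy.aggregate - ransom_carrier

    # Business interruption: nothing is payable inside the waiting period.
    if outage_hours <= policy.bi_waiting_hours:
        bi_eligible = 0.0
    else:
        covered_hours = outage_hours - policy.bi_waiting_hours
        bi_eligible = bi_loss * covered_hours / outage_hours
    bi_carrier = min(bi_eligible, remaining)   # aggregate already eroded by the ransom
    bi_insured = bi_loss - bi_carrier
    remaining -= bi_carrier

    return ClaimOutcome(
        ransom_carrier=round(ransom_carrier, 2),
        ransom_insured=round(ransom_insured, 2),
        bi_carrier=round(bi_carrier, 2),
        bi_insured=round(bi_insured, 2),
        aggregate_remaining=round(remaining, 2),
    )


if __name__ == "__main__":
    # Figures from the worked example above: $3M aggregate, $1M sublimit,
    # 20% coinsurance, 12-hour waiting period, $800K negotiated ransom,
    # $420K BI loss over an 18-day (432-hour) recovery.
    policy = CyberPolicy(3_000_000, 1_000_000, 0.20, 12)
    print(settle_ransomware_claim(policy, 800_000, 420_000, 18 * 24))
    # Same policy if the full $2.3M demand had been paid unnegotiated: the
    # sublimit, not coinsurance, becomes the binding constraint.
    print(settle_ransomware_claim(policy, 2_300_000, 420_000, 18 * 24))
```

The second call is the case brokers most need to show clients: with the unnegotiated $2.3M demand, the carrier's 80% share would be $1.84M, but the $1M sublimit caps it there and the insured is left with $1.3M out of pocket.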

Common Mistakes

  • Failing to disclose a sublimit or coinsurance on ransomware to the client, leading to surprise out-of-pocket costs during an active attack.
  • Not confirming that the client's security controls match the warranty requirements in the application, which carriers increasingly use to deny ransomware claims.
  • Ignoring the OFAC sanctions screening requirement that most policies now include as a condition of paying any ransom.

How brokerageaudit.com Handles This

brokerageaudit.com's Policy Checker specifically flags ransomware sublimits, coinsurance provisions, and waiting periods in uploaded cyber policies, comparing them against the client's revenue tier. The Submission Intake module pre-fills security control attestations and highlights where client responses may trigger underwriting concerns or exclusions related to ransomware.
