In 2020, companies filed approximately 27% more cyber insurance claims than in 2019. In 2019, losses paid out by cyber insurance companies totaled over $1.8 billion; we expect the 2020 numbers to be significantly higher once final figures are in. Let’s take a look at what these numbers could mean for rising premiums, and how you can mitigate this cost by implementing effective preventative measures.
Cyber liability insurance attempts to assist your organization after a ransomware attack by paying out large sums that can be used to reimburse ransom costs, extortion-related costs, and recovery costs. While cyber insurance can be helpful after an attack, it’s important that you have other protection against ransomware in place. Like any insurance, you want to understand how much expense and financial risk you are willing to accept yourself, and how much you want to rely on insurance to shoulder the costs. Robust internal risk management (through products like Ransomware Rewind) can minimize your reliance on insurance, but the first step is to decide how much out-of-pocket expense, if any, you are willing to carry. The risk of not planning that “who pays when” cost model up front is bankruptcy or a forced merger/acquisition!

As we mentioned above, cyber liability insurance is helpful in three areas: ransom costs, extortion-related costs, and recovery costs. To simplify this discussion, let’s (for now) include all lost revenue in “recovery”. Ransom costs cover the amount of ransom demanded by the criminals. However, it is important to note that many cyber insurance companies require you to obtain permission from your insurer before you decide to make a ransom payment; this is how they ensure that your policy will cover the payment, whether partially or completely. It’s also important to consider that ransom amounts have doubled in the past two years, so the ransom payment may itself consume a large portion of, or even exceed, the insurance payout.
A Quick Sidebar on OFAC fines...
While we’re discussing ransom payments, let’s also discuss OFAC compliance. OFAC is short for the Office of Foreign Assets Control, and it exists to ensure that businesses in the U.S. aren’t unknowingly collaborating with terrorist organizations. OFAC’s position is that organizations that pay ransoms during an attack are supporting criminals by providing them with funds to act against the national security interests of the United States. So, what happens if you pay the ransom? Well, violations of OFAC sanctions regulations can result in drastic fines -- up to $20 million.
This is a compliance check that, in Cyber Crucible’s attacker tradecraft assessment, is only skin-deep, so the odds of a transaction with the ransomware attackers being blocked or refused coverage are near 0%. However, the regulations do open the possibility of significant fines or penalties being levied against the victim if the transaction is later found to have violated OFAC sanctions. Make sure you have this discussion with your legal team, and check with your insurer what happens if a payment:
- Is denied due to OFAC non-compliance (very small probability)
- Results in OFAC non-compliance fines being levied against your business months later
Extortion-related costs sound similar, but these are costs that you may incur during the negotiation process; for example, hiring a consultant to assist in the negotiation. This is another step where you’ll have to obtain permission, as hiring a consultant may not be covered by your policy, so be sure to check with your provider first. You may find that the negotiation is performed by the insurer themselves. This may be favorable to you, because you get to outsource finding and working with a negotiator during a ransomware crisis. It may also move some of the liability involved in payment (correct decryption keys, OFAC compliance, movement of funds) to the insurer. Asking these questions now, while all is calm, is the best strategy.
Lastly, there are recovery costs -- these are costs that you incur while you rebuild and re-enable revenue-generating activities in the business, such as replacing any lost critical machines or data after an attack. Remember, while the criminals may have given you a decryptor in return for a ransom, that does not always mean the recovery will be free of corruption. In fact, Cyber Crucible’s Unlocked decryptors were built for customers after we found that criminal decryptors are slow, often buggy, tend to corrupt files, and are sometimes infected with “zero day” malware, leaving room for further attacks in the future - yikes!
Many cyber insurance companies encourage the payment of ransoms if covered, on the assumption that this is the least expensive option with the least downtime. However, this can easily backfire. As we mentioned before, you are dealing with criminals -- it is unlikely that they will make good on their promises, and overall costs rise when they take your money but fail to release your data and files intact. Additionally, with cyber insurance claims there is the added cost of an investigation to determine whether sensitive information was leaked, yet again racking up the final total.
How much does insurance cost?
You may be wondering: how much does this type of coverage cost? And to that, we give the most political answer ever: it depends. The cost of your organization’s required coverage varies based on the type of business you run and the level of risk you’re exposed to -- but in 2019, it was found that the average cost for a cyber insurance policy was $1,500 per year for $1M in coverage, with a $10,000 deductible. However, it is important to note that with the frequency of successful ransomware attacks increasing (a 70% success rate currently), many premiums increased throughout 2020.
Additionally, if you recall from our last blog post on downtime, the average cost of a ransomware attack for a company averaging 8,000 employees is now $2.2M, which easily doubles the premium cost. A great example of these costs on a larger scale, post-attack, is the ransomware attack on the city of Baltimore in 2019 -- after the attack, the city purchased $20M in cyber insurance, with $500k in premiums and a $1M deductible. That’s a 33,233% increase over the friendly insurance sales pitch of $1,500 you normally see!
How can I make my insurance provider, and CFO, happier?
So, how can you help mitigate this cost? Let’s see how our low-cost prevention product could save you money on your cyber insurance policy.
Cyber insurance providers often base your premium on the amount of risk you’re exposed to -- the more vulnerable you are to an attack, the more you’ll be charged for coverage. It is important, then, to make sure that you have the proper prevention strategies in place to mitigate the risk of ransomware. We’ll cover some of these calculations more in depth in future blog posts, so keep an eye on ransomwarerewind.com/blogs and subscribe to get the latest threat intel!
Ransomware Rewind is a ransomware-specific tool designed to completely prevent file corruption during an attack, responding to threats within milliseconds. This patented tool, which uses behavioral analytics to detect these threats, has withstood the test of dozens of 0-day forms of ransomware, giving you the results needed to prove to your insurance provider that you are protected with the latest-and-greatest tools designed to prevent an attack.
By being prepared and mitigating ransomware risk, your premiums could decrease substantially, giving you affordable and secure coverage from all angles, both preventative and responsive. In fact, Ransomware Rewind dramatically reduces the likelihood of you needing cyber insurance at all. Because downtime and lost revenue drop to 0 with Ransomware Rewind, the cost of an attack is lower than your deductible. Amazing, right?! We’ll be walking through some of this math, insurance included, in a future article, so be on the lookout!