Yes. A broad cyber policy responds to a ransomware attack on several fronts at once: cyber-extortion coverage for the response and any negotiated payment, business-interruption coverage for downtime, data-restoration coverage to rebuild systems, and forensics and legal costs. But coverage increasingly depends on the security controls you had in place: carriers now verify them, and some make specific controls a condition of the extortion coverage.
What ransomware coverage includes
Ransomware isn't a single line item; it triggers a cluster of coverages that work together during an incident:
- Cyber extortion. Covers the cost of responding to the threat, including specialist ransom negotiation and, where lawful and approved, the payment itself.
- Business interruption. Reimburses lost income and extra expense while your systems are down, usually the largest part of a ransomware loss.
- Data and system restoration. Pays to rebuild, decrypt or restore corrupted data and software from backups.
- Digital forensics & incident response. Funds the specialists who contain the attack, determine what was taken, and get you operating again.
- Breach response & notification. If data was exfiltrated, this covers legally required notifications, credit monitoring and regulatory defense.
The 2026 ransomware picture
Ransomware remains the most expensive claim type in cyber. The average ransom demand now exceeds $400,000, and total event cost (ransom plus recovery, business interruption and legal) routinely reaches $1M to $5M for mid-size businesses. Attackers have also shifted tactics: rather than only encrypting systems, most now steal data first and threaten to publish it (so-called double extortion), which turns every ransomware event into a potential privacy breach as well. Encouragingly, more victims are refusing to pay; the share of organizations declining ransom demands has continued to rise, which makes tested backups and a rehearsed response plan more valuable than ever.
What carriers require before they'll cover ransomware
Ransomware losses reshaped the market, and carriers responded by making a baseline set of controls a condition of coverage. Expect to demonstrate, and document, most of the following before a carrier will offer meaningful ransomware terms:
- Multi-factor authentication on email, VPN, remote access and all administrative accounts.
- Endpoint detection and response (EDR) that is actively monitored, not just legacy antivirus.
- Tested, segregated backups (ideally offline or immutable) with restoration you've actually verified.
- A written, rehearsed incident-response plan with defined roles.
- Privileged access management and prompt patching of known vulnerabilities.
- Email filtering and security-awareness training, since phishing is the most common way in.
To pay or not to pay
Paying a ransom is a business, legal and ethical decision, not a foregone conclusion. A good policy gives you a panel of specialists (a "breach coach," forensics firm and negotiator) who help you decide. Two realities shape the choice: first, payment doesn't guarantee clean recovery, because decryption tools are often slow or incomplete, which is why restorable backups matter so much. Second, paying certain sanctioned threat actors can itself violate U.S. Treasury (OFAC) rules, so payments are screened for sanctions exposure before any funds move. Insurers and their panels manage this process, which is one of the practical reasons to carry the coverage rather than face an extortion event alone.
How a ransomware claim unfolds
- Hour zero. You discover encrypted systems and a ransom note. You call the carrier's 24/7 incident hotline; reporting promptly is usually a policy condition.
- Containment. A breach coach and forensics firm engage immediately to isolate affected systems and stop the spread.
- Assessment. Investigators determine what was encrypted, whether data was exfiltrated, and your restoration options.
- Decision. With counsel and negotiators, you weigh restoring from backups versus negotiating, with sanctions screening if payment is considered.
- Recovery. Systems are rebuilt or decrypted; business-interruption losses are documented for the claim.
- Notification. If personal data was exposed, breach-notification obligations are triggered under the applicable state laws.
See our state breach-notification reference for what the last step requires, and our cost guide for how ransomware exposure factors into pricing.
Reducing your ransomware risk, and your premium
The controls that keep ransomware out are the same ones that earn you better terms. Prioritizing MFA, monitored EDR, immutable backups you actually test, prompt patching and security-awareness training focused on phishing does double duty: it lowers the odds of a claim and lowers your premium. In a market that rewards documented security, prevention is the best pricing strategy you have.
Frequently asked
Will insurance pay the ransom?
A policy with cyber-extortion coverage can fund a negotiated payment where it's lawful and approved, subject to your sub-limit and any coinsurance, but only after sanctions screening and a deliberate decision with the insurer's panel. It is not automatic.
Does ransomware coverage include downtime?
Yes, through business-interruption coverage, which reimburses lost income and extra expense while systems are impaired. It's typically the largest component of a ransomware loss, so check the waiting period and limit.
Can a claim be denied if I get hit by ransomware?
It can, most often when a control you declared on the application wasn't actually in place at the time of loss. Keep your declared controls genuinely operating and documented.