Some Good News on Cyber Liability Insurance: Ransomware Coverage Remains Available

February 23, 2022

If you’re looking for good news amid the ever-increasing threat of cyber attack, escalating ransomware demands and Cyber Liability Insurance rate hikes, here it is: Despite all the bad news, ransomware coverage is still available to most businesses through major insurance carriers. 

This was hardly a given. As homeowners in Florida and anyone seeking insurance coverage for pandemic-caused business interruption know all too well, the frequency and severity of claims can lead carriers to deem some risks uninsurable.  

Cyber claims have brought ransomware coverage uncomfortably close to that category. 

As stated in a November 2021 release by the U.S. House Committee on Oversight and Reform: “Ransomware is now a multi-billion-dollar criminal industry. In 2020, the estimated cost of ransomware attacks on both public and private institutions in the United States was $19.5 billion. Additionally, recent data shows that in the first six months of 2021, financial institutions reported $590 million in ransomware-related transactions. Current trends indicate that ransomware-related transactions in 2021 will be higher than the previous 10 years combined.”   

So while market trends for Cyber Liability Insurance continue to be largely unfavorable toward the consumer, the fact that ransomware coverage is available at all should be at least somewhat reassuring. 

Market Outlook for 2022 

Here’s what Alera Group had to say about Cyber Liability Insurance in our Property and Casualty 2022 Market Outlook

“The market will continue to harden as hackers become more sophisticated in their attacks and increase their financial demands.  

  • Rates will continue to rise for most organizations. In the latter half of 2021, 100%-plus rate increases were the norm, being driven by the dramatic rise in the number and scope of ransomware attacks. This trend is expected to continue in 2022. While the surge in pricing may not be as severe, most organizations will face increases. The percentage will be on a risk-by-risk basis.  

  • Higher pricing will be offset somewhat by reductions in coverage. Buyers should anticipate lower available limits of liability, restricted coverage terms, increased deductibles and the addition of coinsurance.  

  • Insurance companies will be more selective. While the marketplace does have capacity, insurers will reserve it for what they view as the best risks. For example, some companies will require that businesses use multifactor authentication even to offer a proposal. Be ready for underwriters to assess your organization’s cyber security, preparedness and recovery plan in the event of an attack.  

  • Some industries will be affected more than others. Loss data shows that the most frequently targeted industries are public entities, government, education, manufacturing, construction and healthcare.  

  • Small and medium-sized businesses, not just large corporations, will feel the impact of the challenging market conditions. Small to medium businesses are not immune to cyberattack. Data from the Chubb Cyber Index shows that close to 75% of all 2020 claims were filed by businesses with less than $500 million in revenue.  

  • Risk management will be critical. Insurance is only part of the solution. Organizations will need to shift their focus from a reactive position of relying on insurance to address the threat to a proactive approach of preventing incidents and recovering quickly after an event.  

  • Your cyber insurance protection could be affected by U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) regulation. The government has identified a list of “designated nationals and blocked persons” (see: If your organization pays ransom to entities/individuals on the list, your insurance policy is ‘considered to be such a blocked or frozen contract, and all insurance provisions are immediately subject to OFAC.’” 

Who Needs Cyber Insurance? 

In today’s hyperconnected world, the question isn’t “Who needs Cyber Liability Insurance?” but rather “Who doesn’t?” 

As Forbes Advisor editor Lucy Lazarony wrote in September 2021, “Any business that stores or processes sensitive information should consider protecting their business with cyber liability insurance. Consider coverage if you store data such as customer names and addresses, Social Security numbers, medical records, and financial information such as credit card information.” 

In other words, every business is at risk, regardless of size or industry. There’s a persistent belief among some in small or medium-size businesses that their online activities are so limited as to exclude them from exposure to breaches. But to embrace that belief requires overlooking exposures through a client or vendor. 

“We are noticing a drastic increase in both likelihood and severity of all types of cyber attack. We have seen a marked increase in ransomware attacks, their complexity and in the appetite to target smaller organizations,” cyber security specialist Isaac Guasch, the author of Tokio Marine HCC International’s recent report on cyber incidents, told Insurance Journal.  

“But whether you are a small independent business or a large, international organization, the increasingly interconnected nature of the businesses that form our economies is a key threat,” Guasch added. “Even if you are confident that your cyber security measures are up to date, those of your partners may not be, so you may need to constantly redefine your parameter.” 

With such interconnectedness come certain responsibilities — to protect not only your own business but your associates and clients, as well. When a business doesn’t include cybersecurity and Cyber Insurance as part of a robust risk management program, it usually winds up hurting everyone associated with it. 

What You Can Do 

Once readily available and inexpensive, Cyber Liability Insurance was due for a market correction before the dramatic escalation in claims frequency and severity. Today, stricter underwriting guidelines require having certain cybersecurity protocols in place as prerequisites for coverage, and they typically necessitate stacking policy layers — Excess Insurance atop the primary policy — to provide full coverage. Many carriers also are requiring coinsurance, with policyholders responsible for paying a percentage of any ransomware claims, usually from a reserve fund created for that purpose. 

In a 2021 article for Forbes, the CEO of cybersecurity firm Towerwall, Michelle Drolet, offered these steps to control costs when creating or adapting a Cyber Insurance program: 

  1. Assess the potential damage of a cyber incident. 

  2. Strengthen your security policies. 

  3. Educate your people. 

  4. Plan for the worst. 

  5. Test defenses. 

  6. Ask the right questions. “Delve into precisely what is covered and consider what coverage you need carefully,” Drolet writes. “If anything isn’t clear, ask your agent for confirmation.” 

The right insurance agent or broker — one who knows your industry and understands your business — can help in the process earlier than Step 6, providing you with information and resources to perform the other five steps. 

For a more in-depth look at strategies for navigating P&C marketing conditions in general and Cyber Insurance conditions in particular, read Alera Group’s Property and Casualty 2022 Market Outlook, where you’ll find valuable information on factors driving the current P&C market and analysis categorized by industry and lines of coverage.  

To obtain the whitepaper, click on the link below. 


About the Author 

Drew Bolger  

Legacy Risk & Insurance Services, an Alera Group Company

Drew Bolger joined Legacy Risk & Insurance Services in 2015, focused on extending the firm’s client base in strategic client segments. A 2014 recipient of Business Insurance Magazine’s 40 under 40 award, he most recently worked for Wells Fargo Insurance Services (WFIS) in San Francisco. At Legacy, he focuses on developing and providing risk management and insurance brokerage services for a range of companies, including businesses in the technology, life sciences and real estate industries.  

Contact information: