Ransomware Coverage Gaps: What Your Clients' Cyber Policies Actually Pay
Clients who experience a ransomware attack frequently discover their cyber policy pays far less than the total loss. The reasons fall into four categories: sublimits on extortion payments that haven't kept pace with ransom demand growth, war and nation-state exclusions that became materially broader starting in 2023, business interruption waiting periods that don't match real-world recovery timelines, and silent cyber gaps in property policies that clients assumed provided backup coverage. According to the FBI Internet Crime Report (2024), ransomware remains the top-reported cyber crime by dollar loss for businesses. The gap between what clients lose and what their policies pay is a broker execution problem — not a coverage availability problem. Each of these gaps has a known pattern, a known audit method, and a known solution.
How a Ransomware Claim Actually Unfolds
A ransomware attack triggers costs across multiple categories simultaneously, and the timing matters for coverage purposes. Incident response costs begin within hours — forensic retainer fees, outside legal counsel, and initial containment work. The extortion demand arrives within 24–72 hours. System downtime accumulates during negotiation and remediation. Data restoration — from clean backups or through decryption — takes days to weeks depending on the environment. Regulatory notification deadlines begin running under state breach notification laws (typically 30–72 hours for covered entities, varying by state). Third-party liability for affected customers and vendors follows.
A standard cyber policy is designed to respond to all of these — but the coverage is not uniform across categories. Each component may carry separate sublimits, different triggering conditions, or distinct waiting periods. The most expensive surprises for clients are not coverage denials — they are coverage shortfalls that emerge from sublimits and exclusions the client never knew existed.
Understanding how first-party and third-party cyber coverage components interact is the foundation for explaining to a client why their $2 million aggregate limit may functionally provide far less than $2 million in ransomware coverage.
The Extortion Payment Sublimit Problem
Starting in 2021, as ransomware losses surged across healthcare, manufacturing, and financial services, carriers began carving ransomware extortion payments out of the primary cyber limit and assigning them a separate sublimit — typically 25%–50% of the per-occurrence limit on standard commercial forms, and in some cases fixed dollar caps ($250,000 or $500,000) regardless of the headline policy limit.
The Coveware Q4 2024 Quarterly Ransomware Report found that average ransom demands for mid-market businesses continue to run in the $500,000–$1,500,000 range, with threat actors increasingly tailoring demands to a percentage of the victim's estimated annual revenue. A manufacturing client with a $3 million cyber limit and a $500,000 ransomware sublimit effectively carries a $500,000 ransomware policy — the remaining $2.5 million applies to forensic costs, business interruption, and third-party liability, but cannot be applied to the extortion payment itself.
The practical implication: for clients whose revenue or asset values make them material ransomware targets, verify that the ransomware sublimit is sized to the likely demand range, not to the carrier's default. Endorsements that increase the extortion sublimit to match the aggregate limit are available at most standard carriers, typically for an additional premium of 10%–20% of the base cyber premium. The alternative — a client paying the difference out of pocket while a claim is active — creates immediate pressure on the client relationship and significant E&O exposure for the broker.
What to audit: Pull the declarations page and all endorsements. Ransomware sublimits are frequently in endorsement schedules rather than on the face of the policy. Language to search for: "Cyber Extortion — sublimit as shown," "Ransomware Coverage — separate limit applies," or "Extortion Event — sublimited per policy schedule."
War Exclusions and the Post-2023 Landscape
The war exclusion — standard in virtually every cyber policy — became operationally significant after the NotPetya malware (attributed by the U.S. government to the Russian GRU) caused approximately $10 billion in global losses in 2017. Several carriers initially denied claims on war exclusion grounds. The pivotal case was Merck & Co. v. ACE American Insurance Co. (New Jersey Superior Court, 2022), where the court ruled that traditional war exclusion language requiring "hostile or warlike action" by a "sovereign" military power did not clearly apply to a cyberattack conducted by state intelligence services. Merck recovered approximately $1.4 billion under its all-risk property policies. The ruling was fact-specific and jurisdiction-dependent, but it exposed the ambiguity in existing war exclusion language.
Carriers responded directly. Lloyd's Market Bulletin Y5258, effective January 1, 2023, required all Lloyd's syndicates to include mandatory exclusions for losses attributable to state-sponsored cyberattacks — using language that does not require a formal declaration of war or uniformed military involvement. The corresponding LMA5567 cyber war exclusion clause series defined "state-sponsored" broadly enough to include attacks by groups acting with state authorization, direction, or support, even without direct government involvement in the attack itself. Non-Lloyd's admitted market carriers followed with similar language updates across many standard cyber forms.
The practical problem for clients is attribution timing. During the acute phase of an incident, forensic teams cannot reliably determine whether an attacker is a state actor, a criminal group with state ties, or an independent threat actor using tools associated with a specific government. Attribution investigations take months — and carriers have the right to investigate post-claim. Some carriers are using that right aggressively, particularly for clients in critical infrastructure sectors (energy, water, healthcare, financial services) that are disproportionately targeted by state-affiliated threat groups.
What to advise: Review the specific war exclusion language, not the category. Exclusions that define excluded attacks as requiring "armed forces" involvement or "formal government direction" offer materially stronger protection than exclusions covering attacks "attributed to" or "facilitated by" a state actor — a standard that can be applied retroactively and is inherently difficult for an insured to disprove. For clients in high-risk sectors, document the exclusion analysis and discuss it explicitly at placement.
Business Interruption Waiting Periods and Recovery Caps
Cyber business interruption coverage carries two mechanisms that create uninsured exposure gaps during ransomware recovery: retention hours and recovery period caps.
Retention hours are the cyber equivalent of a property BI deductible — a waiting period (typically 8–24 hours) before BI coverage activates. For a professional services firm that can redirect client work to unaffected staff, a 12-hour retention period is manageable. For a manufacturer whose production line stops entirely, 24 hours of uninsured downtime at full production capacity can produce six-figure uninsured losses before the policy triggers.
Recovery period caps limit how long BI payments continue after the attack date — most policies cap the restoration period at 30, 60, or 90 days from the incident date, regardless of actual recovery time. Ransomware incidents involving encrypted backup systems, compromised operational technology (OT) environments, or deeply embedded supply chain dependencies routinely take 60–120 days to achieve functional (not full) recovery. Clients in manufacturing, logistics, healthcare, and process industries face the highest exposure to this gap.
A related gap: contingent business interruption for cloud and SaaS provider outages. Most cyber policies either exclude dependency failures entirely or sublimit them to $250,000–$500,000. For clients whose operations are substantially dependent on a single cloud provider or a small set of SaaS platforms, a cloud outage — including those caused by ransomware attacks on service providers rather than on the client directly — may produce BI losses that are either excluded or severely sublimited. This exposure class extends beyond ransomware into non-malicious technology failures; see Tech Outage Liability Coverage: How to Close the Business Interruption Gap for the full framework on system failure coverage grants, waiting periods, and dependent systems endorsements.
Silent Cyber in Property and GL Policies
"Silent cyber" refers to cyber loss exposure in policies that were not specifically designed to address — or exclude — cyber events. Before ISO introduced explicit cyber exclusion endorsements, commercial property policies covering business interruption typically required "direct physical loss or damage" to trigger coverage. Courts split on whether ransomware — which renders systems unusable without physically damaging hardware — met that standard. Some courts applied a broader interpretation of "loss of use" as functional physical loss; others required tangible damage.
ISO addressed the ambiguity through exclusion endorsements rather than coverage grants: the CP 01 40 (Commercial Property Cyber Exclusion) and CG 21 06 (CGL Cyber Exclusion) forms, which carriers began adding at commercial policy renewals starting in 2021–2022. These endorsements explicitly exclude cyber-related losses from standard commercial property and general liability policies — removing any ambiguity about whether ransomware losses trigger property BI or CGL coverage.
The compounding problem: for clients whose property and cyber policies renewed simultaneously, cyber exclusions may have been added to the property policy at the same renewal where ransomware sublimits were tightened on the cyber policy. Some clients effectively lost a coverage layer — property-side backup coverage — at the same time their primary cyber coverage was narrowed, without a clear notification that both changes occurred in the same policy year.
The audit question for existing clients: Has the property policy been endorsed with CP 01 40 since the client's last renewal? If so, what coverage tier did the client believe the property policy provided for a ransomware-related BI loss? A broker who understands the distinction between E&O and cyber coverage is well positioned to explain the parallel problem with property/cyber overlaps — neither the E&O nor the property policy was designed to cover network security losses, and both have now been updated to say so explicitly.
Which Carriers Are Still Actively Writing Ransomware-Inclusive Cyber
Ransomware-inclusive cyber coverage is available in the 2026 market, but underwriting criteria have tightened significantly since 2020 and the segmentation by industry, security posture, and limits tier is sharper than it was. Understanding carrier appetite helps brokers place coverage at the right price rather than shopping the wrong markets.
Industry segmentation. Healthcare, education, municipalities, and government contractors face the most aggressive declination rates and mandatory sublimits across most standard admitted carriers. Manufacturing, professional services, and financial services firms with documented security controls remain competitive. Technology firms face a bifurcated market: companies with demonstrated security maturity access standard market terms; technology companies with broad third-party access or software-as-a-service delivery models face E&S pricing or narrow sublimits. Cryptocurrency exchanges, digital asset custodians, and blockchain businesses occupy a distinct category: standard admitted carriers have largely exited crypto-specific coverage since 2021, and the ransomware exposure for crypto-native businesses — where compromised hot wallets directly translate to realizable asset losses — requires specialized coverage structures separate from standard cyber policies. For clients in this category, see Cryptocurrency and Blockchain Insurance: What Coverage Your Clients Actually Need.
Security control requirements. For limits above $1 million, most standard admitted carriers treat the following as underwriting conditions — not just underwriting questions:
- Multifactor authentication (MFA) on all remote access (VPN, RDP) and email systems
- Active endpoint detection and response (EDR) with 24/7 monitoring or managed detection and response (MDR) service
- Immutable, tested offsite backups with documentation of the last test date
- A documented and exercised incident response plan
- Privileged access management (PAM) controls for administrator accounts
Missing any of these typically results in a mandatory ransomware sublimit, a premium surcharge, or both. Missing two or more can produce a declination from most standard markets.
E&S market as an alternative. For smaller clients (under $10 million in revenue) or for clients in declination-risk industries, the surplus lines market frequently provides broader ransomware coverage language than standard admitted forms at equivalent or competitive premium. E&S carriers are not subject to ISO form filing requirements, so they can write manuscript endorsements that bring ransomware sublimits back in line with the aggregate limit, remove or narrow state-sponsored exclusions, and extend BI recovery periods. The tradeoff is that E&S policies lack the consumer protection backstop of admitted market guaranty funds — a disclosure clients should receive in writing.
For the complete framework on evaluating and recommending cyber coverage — including how to assess client security posture, set limits, and coordinate cyber with the client's existing program — see How to Evaluate and Recommend Cyber Liability Coverage for Small Business Clients.
What to Audit at Every Renewal
Ransomware coverage gaps are not static. Carrier forms change at renewal, sublimits shift, and exclusion language evolves. The annual review cyber audit should cover:
- Ransomware sublimit: Is the extortion sublimit proportionate to the client's likely demand range given their industry and revenue? Has the carrier changed it since last year?
- War exclusion language: Has the carrier updated the exclusion language since the prior policy year? What standard does the carrier use for "state-sponsored" — armed forces only, or broader?
- BI waiting period and recovery cap: Does the waiting period match the client's realistic detection time? Is the recovery cap adequate given the client's system complexity and backup posture?
- Property and GL cyber exclusions: Has the property carrier added CP 01 40 or equivalent language? Is the client aware that property-side backup coverage for ransomware BI has been removed?
- Security control compliance: Has anything changed in the client's IT environment — new remote access tools, new cloud platforms, changes in employee headcount — that might affect policy conditions? Policy conditions that are no longer met at the time of loss can void coverage.
For a structured approach to the full annual review — including how to document cyber gap findings and present them to clients — see How to Conduct an Insurance Annual Review That Retains Clients and Uncovers Coverage Gaps.
Ransomware coverage audits belong in the same category as property valuation reviews: the underlying exposures change every year, the market terms change every year, and a policy placed three years ago may look very different from what the client thinks they have.
Frequently Asked Questions
Does a standard cyber policy cover ransomware payments?
Most cyber policies include cyber extortion coverage that pays ransom demands, but many apply a separate sublimit — not the full aggregate policy limit — specifically to extortion payments. A policy with a $2 million aggregate limit may carry a $500,000 ransomware sublimit. Always verify sublimits in the declarations page and all endorsements before representing to a client that their full limit is available for a ransom event.
What is the war exclusion and how does it affect ransomware claims in 2026?
The war exclusion prevents coverage for losses caused by acts of war. After Merck & Co. v. ACE American Insurance Co. (NJ Superior Court, 2022) highlighted ambiguities in traditional exclusion language, carriers updated their forms. Lloyd's Market Bulletin Y5258 (effective January 1, 2023) mandated exclusions for state-sponsored cyber events across all Lloyd's syndicates using broader language than prior war exclusion forms. For clients in sectors disproportionately targeted by state-affiliated actors — healthcare, energy, financial services — the scope of this exclusion warrants specific review and discussion at placement.
What is silent cyber and why does it create ransomware coverage problems?
Silent cyber refers to cyber event exposure in policies not specifically designed to address it. Commercial property policies used to be ambiguous about whether ransomware (which disables systems without physically damaging hardware) could trigger business interruption coverage. ISO's CP 01 40 endorsement, now widely added at commercial property renewals, explicitly excludes cyber losses — eliminating any property-side backup coverage for ransomware BI that clients may have assumed existed. Brokers should confirm whether property policies have been endorsed with CP 01 40 and whether clients understand the implication.
How do business interruption waiting periods affect ransomware claims?
Cyber BI coverage typically includes a retention period — commonly 8–24 hours — before coverage activates. Additionally, most policies cap the restoration period (how long BI payments continue) at 30, 60, or 90 days from the attack date. Ransomware incidents with encrypted backups or compromised OT environments may take longer to recover than the policy's restoration period allows. Clients in manufacturing, logistics, and healthcare face the highest exposure to recovery period gaps.
Can a client's E&O policy provide ransomware coverage?
No. E&O coverage responds to claims that a client made a professional error or omission in their services — not to criminal attacks on their systems. Ransomware is a crime against the business, not a professional mistake. E&O policies do not cover extortion payments, forensic response costs, business interruption, or regulatory notifications arising from a ransomware attack. The complete breakdown of where E&O and cyber coverage each begin and end is covered in E&O vs Cyber Liability Coverage: Does Your Client's E&O Policy Cover a Data Breach?
What security controls do carriers require for ransomware-inclusive coverage?
For limits above $1 million, most standard admitted carriers treat the following as conditions of coverage: MFA on all remote access and email, active EDR with monitoring, tested immutable offsite backups, documented incident response plan, and privileged access management (PAM) for administrator accounts. Failing to maintain these controls post-binding — not just at application — can void coverage if the control failure contributed to the loss. Document the client's security posture at placement and monitor for material changes.
Which industries face the most ransomware coverage restrictions in 2026?
Healthcare, education, municipalities, and government contractors face the most aggressive ransomware sublimits and declination rates from standard admitted carriers. Manufacturing, professional services, and financial services with documented security controls remain more competitive. For high-risk industries, the E&S market often provides broader ransomware coverage terms — though without the admitted market's guaranty fund protections, which must be disclosed to the client in writing.
What should I do if a client's policy was renewed with new ransomware exclusions or sublimit changes they weren't told about?
Review the renewal policy line by line against the expiring policy, including all endorsements. Document any changes to sublimits, exclusions, or conditions in writing. Notify the client explicitly of any material change that narrows their coverage. If the narrowing is material and alternatives exist — endorsements to restore sublimit parity, supplemental coverage, or an E&S replacement — present those options with premium estimates. Document all client communications about coverage changes. For clients who decline to address a material gap, obtain a written acknowledgment that the gap was disclosed and the client chose not to address it — this is your primary protection under your own E&O coverage.
Arvori helps insurance brokers track cyber policy terms, sublimits, and exclusion changes across their commercial book — so ransomware coverage gaps don't surface at claim time. Visit arvori.app to see how the platform supports cyber placement and renewal documentation workflow.