Boards & CEOs Ransomware Series #5: Do We Have Sufficient Cyber Insurance Coverage?
Hello folks,
In this installment of the series, I am going to talk about money—not just the ransom demand itself, but the total cost of a ransomware attack.
We often hear about the millions lost to ransomware, but it’s rarely just the ransom. Legal fees, forensic investigations, business downtime, crisis communications, reputational damage, and potential regulatory fines all pile up quickly. One attack could easily translate into a multi-million dollar bill. And no, your regular business insurance won't magically cover it.
Take Merck, for example. In 2017, the global pharmaceutical giant was hit by the NotPetya ransomware. Damages were estimated at $1.3 billion. Merck expected its cyber insurance to cover the loss. But the insurer said no—citing a “war exclusion” clause, since the attack was believed to be part of Russian cyber warfare. The case dragged on for years, delaying Merck’s financial recovery and exposing how messy cyber insurance claims can be.
That case should serve as a wake-up call for boards and CEOs. Just because you have cyber insurance doesn’t mean you’re actually covered for ransomware. You need to read the fine print—and more importantly, ask the right questions before the crisis hits.
Start with the Basics: Are We Even Covered for Ransomware?
Many companies just assume ransomware is included in their policy. But in reality, some insurers only cover “traditional cyber incidents,” like data breaches—not ransomware or extortion-based attacks. Others may exclude ransom payments altogether, or only offer limited support for related costs like forensic investigations, legal advice, or crisis PR.
As a board member or CEO, you need clarity. Is ransomware explicitly covered in your policy? Are all associated costs—including legal, recovery, and communication—accounted for? Are there clauses that limit payout if the attack is considered “nation-state” activity?
These aren’t just legal questions. These are questions about your company’s ability to recover.
Coverage Limits: Are We Underinsured Without Realizing It?
Here’s another common trap: having a policy limit that sounds big—but isn’t.
A $1 million cyber insurance policy might sound impressive on paper. But what if your potential loss from a ransomware attack is $8 to $10 million? That’s a huge gap. And once again, it’s something most boards don’t realize until the invoice lands on the CFO’s desk.
Have you asked your team what your maximum ransomware exposure is? And does your insurance actually cover that? Include not just ransom payment, but business interruption, data recovery, legal costs, and fines. If you haven’t run this math yet, now is the time.
Rising Premiums and Diminishing Coverage: Is Self-Insurance a Better Option?
Cyber insurance premiums have skyrocketed in recent years. At the same time, policies are coming with more exclusions, higher deductibles, and more hoops to jump through before you see a payout.
It’s time for a strategic conversation at the board level: are we getting value for our premiums, or are we overpaying for protection we can’t even claim?
For some companies, especially those with stronger balance sheets, self-insuring might be the smarter move. That means setting aside a dedicated ransomware response fund and building internal capabilities, rather than relying heavily on insurance payouts that may or may not come through.
This isn’t a one-size-fits-all answer. It depends on your risk appetite, your financial strength, and your trust in your current policy.
Read the Fine Print. Seriously.
One last point that often gets missed: many companies already have some ransomware coverage but don’t know it. It might sit under “extortion coverage” or be buried in a long clause that nobody has read in years. Worse, you might be paying for duplicate coverage across different policies.
Boards should insist on a proper review of the policy documents—not just by legal, but by the risk management team as well. Get clarity on what’s covered, what’s excluded, and what the claims process looks like.
Because the worst time to open the cyber insurance binder is during an attack.
Final Thoughts: Insurance Alone Won’t Save You—But It Can Help
Cyber insurance is not a silver bullet. But when done right, it’s a vital part of your ransomware readiness strategy.
So here’s what the board should be asking right now:
Are we actually covered for ransomware? Or are there exclusions hiding in the fine print?
Is our policy limit aligned with our real-world exposure?
Should we consider self-insurance if premiums keep climbing?
Do we fully understand the claims process before the crisis hits?
Don’t just assume you’re insured. Make sure you’re protected.
That’s all for this week!
Cheers,
Sivanathan
P.S. My recently published book titled “Leadership in the Age of AI: A Handbook of Daily Cybersecurity Leadership Nuggets” is available for purchase:
Paperback (Amazon): https://www.amazon.com/Leadership-Age-AI-Cybersecurity-Transform/dp/B0DZ2PGP7Q
E-book (Gumroad): https://sivanathans.gumroad.com/l/cybersecurityleadership