Ransomware insurance is slowly gaining prominence in the market as a means to enhance protection against the devastating effects of a ransomware attack. 

Depending on the vendor, a ransomware policy may cover loss of income if the attack disrupts operations, or loss of valuable data. Other policies may also cover extortion by refunding the ransom paid to cybercriminals.

The exact payout and terms are stated in the policy document, or the “fine print.” Fine prints also contain exclusions, which are circumstances under which the policy won’t pay out. This is where the problem lies.

For instance, a policy may require that its customer complies to minimum efforts to protect their systems against ransomware. Moreover, a notification clause is usually included in the contract that requires users to notify their insurance vendor about the attack at the soonest possible time.

Another common exclusion is war-related, where insurers refuse to pay out on a claim if the damage was because of war, or war-like actions. Currently, this is the most controversial item in the pipeline.

The first matter for discussion is to agree on the definition of war. When does an act of aggression qualify as a war-related activity? Another issue is attribution because cyber attackers tend to disguise themselves and do not openly admit their involvement in an attack.

Also, in the event of a ransomware attack, how does the insurer – or the claimant – prove the organization responsible for the attack and their motivation? Can that be found out at all? 

Furthermore, ransom demands come in the millions, while damages could be as high as a billion dollars. Out of self-interest, insurance vendors will try to find any possible reason to refuse to pay a claim. In fact, most of these claims are commonly contested in court.

The outcome of these cases are uncertain and may take very long to resolve.