Your business has cyber insurance. You renewed it this year. Your broker said you're covered for ransomware.
But are you really covered? Here are the specific gaps that hide inside Canadian cyber policies — and why your broker might not have flagged them.
The Ransomware Reality in Canada
Ransomware attacks against Canadian businesses have escalated dramatically:
- Average ransomware payment for SMBs: $50,000-$500,000
- Average downtime after an attack: 21 days
- Percentage of SMBs that close within 6 months of a major cyber incident: 60%
- Average total recovery cost (beyond ransom): $79,000-$250,000
Now let's look at what your policy probably doesn't cover.
Ransomware Sub-Limits
You bought a $1M cyber policy. Great. But the ransomware sub-limit might be $100K — or even $50K. The rest of your coverage applies to other cyber events, not extortion payments.
Why brokers miss it: The sub-limit is buried in the policy schedule or endorsements, not in the main coverage section. Unless you specifically ask about ransomware limits, the total policy limit is what gets discussed.
What to check: Search your policy for "extortion sub-limit," "ransomware sub-limit," or "sublimit" in the cyber section. Compare against a realistic ransom demand for your business size.
Business Interruption Waiting Periods
Most cyber policies don't start paying business interruption costs until you've been down for 8-72 hours. For an SMB, 24 hours of downtime can be devastating.
Why brokers miss it: Waiting periods are standard in property insurance and don't raise flags. But cyber business interruption (BI) waiting periods are often longer than property BI periods, and the financial impact per hour is higher for data-dependent businesses.
What to check: Look for "waiting period," "time deductible," or "retention period" in the business interruption section. Count the hours of self-funded downtime.
Unauthorized Ransom Payment Exclusions
Some policies won't cover a ransom payment if you paid it without the insurer's prior consent. In the chaos of an active attack, this detail gets missed.
Why brokers miss it: This clause is often in the "conditions" section, not the "exclusions" section. It reads like an administrative requirement, not a coverage denial trigger.
What to check: Search for "prior written consent," "insurer approval," or "unauthorized payment" in the conditions and endorsements.
Incident Response Cost Caps
Your policy covers forensic investigation, legal counsel, and breach notification — but only up to a sub-limit that may not cover the full cost of a proper incident response.
Typical costs a ransomware incident generates:
- Forensic investigation: $15,000-$75,000
- Legal counsel: $10,000-$50,000
- Breach notification (if data exfiltrated): $5,000-$50,000
- Crisis communications: $5,000-$25,000
- System restoration: $10,000-$100,000
What to check: Look for "incident response" sub-limits. If the total IR sub-limit is under $100K, it probably won't cover a serious incident.
Reputational Damage & Lost Revenue
Your policy covers direct costs (ransom, investigation, notification). It probably doesn't cover the revenue you lose because customers leave after hearing about the breach.
Why this matters: Studies show 22% of SMBs lose customers after a publicly reported breach. The revenue loss often exceeds the direct incident costs — and most cyber policies exclude it entirely.
How to Audit Your Coverage
Don't wait for a claim to discover these gaps. Here's what to do right now:
- Find your cyber policy (not your general liability (GL) policy — your standalone cyber policy or cyber endorsement)
- Search for: "ransomware," "extortion," "sub-limit," "waiting period," "incident response," "prior consent"
- Compare sub-limits against realistic costs (use the figures above)
- Or upload your policy to our free analyzer for an instant check
Free Ransomware Coverage Check
Upload your cyber policy and our analyzer will flag ransomware sub-limits, waiting periods, and incident response caps — in under 60 seconds.
The Bottom Line
Having a cyber policy is necessary but not sufficient. The specific terms — sub-limits, waiting periods, consent requirements, and incident response caps — determine whether your coverage actually responds when ransomware hits. These details are easy to miss in a renewal conversation and devastating to discover after a claim.
Check now. Fix before it matters.