*5 min read · Last updated May 23, 2026*
In this article
– What cyber liability actually pays for
– Why your carrier wants the first call, not the wire
– The math when you call first vs. when you don’t
– Coverage gaps even careful buyers miss
– What to do this week
– FAQ
Daniel Okafor runs a 22-employee accounting firm in Atlanta. On a Tuesday morning in March 2026, his office manager called him at 6:47 AM to say every file on the server was encrypted and a note demanded $84,000 in Bitcoin within 72 hours. Daniel had a $1 million cyber liability policy he had renewed two months earlier. He assumed the policy would handle the ransom. By Friday he had wired the money himself, restored partial operations, and received a denial letter from his carrier citing breach of the policy’s cooperation and authorization clauses.
What cyber liability actually pays for
A typical small business cyber liability policy includes first-party coverage (your own losses) and third-party coverage (claims from customers whose data was exposed). On the first-party side, you usually get forensic investigation, system restoration and data recovery, business interruption coverage while you are offline, breach notification costs, and crisis management.
Cyber extortion, the actual ransom payment to make the encrypted data come back, is treated as a separate insuring agreement. Some policies bundle it under the main limit. Many sublimit it to $50,000, $100,000, or $250,000 even when the headline policy limit is $1 million. Daniel’s policy sublimited cyber extortion to $100,000. The forensics, restoration, and notification bucket sat at the full $1 million. He used none of it.
Why your carrier wants the first call, not the wire
Every cyber liability policy issued in the last five years includes a cooperation clause and an authorization clause for ransom payments. The carrier has breach counsel on retainer, ransomware response firms who track threat actors and know which groups actually deliver decryption keys, compliance teams who screen the recipient wallet against OFAC sanctions lists, and negotiators whose only job is reducing the demand. They wire the money on your behalf after that vetting.
The moment you wire it first, the carrier has no way to validate the recipient, negotiate, or confirm the payment was lawful. They deny the cyber extortion bucket and often refuse the forensics and restoration buckets too, because the cooperation clause covers the entire incident response. Daniel’s denial letter quoted his cooperation clause: “Insured shall not commit to, agree to, or pay any sum without Insurer’s prior written consent.” He had paid $84,000 within 36 hours. The denial was airtight.
The math when you call first vs. when you don’t
A $250,000 demand handled with carrier involvement typically resolves with the negotiator cutting the demand to roughly $110,000, the carrier wiring it from the cyber extortion sublimit, and forensics and notification ($180,000) drawing from the main limit. Insured out of pocket: the deductible. The carrier later estimated they would have negotiated Daniel’s $84,000 demand down to roughly $40,000. The $44,000 difference, plus $63,000 in forensics, plus the $84,000 ransom, came to roughly $191,000 he absorbed personally.
Coverage gaps even careful buyers miss
If you bought through a generalist broker rather than a cyber specialist, two gaps are common. First, the cyber extortion sublimit is often left at the carrier’s default of $50,000 to $100,000 rather than negotiated up. Second, social engineering coverage, which pays when an employee is tricked into wiring funds, is often excluded or sold as a separate endorsement. See our piece on social engineering fraud and the cyber insurance gap, and the direct physical loss requirement in business interruption insurance for the same structural gap on the BI side. For the foundational mechanics, see how cyber liability insurance protects small businesses.
What to do this week
Pull your cyber liability declarations page and look for three numbers: the aggregate policy limit, the cyber extortion sublimit, and the business interruption waiting period. If your cyber extortion sublimit is under $250,000 for a business with more than 10 employees, ask your broker what an endorsement to raise it costs. If the sublimit is missing entirely, your policy may not cover ransom payments at all. Then tape the carrier’s 24-hour breach hotline number to the wall next to your server room; dialing it before your IT vendor is the difference between a covered loss and a six-figure write-off.
The cyber policy you bought to protect the business is only worth what you can collect against it. The first phone call after the encryption screen appears determines whether that number is $1 million or zero.
Frequently asked questions
Does my cyber liability policy automatically cover ransom payments?
Not necessarily. Many small business cyber policies sublimit cyber extortion to a fraction of the headline policy limit. Check the declarations page for a “cyber extortion” line and confirm the dollar figure.

What is a cyber extortion endorsement?
An add-on that either creates ransom payment coverage where the base policy excludes it, or raises an existing sublimit. On small business policies it usually costs a few hundred dollars annually and can raise the sublimit from $50,000 to $250,000 or more.

Can my carrier negotiate with the ransomware group on my behalf?
Yes. Most cyber insurers retain ransomware negotiators who handle the back-and-forth with threat actors. Carrier-led negotiations routinely cut the initial demand by 30 to 60 percent.

What happens if I pay the ransom before notifying my carrier?
You almost always void the cyber extortion coverage and often the related forensics and notification coverage too. Cooperation clauses break the moment you commit to or pay any sum without written carrier consent.

Are ransomware payments deductible as a business expense?
Generally yes when the payment recovers business assets, but the IRS has been signaling tighter scrutiny, especially when no police report was filed and no OFAC screening was documented. Consult your tax advisor.