Ransomware and Cyber Insurance: What Policies Actually Cover in 2026
Cyber insurance policies are being rewritten in real-time as ransomware losses reshape the market. Here is what is covered, what is excluded, and what underwriters are demanding before they write the risk.
If you are buying cyber insurance in 2026 and assuming it will cover your next ransomware incident the way it covered the last one, you are in for an expensive surprise.
The ransomware coverage landscape has changed more in the past 18 months than in the previous five years. Carriers have rewritten policy wordings, tightened underwriting requirements, introduced new exclusions, and in some cases, exited the ransomware coverage market entirely.
This article breaks down what cyber insurance actually covers for ransomware in 2026 — and what it does not.
The Core Coverage: What Most Policies Include
Most standalone cyber insurance policies still include ransomware coverage, but the specifics matter enormously.
Business Interruption (BI)
BI coverage compensates for lost income during the period your operations are affected by a ransomware attack. In 2026, the key variables are:
- Waiting period: Typically 8-24 hours before coverage kicks in. Shorter waiting periods cost more.
- Maximum period of restoration: Usually 90-120 days. If recovery takes longer, you are on your own.
- Measurement: Based on historical revenue, projected revenue, or a pre-agreed formula. Ambiguity here is the source of many coverage disputes.
What changed in 2026: Carriers increasingly require the insured to show that it can restore operations within the maximum period of restoration, not merely that it has a recovery plan. If your plan assumes six months to rebuild from scratch, a 90-day restoration period will not help you.
Extortion Payment Coverage
Whether policies cover ransom payments varies significantly:
- European market: Most policies still cover ransom payments, but many now require carrier consent before any payment is made. Paying without approval can void coverage.
- UK market: Increasingly, policies exclude ransom payments entirely, following NCSC and NCA guidance discouraging payments.
- US market: Coverage is more common but often sub-limited (e.g., $500K sub-limit on a $5M policy).
Critical detail: Extortion payment coverage typically covers the ransom itself, plus negotiation fees (usually through a pre-approved incident response firm). It does not cover the cost of investigating the attack or rebuilding systems — those fall under other coverage grants.
Incident Response and Forensics
Most policies cover the cost of engaging incident response firms, forensic investigators, and legal counsel after a ransomware attack. This is typically the least disputed part of the claim because the carrier often selects and engages these firms directly. Check whether the wording requires panel vendors: engaging your own incident response firm without the carrier's consent can leave those fees unreimbursed.
Typical costs covered:
- Forensic investigation: $150K-$500K
- Legal counsel (breach coach): $50K-$200K
- Crisis communications: $25K-$100K
- External negotiator (if ransom is being considered): $50K-$150K
These costs are often written as first-party breach-response coverage that sits outside the retention, so they are paid in full from the outset rather than only after the policy's deductible or retention has been exhausted.
Data Recovery and System Restoration
Coverage for the cost of rebuilding systems, restoring data from backups, and replacing compromised hardware. In 2026, this increasingly includes:
- Cloud infrastructure rebuild costs
- Cost of replacing encryption keys and certificates
- Temporary infrastructure during recovery
- Overtime labor for internal IT teams
The Gaps: What Policies Increasingly Exclude
This is where most policyholders get caught off guard.
War and Hostile Acts Exclusion
The most significant coverage development in 2026 is the expansion of war exclusions to cover state-sponsored cyberattacks. After the Merck vs. ACE/AIU litigation (where the New Jersey courts rejected the insurer's attempt to apply a war exclusion to NotPetya losses), carriers rewrote their war exclusions with cyber-specific language; Lloyd's, for example, has required its syndicates to include state-backed cyber-attack exclusion wording in standalone cyber policies since March 2023.
What this means: If a ransomware attack is attributed to a nation-state actor (e.g., groups linked to Russian, North Korean, or Chinese intelligence services), your carrier may attempt to deny the claim under the war exclusion. The legal landscape here is rapidly evolving and highly uncertain. When reviewing a wording, check who carries the burden of attribution and what standard applies (a government statement, the carrier's own reasonable belief, or a court finding); that difference decides whether a contested attribution can be used to deny a claim.
Intentional Acts and Voluntary Payments
Policies increasingly exclude:
- Voluntary payments made without carrier consent
- Payments to sanctioned entities (OFAC, EU sanctions lists). OFAC has warned that facilitating a ransomware payment to a sanctioned person can breach US sanctions on a strict-liability basis, even if the payer did not know who the recipient was.
- Costs arising from the insured’s failure to follow the incident response plan
Prior Acts and Known Circumstances
If your organization was already compromised when the policy was bound — even if the ransomware had not yet been deployed — the claim may be denied. This is particularly relevant for dwell-time scenarios where attackers are present in the network for weeks before executing.
Systemic Risk Exclusions
Newer policy wordings include language that limits or excludes coverage when a ransomware event affects a large number of insureds simultaneously (e.g., through a supply chain attack). The threshold varies, but the intent is clear: carriers are protecting themselves against catastrophic aggregation.
What Underwriters Are Demanding
Getting ransomware coverage in 2026 requires more than filling out an application. Underwriters are conducting detailed technical assessments before binding:
Mandatory Security Controls
Most carriers now require as a condition of coverage:
- Multi-factor authentication on all remote access, email, and privileged accounts
- Endpoint detection and response (EDR) deployed across all endpoints
- Tested offline or immutable backups with documented restoration procedures
- Network segmentation separating critical systems from general corporate network
- Documented incident response plan that specifically addresses ransomware
Missing any of these controls does not just increase your premium — it may make you uninsurable for ransomware.
Enhanced Due Diligence
For limits above €5M, underwriters are increasingly requiring:
- External vulnerability scan results (not self-reported)
- Results from a recent penetration test (within 12 months)
- Dark web monitoring confirmation
- Security awareness training completion rates
- Proof of backup testing (restoration logs, not just backup completion logs)
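The distinction between a backup completion log and a restoration log (above, and in the "tested offline or immutable backups with documented restoration procedures" control) is easiest to see in code. The following is an added example, not code from the article or from Resiliently.ai: a small restore-test harness that unpacks an archive into a scratch directory, hashes every restored file against a manifest written at backup time, and appends a JSON record to a restoration log. The archive format (zip plus a sidecar SHA-256 manifest), the file names, and the sample data are all constructed assumptions for the demonstration. The `demo()` function shows why the two logs differ: an archive that was written "successfully" but whose contents were later corrupted would pass a completion check and fail the restore test.

```python
"""Restore-test evidence generator (added example; not from the article).

Assumed layout (constructed for this example): each backup is a zip archive
with a sidecar <archive>.manifest.json mapping relative path -> sha256.
"""
import hashlib
import json
import tempfile
import time
import zipfile
from pathlib import Path
from typing import Optional, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> Path:
    """Zip source/ and write a manifest of file hashes. A 'completion log'
    stops here: it proves the job ran, not that the data restores intact."""
    manifest = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                zf.write(p, arcname=rel)
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def restore_and_verify(archive: Path, manifest_path: Path, log_path: Path) -> dict:
    """Restore into a scratch directory, hash every restored file against the
    manifest, and append one JSON line to the restoration log. The returned
    record is the evidence an underwriter means by 'restoration logs'."""
    manifest = json.loads(manifest_path.read_text())
    started = time.time()
    mismatched, missing = [], []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch).resolve()
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                # Refuse members that would land outside the scratch directory
                # (zip-slip): a restore test must not trust the archive.
                target = (dest / name).resolve()
                if dest not in target.parents:
                    raise ValueError(f"unsafe member path: {name}")
            zf.extractall(dest)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != expected:
                mismatched.append(rel)
    record = {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "archive": archive.name,
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "duration_s": round(time.time() - started, 3),
        "result": "PASS" if not (missing or mismatched) else "FAIL",
    }
    with log_path.open("a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo(workdir: Optional[Path] = None) -> Tuple[dict, dict]:
    """Constructed scenario: a good backup passes; an archive that was written
    successfully but holds corrupted data fails the restore test, although a
    completion log would have recorded it as fine."""
    work = workdir or Path(tempfile.mkdtemp())
    source = work / "data"
    (source / "db").mkdir(parents=True, exist_ok=True)
    (source / "report.txt").write_text("Q1 figures: 1,234,567\n")
    (source / "db" / "customers.csv").write_text("id,name\n1,Alice\n")
    log = work / "restore-tests.jsonl"

    good_archive = work / "backup-good.zip"
    manifest = create_backup(source, good_archive)
    good = restore_and_verify(good_archive, manifest, log)

    # Simulate silent corruption after the completion log said "success":
    # same manifest, but one file's bytes inside the archive have changed.
    bad_archive = work / "backup-corrupt.zip"
    with zipfile.ZipFile(good_archive) as src, zipfile.ZipFile(bad_archive, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "report.txt":
                data = data.replace(b"1,234,567", b"0,000,000")
            dst.writestr(info.filename, data)
    bad = restore_and_verify(bad_archive, manifest, log)
    return good, bad


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

Run as a script to see one PASS and one FAIL record; the `restore-tests.jsonl` file it appends to is the kind of artefact to keep (ideally on the immutable side) and hand over at renewal, because it records what was verified, against which archive, and when, rather than only that a backup job finished.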
Sector-Specific Requirements
Certain sectors face additional scrutiny:
- Healthcare: Must demonstrate HIPAA or equivalent compliance + medical device segmentation
- Financial services: Must demonstrate DORA compliance + transaction system resilience
- Manufacturing: Must demonstrate OT/IT network separation + SCADA protection
- Local government: Must demonstrate NIS2 compliance + crisis management procedures
How to Structure Your Ransomware Coverage
For organizations navigating this market, here are practical recommendations:
- Do not assume last year's policy covers this year's risk. Policy wordings change annually. Have coverage reviewed by a broker who specializes in cyber insurance.
- Match your recovery capabilities to your policy limits. If your policy has a 90-day restoration period but your actual recovery time is 180 days, you have a coverage gap that will not become apparent until you file a claim.
- Document everything before an incident. Pre-incident documentation of systems, backup procedures, and security controls makes the claims process faster and reduces disputes.
- Consider a ransomware-specific endorsement. Some carriers offer endorsements that expand ransomware coverage beyond the base policy, including the cost of data reconstruction, extended business interruption, and reputational harm.
- Check the sanctions exclusion carefully. If you operate in regions where sanctioned entities are active, ensure your policy addresses the scenario where a ransom demand comes from a sanctioned group.
For a broader view of how ransomware losses are shaping the market, see our analysis of ransomware claims trends in 2026 and our guide to underwriting models for ransomware risk. When a ransomware incident occurs, follow our Cyber Insurance Claims Process Guide for step-by-step filing instructions.
For more on this topic, see our guide to Ransomware Attack Vectors in 2026.
For more on this topic, see our guide to NIS2 Ransomware Reporting Requirements.
Michael Guiao is the Founder of Resiliently.ai and the author of Resiliently. He holds CISM, CCSP, CISA, and DPO (TÜV) certifications and has 8+ years of experience across insurance, auditing, and consulting at firms including AXA, Xella Group, and PwC.