Ransomware Sublimits Can Have a Big Impact on Cyber Clients

Modern cybercrime is constantly evolving to produce more complicated, stealthy attacks with devastating and costly consequences for companies that fall victim. Cybercrime cost U.S. businesses more than $6.9B in 2021. Even so, only 43% of businesses report feeling financially prepared to face a cyberattack in 2022 (source 1).

Cyberattacks come in many forms, but ransomware is one of the most prominent types of malware designed to target a company’s critical data and systems for the purpose of extortion. It’s often delivered through phishing emails, and once users have been locked out of the data or system, the cybercriminal demands a ransom payment. After receiving payment, the attacker will purportedly provide a means of regaining system or data access, such as decryption keys.

Ransomware attacks drove carrier loss ratios higher in both 2020 and 2021, and price increases over the last 18 months have yet to resolve the problem. Underwriters are also relying on closer scrutiny and tighter terms and conditions to reduce the threat of ransomware as making a steady profit from cyber coverage continues to be challenging. Near the end of 2021, shortly after the Apache Log4j vulnerability was discovered in November, ransomware sublimits began emerging from cyber carriers. In 2022, they’re becoming more prevalent and over the last 6-8 months many markets have indicated they’ll only quote an account if a ransomware sublimit is included. Such sublimits can be as low as $25K, while some offer $100K, and others max out at $250K. Depending on the scope and nature of the ransomware attack, these limits can fall far short of what policyholders need to recover, but they’re sometimes the only option for obtaining coverage. This is especially true if a client lacks a cornerstone of modern cybersecurity like Multi-Factor Authentication (MFA) or Endpoint Detection & Response (EDR).

The first half of 2022 saw a total of 236.1 million ransomware attacks worldwide (source 2).

At first glance, Ransomware Attack sublimits may give the illusion that they only apply to extortion payments, but in reality the sublimit can apply to much more. These sublimits generally include all payable losses arising out of a ransomware attack. It’s vital that agents and clients understand the implications of the sublimit, as most ransomware attacks trigger multiple insuring agreements on the policy, thus significantly limiting coverage by tying all resulting attack losses to the sublimit. Furthermore, carriers sometimes cap all future ransomware attacks within these sublimits, or only apply the sublimit to future claims until the policy aggregate limit is exhausted.

The marketplace is also seeing new defined terms in ransomware sublimits, such as “Ransomware Event” which includes any extortion payment demanded as well as all first and third-party losses stemming from the event. This encompasses an information privacy wrongful act, network security wrongful act, system disruption, or other specified perils. These endorsements typically apply to any single Ransomware Event, meaning if there were multiple attacks during the policy period, the sublimit would respond to additional attacks until the aggregate limit is reached. In contrast, without the sublimit, an extortion loss does not impact the other coverages unless the policy aggregate limit is reached.

In addition to Ransomware Attack sublimits, carriers are sometimes adding a co-insurance requirement, often hovering around 25%. Some policies have also come to include “Ransomware Attack” as a newly defined term that generally refers to any cyber event arising out of malicious software (including ransomware) used to exfiltrate data or to block or damage data and computer systems. This means all insuring agreements affected by such a loss are subject to the sublimit, including any defense costs, regulatory loss, breach response costs, brand loss, cyber extortion, digital asset loss, business interruption loss, computer crime loss, and more. If the policy includes an aggregate sublimit for all Ransomware Attacks, any subsequent attack lacks coverage once the sublimited amount has been paid. It’s worth noting that some markets are willing to work with clients taking action to meet specific cyber security requirements in short order and may consider removing the endorsement once adherence to security requirements is achieved. Others require insureds to wait 30-60 days after meeting security requirements before removing the sublimit, but in some cases policyholders are unable to amend coverage prior to the annual renewal period.

In 2021, 68.5% of surveyed businesses reported being victimized by ransomware, the highest figure reported to date (source 2).

While a sublimited policy retains utility for issues like system failure/outage or privacy breaches, the top exposure clients seek to cover is often the risk of ransomware attack. The average extortion payment demand regularly exceeds 7 figures, making it clear that a sublimit of $25K - $250K isn’t nearly enough when the unexpected happens. Clients with a ransomware attack sublimit are effectively left to self-insure against the remaining expenses of an attack, which can cost hundreds of thousands of dollars. When clients purchase higher limits, carriers are sometimes choosing to limit extortion through a sublimit rather than limiting the ransomware coverage as a whole. However, it’s not an extortion sublimit. Rather, it’s a ransom sublimit that ties extortion in with the first- and third-party coverages.

As cybercrime continues to grow in volume and sophistication, underwriters are constantly adjusting their desired requirements for cyber security. This can be frustrating for insureds, who often feel like they’re left trying to hit a moving target as requirements change from year to year. Though many companies have upped their security budgets and adopted more advanced defenses, keeping up with emerging threats is a challenge (source 1). Recent research indicates that 30% of surveyed executives feel their budgets aren’t sufficient to ensure proper cybersecurity (source 1). Insurance price hikes have also led to complaints that robust cyber coverage is unaffordable, especially for small and midsize enterprises. As a result, some companies have decided to drop or forgo cyber coverage, a risky course of action that offers upfront premium savings but can ultimately make recovery from a cyberattack much more difficult, if not impossible (source 3).

Rather than avoiding cyber coverage, newcomers to the market and existing clients can consider reaching out to chosen markets for a cyber loss control scan before going to market, to get a feel for any security weaknesses that should be addressed in order to obtain optimal coverage. However, it’s important to keep in mind that scan results can vary from carrier to carrier and aren’t intended as a substitute for more robust internal security assessments by the organization itself. Retailers would also be wise to establish minimum security standards with an insured before seeking coverage, as Multi-Factor Authentication (MFA) and Endpoint Detection & Response (EDR) are now minimum requirements for most cyber underwriters. When it comes to renewal, starting as early as 6 months out, agents can consider reaching out to incumbent carriers to inquire about any new requirements or application questions for upcoming renewals, to help policyholders stay ahead of the security curve.

When a ransomware sublimit is included in a cyber policy, it typically limits more than just a ransom payment; it applies to any other coverages that are triggered by the event, which is very concerning for clients. It’s vital that agents be aware of these sublimits as they become more pervasive and thoroughly explain their potential consequences to insureds. Ransomware extortion payments can be costly, and clients with a ransomware attack sublimit need to understand that they may be left to self-insure against the remaining expenses of an attack. CRC Group’s ExecPro and Cyber Specialty Teams have the market knowledge and access necessary to ensure that your clients obtain the best possible coverage for the right price. Contact your CRC Group producer today to discuss how we can help your clients navigate the challenging cyber coverage landscape.

• Mark Smith is Senior Vice President and a Professional Liability Broker with CRC Group’s Seattle office. He is an active member of the ExecPro Practice Group and a member of the Cyber Specialty Team.

1. Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know, Forbes, June 3, 2022.
2. Ransomware - Statistics & Facts, Statista, July 6, 2022.
3. ‘Clear and precise policy wording’ the key to a mature cyber market: S&P, Advisen Front Page News, August 5, 2022.