The Evolution of Ransomware Coverage
Lloyd's of London created Kidnap & Ransom insurance in 1932, as a response to demand driven by the kidnapping of Charles Lindbergh's son[1].
Ransomware followed a similar trajectory - less dramatic than the ‘crime of the century,’ but similar in insurance impact: attacks dominating the news cycle, pushing carriers to isolate and define a new named peril. But ransomware did not begin as a wholly new coverage problem. It first fit inside an existing one.
Cyber Extortion Came First
Early Cyber Extortion forms already addressed the core ransom-demand scenario, but ransomware attacks can trigger a wider set of losses elsewhere in the policy. By 2015, Cyber Extortion was an established named peril in Cyber and E&O lines. That year, 16 Cyber Extortion endorsements were filed, nearly all of them affirmative coverage grants. By 2018, that number reached 37, and by 2019 it was 48.
Beazley's 2015 Cyber Extortion Endorsement (E07529 09 15) is typical of the early pattern. It defines an "Extortion Threat" as a threat preventing access to computer systems or data assets, altering or destroying data, introducing malicious code, or publicly disclosing information, unless a payment is received. "Cyber Extortion Loss" covers both the extortion payment itself and expenses incurred to prevent or terminate the threat. That language covers a ransomware attack without ever using the term 'ransomware': an attacker encrypts systems, demands payment, and the policy responds.
The first named ransomware forms appeared in 2016, with the Ransomware Loss Coverage Endorsement (PVSR-327 02 16) for AXIS Insurance Company's PrivaSure product.
Why Ransomware Needed Its Own Definition
Cyber Extortion Intent
Cyber Extortion coverage was designed around a specific scenario: a threat directed at the insured, a demand for payment, and the costs to respond. Ransomware did not always fit that pattern cleanly.
NotPetya displayed a ransom demand but was primarily a wiper with no functioning decryption mechanism. It caused billions in damage without a meaningful extortion exchange. The main drivers of loss fall outside the Cyber Extortion insuring agreement: Business Interruption while systems are down, data recovery costs, notification expenses if data was breached, and third-party liability claims. Those losses are covered under other insuring agreements in the same policy, each with its own limits.
That creates an exposure management problem. If a carrier sublimits Cyber Extortion to $250,000, it has only capped the ransom payment and response costs. The Business Interruption, data recovery, and liability claims from the same ransomware event flow through other coverage parts uncapped. To control total ransomware exposure with one number, the carrier needs a definition that cuts across insuring agreements. "Cyber Extortion Threat" belongs to one insuring agreement. A new term is needed.
Separation of Ransomware
Carriers like Chubb and U.S. Specialty (Tokio Marine) created separate ransomware definitions. Chubb's 2021 Ransomware Encounter Sublimit, Retention, and Coinsurance Endorsement (PF-54814 06 21) defines "Ransomware Encounter" and applies a single sublimit, retention, and coinsurance percentage across five insuring agreements. U.S. Specialty's 2024 Ransomware Attack Sublimit and Coinsurance (NGP 1098A 09 24) does the same, applying one aggregate sublimit across all ransomware-related losses regardless of which insuring agreement they fall under.
Other Approaches
Not every carrier separated ransomware. Beazley and Hartford still cover ransomware through their Cyber Extortion insuring agreements and do not define ransomware separately in their primary Cyber programs. They collect ransomware-specific data through supplemental applications, but the coverage mechanism remains Cyber Extortion.
The ransomware-related losses that fall outside of Cyber Extortion (Business Interruption, data recovery, liability) are picked up by other insuring agreements in the policy. The trade-off is that there is no single cross-cutting cap on ransomware losses.
2017 Ransomware Attacks: WannaCry, NotPetya

WannaCry (May 2017) and NotPetya (June 2017) caused major economic ripples that pushed ransomware into the public vernacular.
Economic Shock
WannaCry infected over 200,000 computers across 150 countries[2] in a matter of days, with total economic damages estimated at $4 billion[3]. A month later, NotPetya caused an estimated $10 billion in damages globally[4], making it the most costly cyberattack on record at the time. Individual company losses were significant: Merck reported $1.4 billion[5], FedEx's TNT Express subsidiary lost $400 million[6], and Maersk spent $250-300 million[7] rebuilding virtually its entire IT infrastructure.
Insurance Claims
The insurance fallout was just as significant. A large share of NotPetya claims landed on traditional property and Business Interruption policies, not standalone Cyber policies, exposing the scale of "silent cyber" on insurers' books. Zurich denied Mondelez's $100 million property claim[8] by invoking the policy's war exclusion, arguing that a Russian military cyberattack constituted an act of war. A consortium of roughly 30 insurers tried the same defense against Merck's $1.4 billion claim. In 2022, a New Jersey court ruled in Merck's favor[9], finding that traditional war exclusion language was never intended to encompass cyberattacks. The appellate division upheld the ruling in 2023[10].
These disputes drove Lloyd's to require all standalone Cyber policies to include a state-backed cyberattack exclusion by March 2023[11]. More broadly, they forced the entire market to confront how ransomware risk was priced, excluded, and underwritten. We can see the impact of these events unfold in the filing data over the following years.

2020 Onward: New Coverage Mechanisms
Admitted insurance filings typically lag the events that drive them by a few years. Carriers wait to see how claims are adjudicated. Forms, underwriting guidelines, and pricing need to be drafted, reviewed, and filed with state regulators. The impact of the 2017 attacks started showing up in 2020, when named ransomware forms surged:
- 2020: 17 named forms filed
- 2021: 56 named forms filed
- 2022: 56 named forms filed
Across all named ransomware forms filed since 2020: 49 were exclusions, 82 were sublimits or coinsurance, 56 were coverage grants, and 54 were named applications. Exclusions and coverage endorsements were spread across umbrella/excess, E&O/PL, and Cyber. By that point, the market was no longer converging on one answer. Carriers were using different tools depending on whether they wanted to cover ransomware, cap it, exclude it, or underwrite it separately.
Ransomware-Specific Underwriting
Cyber Extortion has appeared in applications since at least 2015 (82 applications that year). Ransomware started appearing in application questions meaningfully in 2018 (49 applications) and reached 163 in 2025, overtaking Cyber Extortion (124). Named ransomware supplemental applications, dedicated assessments that collect ransomware-specific underwriting data, did not appear until 2020. Nine carrier groups have filed them to date, including Beazley, AXIS, Hartford, CNA, and U.S. Specialty.

These supplemental applications collect detailed, ransomware-specific security data that general Cyber applications do not. Underwriting moved from general cyber hygiene to targeted controls tied specifically to ransomware severity and recoverability:
- MFA deployment: whether MFA is required for remote access, privileged accounts, cloud resources, and personal devices. AXIS (AXIS1012729) breaks this into five separate checkboxes.
- Endpoint detection and response: whether an EDR or next-generation antivirus tool is deployed, and which product. AXIS lists specific vendors (CrowdStrike Falcon, Carbon Black, Cylance, Symantec EDR). CNA (CNA109982XX) asks whether EDR/NGAV covers all endpoints and servers.
- Backup security: whether backups are encrypted, stored offline or air-gapped, and tested for successful restoration. Beazley (F00818) asks whether the applicant can test backup integrity to confirm it is free from malware before restoration.
- Patching and access controls: CNA asks whether critical patches are applied within 7 days of release. AXIS asks whether Remote Desktop Protocol is enabled and, if so, whether it requires VPN access, MFA, and network-level authentication.
- Email security: SPF, DKIM, and DMARC implementation. CNA asks specifically whether SPF is strictly enforced on incoming emails.
- Incident readiness: Beazley asks whether the applicant has a 24/7 or working-hours security operations center. AXIS asks whether administrator access is actively monitored for unusual behavior.
Case Study: How U.S. Specialty Rates Both Perils
U.S. Specialty's 2024 NetGuard Plus product (NGP 1000A 09 24) illustrates how a carrier handles both Cyber Extortion and ransomware as separately managed exposures.
Cyber Extortion is priced with a three-tier gate based on the applicant's security controls:
- Risk Low: full policy limit
- Risk Medium: $250,000 sublimit
- Risk High: no coverage
There is no additional premium and no factor table. It is a pass/fail coverage decision driven by the base Cyber application.
Ransomware has its own sublimit factor table in the rating plan. On a $5,000,000 main limit:
- $5,000,000 ransomware sublimit: factor 1.00
- $1,000,000 ransomware sublimit: factor 0.90
- $50,000 ransomware sublimit: factor 0.80
Retention is priced separately through a matrix of requested retentions against revenue-based deductibles.
The underwriting inputs are different too. The base Cyber application feeds the Cyber Extortion risk-group classification. The ransomware supplemental application (RSA-A 09 24) collects data the base application does not: MFA deployment for remote access and privileged accounts (with provider and type), endpoint detection and response tool and whether it covers 100% of endpoints, backup encryption and air-gapping, backup frequency, and estimated recovery time in the event of a widespread ransomware attack.
Two perils, two pricing mechanisms, two underwriting inputs, one policy.
A 10-Year Summary
Over the past decade, ransomware coverage did not merely become more common. It became administratively separable inside insurance products - first as an implied Cyber Extortion event, then as a named peril, and eventually as a separately defined, underwritten, and often limited exposure.
- 2015-2016: The first named ransomware forms appeared, defined separately from Cyber Extortion.
- 2017-2019: WannaCry and NotPetya made ransomware visible. Named forms appeared but stayed small and mostly coverage-oriented.
- 2020-2023: Ransomware became its own named peril class. Exclusions spiked across umbrella/excess, E&O/PL, and Cyber. Sublimits and coinsurance emerged primarily inside Cyber Liability. Cyber Extortion remained affirmative.
- 2024-2025: Exclusions receded. Sublimits and coinsurance, concentrated in Cyber, became the dominant mechanism.
Data sourced from FilingFocus.
Footnotes
2. NBC News, "Global cyberattack spreads to 150 countries" (May 2017)
3. CBS News, "WannaCry ransomware attack losses could reach $4 billion" (May 2017)
4. Wired, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History" (Aug 2018)
5. Security Magazine, "Merck wins $1.4B lawsuit over NotPetya attack"
6. The Security Ledger, "NotPetya's cost to FedEx: $400 million and counting" (Dec 2017)
7. CNBC, "Maersk says NotPetya cyberattack could cost $300 million" (Aug 2017)
8. The Register, "Mondelez, Zurich settle $100M+ NotPetya insurance lawsuit" (Nov 2022)
9. Insurance Journal, "Court siding with Merck over war exclusion for cyber attack" (Feb 2022)
10. NJ Appellate Division opinion, Merck v. ACE American Insurance (May 2023)
11. Lloyd's Market Bulletin Y5381, "State backed cyber-attack exclusions" (Aug 2022)