Document Type


Publication Date



Ransomware attacks are becoming increasingly pervasive and disruptive, resulting in ransom demands becoming more exorbitant. Payments for ransom costs are increasingly being covered by insurance, which may offer coverage for a variety of cyber-related losses. Some commentators have expressed concern over this market phenomenon. Specifically, the concern is that the presence of insurance is making the ransomware problem worse based on the following theory: because there is ransomware insurance that covers ransom payments, and because paying the ransom is often far cheaper than paying the restoration and business interruption costs covered under the policy, there is an increased tendency to pay the ransom—and a willingness to pay higher amounts. This fact, known by the criminals, increases their incentive to engage in ransomware attacks, which increases the demand for insurance. And the cycle continues. This Article demonstrates that the picture is not as simple as this story would suggest. Insurance offers a variety of pre-breach and postbreach services that are aimed at reducing the likelihood and severity of a ransomware attack. Thus, over the long-term, cyber insurance has the potential to lower ransomware-related costs, even without government intervention. As recent research has shown, however, insurers have not yet fully embraced their potential role as ex ante and ex post regulators of cyber risk—a role for which they are especially well-suited. This Article discusses reasons why that might be the case and offers suggestions for how government intervention may help. Among these suggestions is a limited ban on indemnity for ransomware payments with exceptions for cases involving threats to life and limb, which would be an expanded version of what is already in place with the Office of Foreign Assets Control’s (“OFAC”) sanctions program. We also explain how a government regulator, such as the OFAC, could serve a coordinating function to help cyber insurers internalize the externalities associated with the insurers’ decisions to reimburse ransomware payments—a role that is played by reinsurers in the context of kidnap-and-ransom insurance. Finally, we consider the idea of a federal mandate requiring property and casualty insurers to provide coverage for the costs of ransomware attacks but exclude coverage for the ransomware payments.