Why Cyber-Insurance Doesn’t Work

16th June 2019

As Ransomware becomes more prevalent, Insurance companies will add more requirements and stipulations for payout. If your company didn’t have the mitigations in place that it promised, there will be NO payout. This is a typical Catch-22: if you have the mitigations in place, you don’t need Ransomware insurance.

Ransomware Baddies may not have the key
Ransomware is built quick and dirty and it may just not work.
Or it may just scramble your data, and there never was a recovery path.
Baddies don’t care, they still get paid.
Baddies are anonymous. There is NO repercussion if they don’t hand over the key.

The information needed to continue business is gone.
Clients need product on time.
If the recovery process takes too long clients buy from someone else.
No clients = no business.

Insurance Companies are greedy bastards.
Mondelez is hit by NotPetya ransomware and has Cyber-Insurance. Cool.
Zurich Insurance refuses to pay on the grounds that Russian Ransomware is an Act of War.
https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/

Even if the Insurance company pays out:
Clients are angry.
Reputation is tarnished.
Owner has cash in hand.
Owner is likely to close shop and walk away.


What if a failing company encrypted its own files to get the Insurance $?
Intentional Ransomware would be much harder to disprove than arson.