The $11.5 Billion Problem with Ransomware

TLDR

Ransomware attacks on businesses have exploded in scale and sophistication since 2019. The old $11.5 billion figure is now a relic. Global ransomware losses exceeded $30 billion in 2023. Every business that runs on data is a target. The protection strategy has three layers: technical controls, employee training, and cyber insurance. None of them works alone.

What Is Ransomware and Why Should Every Business Owner Care?

Ransomware is malicious software that locks your systems and holds your data hostage until you pay. But the ransom is only part of the story. The real cost is the downtime, forensic cleanup, and reputational damage that follows. Most of that is not covered by a standard business insurance policy, and the financial exposure is far larger than most owners expect.

The scale of the problem has grown dramatically.

Here’s where things stand today:

  • Global ransomware damage costs exceeded $30 billion in 2023, up from $11.5 billion in 2019
  • The average ransomware recovery cost for businesses now exceeds $2 million, including downtime and remediation
  • 66% of organizations were hit by ransomware in 2023 (Sophos State of Ransomware 2024)
  • Small and mid-sized businesses are now the primary target. Attackers know SMBs are less protected than large enterprises

Real-World Cost: A Business Owner’s Nightmare

Consider a mid-sized professional services firm: 40 employees, running everything on a shared network. A single employee clicks a phishing link on a Monday morning. By noon, every workstation and server is encrypted. Client files, accounting records, email. All locked. The hacker demands $75,000 in Bitcoin.

Even if the firm pays, recovery takes three to six weeks. Staff sit idle. Clients find other providers. The forensic IT firm charges $30,000. The total hit: well over $200,000. And if the firm did not have cyber insurance, every dollar comes out of pocket.

How Does Ransomware Get Into Your Business?

Ransomware rarely exploits complex technical weaknesses. In most cases it enters through predictable, preventable attack vectors, and most businesses leave at least one of them unaddressed. The four most common entry points are well-documented by CISA, and understanding them is the first step toward closing them.

According to CISA’s #StopRansomware guidance, the primary attack vectors are largely preventable with the right controls in place. The challenge is that most businesses don’t have those controls consistently applied.

Phishing Emails

The most common entry point. One click on a convincing email releases the malware. Attackers run automated campaigns at scale. Even a 0.5% hit rate across 100,000 emails yields hundreds of infected networks.

RDP Exploits

Businesses with open Remote Desktop Protocol ports and weak credentials are prime targets. This vector surged post-2020 with remote work and has stayed elevated. Attackers scan the internet continuously for exposed RDP.

Unpatched Software

Outdated systems are a standing invitation. The WannaCry attack exploited a known Windows vulnerability for which a patch had been available for months, costing businesses globally over $4 billion.

Third-Party Access

Attackers target vendors and MSPs with admin access to multiple clients. Compromising one MSP unlocks hundreds of businesses simultaneously, multiplying the damage from a single attack.

What Does a Ransomware Attack Actually Cost?

Most business owners focus on the ransom demand when they hear about ransomware. But the ransom is typically the smallest line item in the final bill. The real cost includes downtime, forensic cleanup, legal exposure, and lost clients. It can exceed $2 million even for a mid-sized business, and most of it is uninsured under standard policies.

Cost Category                            Typical Range
Ransom payment                           $50,000 to $5,000,000+
Business downtime (per day)              $5,000 to $50,000+
Forensic IT investigation                $15,000 to $100,000
Data restoration and system rebuild      $10,000 to $250,000
Legal and regulatory notification costs  $5,000 to $500,000
Total average recovery cost              $2,000,000+

None of these costs are covered by a general liability policy, a BOP, or a commercial property policy. Without cyber insurance, you absorb every dollar.

How Do You Protect Your Business from Ransomware?

Ransomware protection for businesses requires three coordinated layers: technical controls, employee training, and cyber insurance. None of them is sufficient on its own. Businesses that invest heavily in IT security but skip training and insurance remain highly vulnerable, because attackers target people, not just systems.

Layer 1: Technical Controls

  • Offline encrypted backups tested regularly
  • Multi-factor authentication (MFA) on all remote access and email
  • Regular patching within 48 hours of critical disclosures
  • Network segmentation to limit lateral movement
  • Endpoint detection and response (EDR) software

Layer 2: Employee Training

  • Regular training, not a one-time onboarding module
  • Phishing simulations to identify who clicks and coach them
  • Role-specific training for employees with financial access or system privileges

See our Cyber Risk Employee Training Overview for a full implementation guide.

Layer 3: Cyber Insurance

  • Ransom payment reimbursement
  • Business interruption losses during downtime
  • Forensic investigation and IT remediation
  • Legal fees and regulatory notification costs
  • Crisis communications and reputational recovery

Learn what cyber insurance covers in detail.

Does Cyber Insurance Actually Cover Ransomware Attacks?

Yes, but only if the policy is structured correctly and your security controls meet the underwriter’s requirements. This is where many businesses get caught off guard. They buy a cyber policy, get hit, and discover gaps they never knew existed. Coverage conditions, sublimits, and pre-approval requirements vary significantly across carriers.

What a Strong Cyber Policy Covers

  • Ransomware payment: reimbursed after carrier pre-approval
  • Business interruption: lost revenue while systems are down
  • Extortion response: professional negotiators who often reduce ransom demands significantly
  • Forensics and remediation: the full IT cleanup cost
  • Third-party liability: notifications and lawsuits if client data was exposed


What Most Policies Won’t Cover

  • Pre-existing vulnerabilities your carrier warned you about and you ignored
  • Attacks on unpatched systems where a critical patch had been available
  • War exclusions. Nation-state attacks are increasingly contested in court, and some carriers are tightening language here
  • Inadequate security controls at claim time. Carriers audit your controls when you file

For a deeper breakdown, read our guide on cyber insurance and ransomware.

What Should You Look for in a Ransomware Insurance Policy?

Cyber policies vary significantly in how they handle ransomware. Sublimits, coinsurance requirements, and pre-approval clauses are now standard terms. Knowing what to look for before you buy is the difference between a policy that pays and one that doesn’t when you need it most.

Coverage Checklist

  • No sublimit on ransomware. Some policies cap ransomware coverage at a fraction of the total limit. Get a policy where ransomware is covered at full limits.
  • Extortion response services included. Access to a crisis response team and experienced negotiators is worth as much as the reimbursement.
  • Business interruption with a short waiting period. Most policies have a 6-12 hour retention period before BI kicks in. Shorter is better.
  • First-party and third-party coverage. Both are necessary. First-party covers your own losses; third-party covers claims from clients whose data was affected.
  • Pre-breach services. The best policies include dark web monitoring, employee training tools, and vulnerability scanning. See our guide on cyber pre-breach services.

What Underwriters Will Ask You

When you apply for cyber coverage, expect questions about:

  • Do you have MFA on all remote access and email?
  • Do you maintain offline backups tested within the last 90 days?
  • Do you use EDR software across your endpoints?
  • Have you had a prior cyber incident in the last three years?

Answering no to any of the first three may result in a higher premium or a coverage exclusion. Investing in these controls before you apply reduces both your premium and your actual risk simultaneously.
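As an added illustration that is not part of the original article, the Python script below checks a constructed control inventory against the thresholds the article cites (MFA on all remote access and email, EDR on every endpoint, offline backups restore-tested within 90 days, critical patches applied within 48 hours) and maps the result onto the three underwriter questions above. The inventory, system names and patch ids are assumed sample values, not data from any real environment.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data) for the controls the article names:
# MFA on remote access/email, EDR per endpoint, offline backups, critical patches.
INVENTORY = {
    "remote_access": [{"name": "VPN", "mfa": True},
                      {"name": "RDP gateway", "mfa": False}],
    "email": [{"name": "Microsoft 365 mail", "mfa": True}],
    "endpoints": [{"host": "ws-01", "edr": True}, {"host": "ws-02", "edr": True},
                  {"host": "srv-files", "edr": False}],
    "backups": [{"set": "file-server", "offline": True,
                 "last_restore_test": date(2024, 3, 1)}],
    # Patch ids are placeholders, not real advisories; dates are day-granular.
    "critical_patches": [
        {"id": "PATCH-PLACEHOLDER-1", "disclosed": date(2024, 4, 1), "applied": date(2024, 4, 2)},
        {"id": "PATCH-PLACEHOLDER-2", "disclosed": date(2024, 4, 10), "applied": date(2024, 4, 15)},
    ],
}
AS_OF = date(2024, 5, 1)  # constructed "today" for the report


def check_controls(inv, today=AS_OF, patch_sla=timedelta(hours=48),
                   backup_test_max=timedelta(days=90)):
    """Return {control: (passed, offending_items)} against the article's thresholds."""
    results = {}
    no_mfa = [s["name"] for s in inv["remote_access"] + inv["email"] if not s["mfa"]]
    results["mfa_remote_and_email"] = (not no_mfa, no_mfa)
    no_edr = [e["host"] for e in inv["endpoints"] if not e["edr"]]
    results["edr_all_endpoints"] = (not no_edr, no_edr)
    # A backup set counts only if it is offline and was restore-tested recently;
    # having no backup sets at all is a failure, not a vacuous pass.
    bad_backups = [b["set"] for b in inv["backups"]
                   if not b["offline"] or today - b["last_restore_test"] > backup_test_max]
    results["offline_backup_tested_90d"] = (bool(inv["backups"]) and not bad_backups, bad_backups)
    # Patches never applied (applied is None) are late by definition.
    late = [p["id"] for p in inv["critical_patches"]
            if p["applied"] is None or p["applied"] - p["disclosed"] > patch_sla]
    results["critical_patch_48h"] = (not late, late)
    return results


def underwriter_answers(results):
    """Yes/no answers to the three control questions the article says underwriters ask."""
    keys = {"mfa_on_all_remote_access_and_email": "mfa_remote_and_email",
            "offline_backups_tested_within_90_days": "offline_backup_tested_90d",
            "edr_on_all_endpoints": "edr_all_endpoints"}
    return {q: ("yes" if results[k][0] else "no") for q, k in keys.items()}


if __name__ == "__main__":
    for control, (ok, items) in check_controls(INVENTORY).items():
        print(f"{'PASS' if ok else 'FAIL'} {control} {items}")
```

Any "no" in the underwriter answers is also a gap attackers can use, so closing it before applying improves both the premium and the actual exposure, as the paragraph above notes.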

How Much Does Cyber Insurance Cost for Ransomware Coverage?

Cyber insurance is more affordable than most business owners expect, especially compared to the average $2 million recovery cost. Premiums vary based on industry, revenue, headcount, and the security controls you have in place. Businesses with strong controls consistently pay less, sometimes significantly less.

Business Size                          Typical Annual Premium
Small business (under $5M revenue)     $1,500 to $5,000
Mid-market ($5M to $50M revenue)       $5,000 to $25,000
Professional services firm             $3,000 to $15,000
Healthcare or financial services       $8,000 to $50,000+

For most small and mid-sized businesses, cyber insurance is one of the most cost-effective risk transfer tools available. A $3,000 annual premium against a $500,000 potential loss is straightforward math. To get an accurate number, read our guide on how much cyber insurance you should buy.

Frequently Asked Questions About Ransomware Protection for Businesses

The most effective protection combines three layers: technical controls (MFA, offline backups, patching, EDR), employee training (regular phishing simulations and security awareness), and cyber insurance to cover financial losses when controls fail. No single layer is sufficient on its own.

Yes, most cyber insurance policies cover ransom payments after the carrier pre-approves the payment. Many policies also include access to negotiation services that can reduce the ransom demand significantly before payment is made.

Recovery without paying is possible only if you have clean, offline backups that are regularly tested and not connected to your main network at the time of the attack. This is why CISA consistently identifies offline backup as the single most important ransomware defense.

Yes. Small and mid-sized businesses are increasingly the primary targets. Attackers know that SMBs typically have less sophisticated defenses than large enterprises and are more likely to pay quickly to restore operations. Over 46% of small businesses report having been targeted by a cyberattack.

The average total cost of a ransomware attack, including ransom, downtime, remediation, and legal fees, now exceeds $2 million. The ransom itself is typically a fraction of that total.

No. General liability, BOP, commercial property, and workers’ compensation policies do not cover cyber events. Ransomware losses require a standalone cyber insurance policy or a cyber endorsement specifically designed for these risks. Learn more in our data breach insurance guide.

This article was written by the CEO of The Coyle Group, Gordon B. Coyle, CPCU, ARM, AMIM, PWCA, who has over 40 years of experience working with business owners of all sizes and industries across the US, solving their insurance challenges.
