Your Bank Has Cyber Insurance. But Does It Actually Cover a Ransomware Attack?

The gap between what banks think they have and what insurers will actually pay

By Dan Weedin, Emerging Risk Solutions®

June 1, 2026

Your phone rings in the middle of the night. As the CEO or CFO of a bank, it’s the call you dread most.

You’ve been held up.

Unlike the days of Jesse James or Bonnie and Clyde, getting “held up” now happens in the shadows of cyberspace. And it’s not a kid in someone’s basement doing it. It’s a sophisticated, efficient criminal organization that kidnaps your technology and holds it for ransom.

But there’s good news! You have cyber insurance.

But wait, there’s bad news. Your cyber insurance policy has a $100,000 sublimit for ransomware payments. The demand is $800,000. Nobody explained the sublimit.

What Is Ransomware?

Ransomware is the colloquial name for cyber extortion. This is important because insurance carriers will use both terms when detailing the coverages and sublimits of a cyber policy.

By now, anyone managing cyber insurance for a bank understands that a ransomware attack holds the most valuable data on a bank’s servers hostage until the bank pays a ransom, often in bitcoin or another cryptocurrency.

Why It Matters

FinCEN’s 2025 Financial Trend Analysis found that financial services firms reported 432 ransomware incidents totaling $365.6 million in payments from 2022 to 2024, and that ransomware payments across that three-year window exceeded $2.1 billion, more than the entire prior nine-year period combined.

IBM’s 2025 Cost of a Data Breach Report puts the average total cost of a ransomware breach at $5.08 million, the highest of any attack vector tracked.

Meanwhile, 65% of financial organizations experienced a ransomware attack in 2024, up from just 34% in 2021. The 2025 threat landscape has shifted: attack frequency is up while ransom payments are down, meaning attackers are pivoting to data extortion and reputational pressure rather than encryption alone.

Bank-specific cyber policies now require Multi-Factor Authentication (MFA) as a condition of coverage, and some insurers will non-renew if MFA is absent.

Key Insurance Issues

  1. Banks carry multiple insurance policies: Cyber Liability, Crime, Commercial Property, and a Bankers Fidelity Bond. Ransomware coverage lives only in the cyber policy. It’s also important to understand that ransomware (also called cyber extortion) is a first-party cyber claim; liability is a third-party claim.
  2. Sublimits generally come in the italicized fine print of insurance proposals and policies. Ransomware is one of those first-party coverages that comes with a sublimit. In many cases, the sublimit is $100,000, regardless of the policy’s main limit.
  3. A common mistake among insurance buyers in any industry is reading only the sales proposal. Sublimits are included in most proposals, but they are easy to miss. They are spelled out clearly inside the policy itself. But you need to know where to look, and, let’s face it, nobody reads the policies.
  4. MFA (Multi-Factor Authentication) is now a standard condition of coverage in most bank cyber policies. If it isn’t in place, a carrier can deny your claim or non-renew your policy. Don’t assume your agent has confirmed compliance. Verify it yourself.
  5. What about your vendors and supply chain partners? If your bank is hit through a third party, many cyber policies have no coverage trigger for that scenario. The attack didn’t happen on your network, so the policy doesn’t respond. Does yours?

What’s Your Limit?

When was the last time you reviewed your ransomware sublimits? Hopefully, it was at the last renewal. However, did you take that extra step of reading the policy to confirm it? The insurance sales proposal is only a summary; it’s not intended to replace the policy.

Summary

Both the insurance and banking industries have come a long way in understanding and defending against cyber threats. The concern is that cybercriminals continue to outpace the “good guys” in sophistication and speed.

The challenge for whoever manages the bank’s insurance program, whether that’s the CEO, CFO, or Chief Risk Officer, is that insurance isn’t your only job. That’s exactly why a regular, independent, and unbiased review of the program matters.

© Dan Weedin. All Rights Reserved.
