It’s 6:15 p.m. on a Friday night when an SMB insured reaches out to the Converge hotline reporting that its servers are encrypted and its network is down. Only there’s no panic in the caller’s voice. They are confident in their third-party, cloud-hosted backups. They are all ready to spin up a new clean virtual network and restore their systems; they just require some assistance from a digital forensics and restoration provider.
They are hoping to be fully (business) operational by Monday, with only some minor residual effects that could last another week or two. No need or interest in paying the threat actor’s ransom.
But wait. Within days they’ll discover that the threat actor exfiltrated hundreds of gigabytes of data from their network, and that is where the point of this article begins.
Ransomware Landscape
The ransomware landscape has changed significantly over the past few years—not just in how attacks occur, but in what drives claims severity and frequency. What was once primarily a business interruption event—where attackers encrypted files and demanded a ransom for the decryption key—has evolved into something much more complex, and in many cases, more damaging.


Early ransomware attacks often relied on untargeted phishing campaigns or open Remote Desktop Protocol (RDP) ports. If attackers were successful, they’d encrypt critical systems, and many organizations—lacking mature backup strategies—would pay to recover. These incidents were often disruptive, but the ransom demands were relatively modest, and the data impact was minimal.
Over the past several years, threat actors have moved to more targeted approaches. As organizations have strengthened their business continuity planning and moved to cloud infrastructure, they’ve become better at managing the operational impacts of ransomware. This has driven attackers to make data theft a central feature of their attacks, and in some cases, it’s the only tactic used.
Attackers are gaining deeper access, moving laterally within networks, and exfiltrating massive volumes of data—sometimes hundreds of gigabytes or even terabytes. Business interruption losses—while still common—are often more contained. Ransom payment rates have steadily dropped—from 85% of victims paying in early 2019 to just 25% at the end of 2024, according to Coveware’s recent quarterly report.
However, claims costs have not decreased. In fact, they’ve risen.
What’s changed is the nature of the losses:
- Data mining and review costs now range from thousands to hundreds of thousands of dollars, depending on the volume of exfiltrated data.
- Notification obligations affect thousands—sometimes hundreds of thousands—of individuals.
- Privacy class actions are now routine, even when only a few hundred individuals are impacted.
- Defense and settlement costs continue to grow, with plaintiff firms treating ransomware-related litigation as a volume business.
With the focus now squarely on data theft, organizations must pivot their cybersecurity strategy accordingly. This is where Data Loss Prevention (DLP) tools become essential.
DLP solutions are designed to detect, monitor, and block the unauthorized movement of sensitive data—whether that data is in use, in motion, or at rest. And in today’s environment, they serve four key functions:
- Preventing data exfiltration: By flagging and stopping suspicious attempts to move data off the network, DLP tools directly address modern extortion tactics.
- Enhancing visibility: As data moves across hybrid and cloud environments, DLP helps organizations track where sensitive information resides and how it’s being accessed.
- Supporting compliance: Regulations like GDPR, HIPAA and CCPA impose strict obligations around data handling and breach notification. DLP helps enforce those policies proactively.
- Integrating with broader security efforts: Modern DLP systems work alongside SIEMs, endpoint protection platforms, and incident response workflows, providing another layer of defense.
Unfortunately, a successful DLP rollout requires an organization to have a strong sense of which data is critical to it and where that data is stored. This seemingly simple requirement causes many deployments to fail, leaving the resulting DLP solution ineffective.
The ransomware story today is not just about encrypting systems—it’s about exposing data. And while fewer companies are paying ransoms, total loss costs remain high due to a shift in where those costs land.
For those in the insurance business, this means:
- Underwriting needs to account for privacy and legal exposure, not just business interruption and restoration.
- Claims handlers should be prepared for prolonged response timelines, higher legal spend, and increased data review expenses.
- Brokers should advise clients to invest in DLP and privacy-centric controls, not just operational resilience.
As attackers continue to innovate, insureds must adapt—and so must the insurance market. Understanding and responding to this evolving risk is key to managing losses and supporting clients in an increasingly complex cyber landscape.
Spiehs is head of claims and Andrew Shaughnessy is director of cyber risk services at Converge.