RSAC 2026: Cyber insurance and the rise of ransomware
At RSAC 2026, John Kindervag proposed the idea that the rise of the cyber insurance industry has motivated ransomware threat actors to escalate their attacks and ask for more.
John Kindervag opened his session at RSAC 2026 Conference with a compelling proposition: The advent of life insurance offered a new motivation to commit murder.
The Forrester alumnus, who is widely credited as the creator of the zero-trust security model, and current chief evangelist at Illumio, argued that, while murder has always been part of society, life insurance layered a financial incentive on top of an ancient crime.
Today, he said, cyber insurance plays the same role: It gives digital criminals a lucrative new reason to escalate the decades-old practice of ransomware extortion.
Ransomware evolves
The ransomware age dawned in 1989. An evolutionary biologist, Joseph L. Popp, distributed thousands of floppy disks, labeled as legitimate research software, to attendees of a World Health Organization AIDS conference. Once installed, the program on the disks -- later dubbed the AIDS Trojan -- lay dormant until a counter reached a predetermined number of system reboots (90, in the samples later analyzed). The malware then hid directories and scrambled file names using symmetric encryption, rendering the computer unusable. Victims were presented with a message instructing them to send a $189 payment to a P.O. box in Panama to regain access. Because the scheme relied on symmetric encryption, the key was recoverable from the program itself, a weakness later ransomware authors corrected.
In the early 2000s, basic file-renaming and locking techniques were replaced by asymmetric encryption, leaving the decryption key solely in the attacker's hands. Distribution became easier as email attachments and botnets offered new methods to infect systems. Payment, too, became easier as cryptocurrencies provided pseudonymous payment rails outside banking oversight. In 2019, double extortion became a popular tactic; beyond just encrypting and locking data, attackers now stole it first and threatened to publish it or leak it on the dark web if the ransom went unpaid.
By the 2020s, innovation had reached breakneck speed, with AI-fueled cyberattacks enabling large-scale, multivector data exfiltration and extortion from even the most secure government agencies and global enterprises.
The dawn of cyber insurance
The cyber insurance industry rose in parallel with businesses' growing reliance on the internet and electronic storage, and with the growth of the cyberthreats that accompanied it.
Commercial insurers began experimenting with coverage in the 1990s, offering narrow third-party liability policies that covered damage to others caused by hacker-induced breaches. By the end of the decade, insurers were issuing the first widely marketed cyber insurance policies, covering data breach response and business interruption costs. In the 2000s, more companies entered the market and began selling first-party coverage, which insures the policyholder's own losses from a cyber incident, alongside the earlier third-party liability products.
The industry has been maturing ever since, expanding product portfolios to include breach notification, credit monitoring, regulatory defense, ransomware negotiation, supply chain coverage and extortion protections. As the threat landscape has become more perilous, premiums have spiked. According to Kindervag, the market has grown 40-fold in the past 20 years and is presently estimated at nearly $21 billion.
The business of it all
According to the "Resilience 2025 Midyear Cyber Risk Report," ransomware-related incidents were responsible for more than 90% of losses in the first half of 2025.
Kindervag was quick to point out that both insurers and ransomware threat actors are motivated by the same thing, relaying a conversation with a cyber insurance executive who explained, "I could deny every claim. I'm not going to do that, because all I have to do is make sure I'm making more money than I'm paying out. It's a business to me. I'm not trying to transfer risk. I'm trying to make money. So as long as the financial equation works, we're going to keep making ransomware policies."
The largest portion of many cybersecurity budgets, Kindervag stated, is dedicated to paying ransoms. In 2018, companies paid about $39 million to have their data released, and within five years, that figure had ballooned to more than $813 million. Even while paying out such staggering amounts, it behooves insurers to keep the riders and exclusions on their policies limited enough that paying premiums still makes sound business sense for their commercial policyholders.
"For some companies," Kindervag said, "they just consider [ransomware] part of doing business."
How much you got?
With a large, successful industry of commercial insurers willing to pay ransomware demands on behalf of their customers, criminals have grown bolder but also more pragmatic. They know insurers are willing to pay, and they can often determine the coverage limits an enterprise carries, for example by finding the policy documents among the data they have already stolen or through other reconnaissance. The result is an underground group of ransomware actors who can bypass the negotiation phase when holding data or systems hostage. Rather than engage in time-consuming haggling, they simply ask for the amount they know the insurer will pay out on the victim's behalf.
"They're coming up and asking you how much money you are getting," Kindervag said. "That's how much we are going to charge you. Not a penny more. They don't want extra. They just want what's coming to them, what's fair in their world. They're a business just like you're a business."
Several years ago, for example, the ransom note sent with Hardbit ransomware read, "If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent."
Kindervag summarized the situation: "Ransomware amounts increased 2.8 times if the victims had insurance coverage. Think of that as a data point. The fact that you had insurance increased the amount of money you were going to pay for ransomware."
A policy problem
Kindervag didn't let enterprises off the hook in his session. He argued that bad policy enables ransomware events. When security professionals have poor visibility into their systems and controls sit in the wrong places, threat actors can gain the access needed to hold companies hostage. If an attacker enjoys a long dwell time in which to map the environment and reach sensitive data, that is simply the symptom of poor security policy.
Those policies, he argued, have played a significant role in the explosive proliferation of ransomware events. And because the cyber insurance business model does not necessarily reward stringent security controls, that industry has also been instrumental in the rise of ransomware.
Kindervag advocated strong cybersecurity first. But if security policies prove insufficient to stop a ransomware attempt, he advised companies not to stand on principle over paying, because at that point it is already too late. "This is the end of the chain. You failed at the beginning with policy, and now you're paying the price for having bad policy."
Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.