Business Interruption Costs Now Dominate Cyber Claims: Ransom Payment Era Ends

Business interruption now 44% of cyber claims while ransoms drop to 10-15%. Learn why downtime costs exceed ransoms and how to protect revenue.

Written by Soma Insurance Team

CHICAGO, IL – In a significant shift in the cyber threat landscape, business interruption (BI) costs now account for 44% of total cyber insurance claim costs, according to October 2025 data from Corvus Insurance and Coalition. Meanwhile, ransom payments have declined to just 10-15% of total cyber claim costs—down from 35-40% in 2021-2022.

This dramatic shift reflects a fundamental change in both attacker tactics and victim response strategies. Businesses have become more resilient against ransomware through improved backups and recovery capabilities, making them less likely to pay ransoms. But attackers have responded by focusing on maximizing business disruption rather than just encrypting data—creating longer outages that cost far more than ransoms ever did.

The cost breakdown of a typical cyber attack in 2025:

  • Business interruption: 44% ($1.21 million average)
  • Recovery and remediation: 25% ($687,000 average)
  • Ransom payments: 12% ($330,000 average, but only paid in 34% of cases)
  • Notification and legal: 8% ($220,000 average)
  • Forensic investigation: 6% ($165,000 average)
  • Reputational damage/customer loss: 5% ($138,000 average)

Total average cyber claim cost: $2.76 million (up from $2.33M in 2024)

For businesses, this shift has profound implications. Cyber insurance that focuses solely on ransom payment coverage is inadequate. The real financial threat is lost revenue, customer attrition, and operational paralysis during extended outages. Effective cyber risk management must prioritize business continuity and rapid recovery—not just whether to pay ransoms.

Why Business Interruption Costs Are Exploding

1. Attackers Are Deliberately Maximizing Downtime

Old ransomware playbook (2019-2022):

  1. Gain access to network
  2. Encrypt files
  3. Demand ransom for decryption key
  4. Victim pays or restores from backups within days

New playbook (2023-2025):

  1. Gain access to network
  2. Dwell for 30-90 days, spreading laterally
  3. Steal sensitive data
  4. Encrypt backups and production systems
  5. Delete or corrupt recovery mechanisms
  6. Deploy ransomware across entire environment simultaneously
  7. Demand ransom while victim discovers they can't quickly recover
  8. Even if victim doesn't pay ransom, threaten to publish stolen data

The goal: Make recovery as slow and painful as possible to maximize pressure to pay ransom or maximize business damage if they don't.

Why attackers shifted tactics: As businesses implemented better backups and stopped paying ransoms, attackers had to create more leverage. Extended business interruption creates extreme pressure—lost revenue, angry customers, employee layoffs, potential business failure.

Real-world example: A regional healthcare provider suffered a ransomware attack in June 2025.

Old playbook impact: Encrypt patient records, restore from nightly backups, back online in 2-3 days, minimal business interruption.

Actual 2025 attack:

  • Attackers dwelled in network for 67 days before deploying ransomware
  • Encrypted production systems AND on-site backups
  • Deleted cloud backup jobs (attackers had compromised admin credentials)
  • Corrupted Active Directory (authentication system)
  • Destroyed virtualization environment configuration

Recovery timeline:

  • Day 1-3: Assessed damage, realized backups were compromised
  • Day 4-8: Rebuilt core infrastructure from scratch
  • Day 9-21: Restored data from off-site backups (slower than expected due to incomplete backups)
  • Day 22-35: Tested systems, verified data integrity
  • Day 36: Partially reopened (limited services)
  • Day 47: Fully operational

Costs:

  • Ransom demanded: $2.4M (not paid)
  • Business interruption: $4.8M (lost revenue + continued fixed costs)
  • Recovery/rebuild: $1.9M (consultants, new equipment, accelerated recovery efforts)
  • Notification/legal: $420,000
  • Customer loss: $1.1M (patients who permanently switched providers)
  • Total: $8.24M

Note: Ransom was $2.4M but business interruption was $4.8M. Even if they had paid the ransom (and received a functioning decryption key, which is never guaranteed), they still would have faced weeks of recovery and verification.

2. Modern Business Operations Are Highly Dependent on Technology

Every day of downtime equals massive revenue loss:

E-commerce: 100% of revenue depends on website functionality. One day offline = one day of zero revenue.

Manufacturing: Production lines halt without ERP and control systems. Each day offline = thousands of units not produced.

Professional services: Attorneys, accountants, consultants can't access client files, billing systems, or communication tools. Productivity drops to near-zero.

Healthcare: Can't access patient records, can't schedule appointments, can't process insurance claims. Emergency diversion costs patients and revenue.

Example—Online retailer: $15M annual revenue = $41,000 average daily revenue.

14-day cyber attack downtime:

  • Lost revenue: $574,000 (14 days × $41,000)
  • Continued fixed costs: $168,000 (still paying rent, utilities, salaries)
  • Customer acquisition to replace lost business: $89,000
  • Total BI cost: $831,000

Compare to ransom demand: $180,000. Even paying the ransom wouldn't have prevented significant business interruption because:

  • Systems would still need to be verified safe before resuming operations
  • Data integrity would need to be confirmed
  • Some systems would still need rebuilding
  • Customer trust would need to be restored

3. Recovery Takes Much Longer Than Expected

What businesses think: "We have backups, so we can be back online in 24-48 hours"

Reality: Full recovery typically takes 3-6 weeks

Why recovery takes so long:

Data restoration is just the beginning: Getting data back is only 30% of recovery. You must also:

  • Verify data integrity (is this data clean or did attackers corrupt it before encryption?)
  • Rebuild infrastructure (attackers often destroy core systems)
  • Reconfigure applications and dependencies
  • Test everything thoroughly (you can't afford to restore corrupted or backdoored systems)
  • Implement security improvements (you can't just restore to the vulnerable state that allowed the breach)

Skills shortage: You need specialized expertise (forensics, incident response, system rebuilding) immediately. These experts are scarce and expensive.

Complexity: Modern IT environments are complex (cloud + on-prem, SaaS applications, integrations, custom code). Rebuilding this complexity takes time.

Verification requirements: Cyber insurance, legal counsel, and regulatory compliance require extensive forensic investigation before you can resume normal operations. You must prove:

  • What data was stolen
  • Whether customer/employee data was compromised
  • Whether the environment is now secure
  • That you've addressed the vulnerabilities that allowed the breach

Real-world example: A law firm thought they could restore from backups and be operational in 48 hours.

Actual timeline:

  • Day 1-2: Realized backup server was also encrypted
  • Day 3-5: Retrieved off-site backups (tapes stored at secure facility)
  • Day 6-12: Rebuilt servers and infrastructure
  • Day 13-18: Restored data from tapes (slower than disk-based backups)
  • Day 19-25: Forensic investigation to determine what was stolen
  • Day 26-32: Testing and verification
  • Day 33: Partially reopened (limited operations)
  • Day 41: Fully operational

Downtime cost: $1.24M (lost billable hours + staff costs + client departures)

4. Cyber Insurance BI Coverage Often Has Gaps

Many businesses discover their cyber insurance business interruption coverage is inadequate:

Common BI sublimits and restrictions:

Time limits: Coverage only pays BI costs for 30-90 days, but full recovery often takes 45-60 days

Waiting period: First 8-24 hours of downtime aren't covered (deductible period)

Proof requirements: Must prove lost revenue with financial documentation, which can be difficult

Dependent business coverage limits: Limited coverage for BI caused by vendor/supplier outages

Contingent BI exclusions: May not cover BI from attacks on cloud providers or critical dependencies

Example—Manufacturer with $2M cyber insurance policy:

  • Business interruption sublimit: $500,000
  • Waiting period: 12 hours
  • Coverage period: 60 days

Actual attack impact:

  • Downtime: 38 days
  • Lost revenue: $2.1M
  • Continued fixed costs: $680,000
  • Total BI cost: $2.78M

Insurance paid:

  • Applied 12-hour waiting period: $46,000 not covered
  • Remaining BI cost: $2.73M
  • Subject to $500,000 sublimit
  • Insurance paid: $500,000

Out-of-pocket BI cost: $2.28M (82% of total BI cost)

The $2M policy limit was misleading—only $500,000 applied to the dominant cost component.

The Declining Ransom Payment Trend

While business interruption costs are rising, ransom payments are declining:

Ransom Payment Statistics 2025

Percentage of victims who paid ransom:

  • 2021: 58%
  • 2022: 48%
  • 2023: 41%
  • 2024: 37%
  • 2025: 34%

Average ransom payment (when paid):

  • 2021: $570,000
  • 2022: $540,000
  • 2023: $480,000
  • 2024: $390,000
  • 2025: $330,000

Why fewer victims are paying:

Better backups: Organizations have invested in immutable, off-site backups that attackers can't compromise

Law enforcement pressure: FBI and international agencies strongly discourage ransom payment and have successfully disrupted payment channels

Sanctions risk: Paying ransoms to sanctioned groups (many ransomware operators are based in sanctioned countries) creates legal liability

No guarantee: Even if you pay, you might not receive a functioning decryption key—or attackers may come back for more

Reputational risk: Paying ransoms is increasingly seen as funding criminal enterprises

Recovery improvements: Organizations have improved incident response and recovery capabilities, making it faster and cheaper to recover without paying

Insurance influence: Cyber insurers increasingly discourage or refuse to cover ransom payments

Why Ransom Payments Are Lower (When Paid)

Negotiation has improved: Organizations and their insurers have become sophisticated negotiators, paying 30-50% of initial demands

Competitive ransomware market: With more ransomware groups competing, attackers accept lower payments rather than risk victims refusing entirely

Cryptocurrency tracing: Law enforcement can increasingly trace crypto payments, creating recovery opportunities (and deterring some attackers)

Group disruptions: Major ransomware groups have been disrupted by law enforcement, fragmenting the market and reducing negotiating power

Four Strategies to Minimize Business Interruption Costs

Since BI now dominates cyber claim costs, risk management must prioritize business continuity:

Strategy 1: Implement True Immutable Backups

Not all backups are created equal: Attackers specifically target backup systems.

Backup types ranked by resilience:

Worst: Network-attached backups

  • Connected to production network
  • Attackers can access and delete/encrypt
  • Common failure in cyber attacks

Better: Off-site backups

  • Physically separate from production environment
  • Harder for attackers to access
  • Still vulnerable if connected via network

Best: Immutable backups

  • Once written, cannot be modified or deleted for retention period
  • Even admin credentials can't delete them
  • Attackers are powerless against truly immutable backups

Immutable backup technologies:

Cloud object storage with object lock: AWS S3 Object Lock, Azure Immutable Blobs, Google Cloud Retention Policy

  • Files locked for retention period (30-90 days typical)
  • Cannot be modified or deleted even by account administrators
  • Cost: ~$20-30 per TB per month

Purpose-built backup appliances: Commvault, Veeam, Rubrik, Cohesity with immutability features

  • Hardware-enforced immutability
  • Cannot be accessed via network protocols
  • Cost: $15,000-50,000+ depending on capacity

Offline/air-gapped: Physical media (tapes, drives) stored off-site with no network connectivity

  • Completely inaccessible to network-based attackers
  • Slower recovery but guaranteed protection
  • Cost: Storage facility fees + media costs
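An audit of the object-lock claim above, as an added example (not from the original article): on S3, "cannot be deleted even by account administrators" holds only when the bucket's default retention is in COMPLIANCE mode, so the check flags anything weaker. The bucket names and JSON are constructed, shaped like the output of `aws s3api get-object-lock-configuration`, and the 30-day minimum is an assumption taken from the low end of the retention range above.

```python
import json

# Constructed sample (bucket names are hypothetical). Each value is the JSON that
# `aws s3api get-object-lock-configuration --bucket <name>` prints, or null where
# the call failed because the bucket has no Object Lock configuration.
SAMPLE_EXPORT = json.loads("""
{
  "backup-prod-db": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 60}}}},
  "backup-fileshare": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
      "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 60}}}},
  "backup-erp": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}},
  "backup-mail": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
  "backup-legacy": null
}
""")


def retention_days(default_retention):
    """DefaultRetention carries either Days or Years, never both."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_bucket(config, min_days=30):
    """Return a list of findings; an empty list means the bucket passes."""
    lock = (config or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: backups can be deleted or overwritten"]
    default = lock.get("Rule", {}).get("DefaultRetention")
    if default is None:
        return ["no default retention: only objects uploaded with an explicit "
                "retain-until date are protected"]
    findings = []
    if default.get("Mode") != "COMPLIANCE":
        findings.append(f"{default.get('Mode')} mode: principals holding "
                        "s3:BypassGovernanceRetention can still delete versions")
    days = retention_days(default)
    if days < min_days:
        findings.append(f"retention {days}d is below the {min_days}d minimum")
    return findings


def audit(export, min_days=30):
    """Audit every bucket in the export; min_days is an assumed policy floor."""
    return {name: audit_bucket(cfg, min_days) for name, cfg in sorted(export.items())}


if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_EXPORT).items():
        print(f"{bucket}: {'OK' if not findings else '; '.join(findings)}")
```

Setting `min_days` above the longest dwell time you plan for (the article cites 30-90 days) keeps at least one pre-intrusion restore point inside the locked window.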

Real-world example: A financial services firm implemented AWS S3 Object Lock for backups with 60-day retention.

Ransomware attack results:

  • Production systems encrypted
  • On-site backup server encrypted
  • Cloud backups untouched (immutable)

Recovery:

  • Restored from cloud backups
  • Downtime: 6 days (infrastructure rebuild + data restoration + verification)
  • BI cost: $340,000 (vs. $1.2M+ typical)
  • Ransom demanded: $680,000 (not paid)

The immutable backups saved $840,000+ in avoided ransom and reduced BI costs.

Strategy 2: Create a Cyber Crisis Response Plan

Most organizations have incident response plans but lack business continuity focus.

Essential components of cyber crisis response:

1. Business continuity alternatives:

  • How can core business functions operate without primary systems?
  • Manual workarounds for critical processes
  • Alternative systems or locations
  • Vendor relationships for emergency capacity

Example—Healthcare provider:

  • Primary: Electronic health records system
  • Backup: Paper-based charting procedures (supplies pre-positioned, staff trained)
  • Alternative: Partner hospital's EHR system (mutual aid agreement)
  • Emergency: Temporary cloud-based EHR deployment (vendor on retainer)

2. Communication protocols:

  • Internal: How to reach all employees when email is down
  • Customers: How to notify customers of service disruption
  • Partners/suppliers: Notification to supply chain
  • Media/public: Crisis communications messaging

3. Decision authority:

  • Who decides whether to pay ransom?
  • Who authorizes bringing systems back online?
  • Who determines when to notify law enforcement?
  • Who manages customer communications?

4. Vendor relationships:

  • Incident response firm (pre-contract for immediate engagement)
  • Forensic specialists
  • Crisis PR firm
  • Legal counsel specializing in cyber incidents
  • Temporary IT infrastructure providers

5. Financial preparedness:

  • Access to cash (cyber attacks may freeze banking access)
  • Insurance contact information (immediate notice to cyber carrier)
  • Board/owner authorization for emergency spending

6. Testing and training:

  • Quarterly tabletop exercises simulating cyber attacks
  • Annual full recovery test (restore from backups in non-production environment)
  • Employee training on crisis procedures

ROI of crisis planning: Organizations with tested cyber crisis plans recover 40-60% faster and at 35-50% lower cost than those without plans.

Strategy 3: Implement Cyber-Resilient Architecture

Design IT systems to maintain critical functions even during attacks:

Segmentation: Isolate critical systems so compromise of one doesn't cascade to everything

  • Separate networks for production, backup, development, guest
  • Firewall rules limiting communication between segments
  • Zero-trust architecture requiring authentication for all access

Redundancy: Critical systems should have failover capabilities

  • Multiple data centers or cloud regions
  • Redundant suppliers (don't depend on single cloud provider)
  • Alternative communication channels

Rapid recovery priorities: Identify critical systems requiring fastest recovery

  • Tier 1: Must be online within 4 hours (e.g., e-commerce site, manufacturing control systems)
  • Tier 2: Must be online within 24 hours (e.g., email, office productivity)
  • Tier 3: Needed within 72 hours (e.g., reporting systems, archives)
  • Tier 4: Can wait 5-7 days (e.g., development environments, testing systems)

Simplified dependency mapping: Document what each system depends on

  • Application dependencies (what other systems does this need to function?)
  • Data dependencies (what databases, files, configurations?)
  • Network dependencies (what connectivity is required?)
  • This mapping accelerates recovery (you know what to restore first and in what order)
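The recovery tiers and dependency map described above, combined into a restore plan, as an added example (not from the original article). It orders systems so that dependencies come up first and flags tier inversions, where a Tier 1 system relies on something assigned a slower tier. The inventory and system names are constructed, and Tier 4's "5-7 days" is taken as 7 days.

```python
import heapq
from graphlib import TopologicalSorter

# Hours allowed per tier, from the tier list above (Tier 4 assumed to be 7 days).
TIER_RTO_HOURS = {1: 4, 2: 24, 3: 72, 4: 168}

# Constructed inventory, hypothetical names: system -> (declared tier, dependencies)
SYSTEMS = {
    "storefront":       (1, ["payment-api", "product-db", "active-directory"]),
    "payment-api":      (1, ["product-db", "dns"]),
    "product-db":       (1, ["san-storage"]),
    "san-storage":      (1, []),
    "dns":              (1, []),
    "active-directory": (2, ["dns"]),
    "email":            (2, ["active-directory", "dns"]),
    "reporting":        (3, ["product-db"]),
    "dev-environment":  (4, ["active-directory"]),
}


def _graph(systems):
    """Map each system to its dependencies, rejecting undocumented ones."""
    for name, (_, deps) in systems.items():
        missing = [d for d in deps if d not in systems]
        if missing:
            raise ValueError(f"{name} depends on undocumented systems: {missing}")
    return {name: deps for name, (_, deps) in systems.items()}


def tier_inversions(systems):
    """Pairs (system, dependency) where the dependency is declared slower."""
    return sorted((name, dep) for name, (tier, deps) in systems.items()
                  for dep in deps if systems[dep][0] > tier)


def effective_tiers(systems):
    """A dependency must recover as fast as its most urgent dependent."""
    eff = {name: tier for name, (tier, _) in systems.items()}
    order = list(TopologicalSorter(_graph(systems)).static_order())  # deps first
    for name in reversed(order):        # dependents before their dependencies
        for dep in systems[name][1]:
            eff[dep] = min(eff[dep], eff[name])
    return eff


def restore_order(systems):
    """Dependency-safe restore sequence, most urgent ready system first."""
    eff = effective_tiers(systems)
    sorter = TopologicalSorter(_graph(systems))
    sorter.prepare()                    # raises CycleError on circular dependencies
    ready, order = [], []
    while sorter.is_active():
        for name in sorter.get_ready():
            heapq.heappush(ready, (eff[name], name))
        _, name = heapq.heappop(ready)
        order.append(name)
        sorter.done(name)
    return order


if __name__ == "__main__":
    eff = effective_tiers(SYSTEMS)
    for system, dep in tier_inversions(SYSTEMS):
        print(f"{dep}: declared {TIER_RTO_HOURS[SYSTEMS[dep][0]]}h, but {system} "
              f"needs it within {TIER_RTO_HOURS[eff[dep]]}h")
    print(" -> ".join(restore_order(SYSTEMS)))
```

In the sample, the authentication system is declared Tier 2 but the Tier 1 storefront cannot start without it, so its real recovery target is 4 hours.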

Example—E-commerce company architecture:

Before resilient redesign:

  • Single cloud region
  • All systems interconnected
  • Shared authentication/authorization
  • Monolithic database

Attack impact: Ransomware spread to all systems within 4 hours, complete business shutdown for 18 days.

After resilient redesign:

  • Multi-region cloud deployment (primary + hot standby)
  • Network segmentation (website / payment / admin / backup each isolated)
  • Separate authentication systems for critical tiers
  • Database replication to isolated environment

Same attack on new architecture:

  • Ransomware compromised admin environment
  • Critical customer-facing systems isolated and unaffected
  • Failed over to standby region
  • Downtime: 8 hours (investigation + failover)
  • BI cost: $22,000 (vs. $740,000 with old architecture)

Strategy 4: Optimize Cyber Insurance BI Coverage

Don't accept standard cyber insurance BI terms—negotiate better coverage:

What to request:

Higher BI sublimits: BI sublimit should equal 6-12 months of revenue (not just a percentage of overall policy limit)

  • Standard: $500K BI sublimit in $2M policy
  • Better: $3M BI sublimit (match actual BI exposure)

Longer coverage period: 90-120 days (not 30-60 days)

  • Modern attacks take 45-60 days to fully recover
  • Standard 60-day limit often expires before recovery is complete

Shorter waiting period: 4-8 hour waiting period (not 12-24 hours)

  • Every hour counts for businesses with high revenue per hour
  • Or negotiate aggregate waiting period rather than per-incident

Dependent business / contingent BI coverage: Full policy limits (not sublimited)

  • Your supplier/vendor getting attacked can shut you down
  • Standard policies heavily sublimit this coverage

Broader trigger: BI coverage triggered by any cyber event (not just ransomware)

  • DDoS attacks, system failures, cloud provider outages should trigger coverage
  • Some policies only cover BI from specific attack types

Extra expense coverage: Costs to minimize BI should be covered generously

  • Paying overtime for recovery
  • Expedited shipping for replacement equipment
  • Temporary cloud infrastructure
  • Emergency contractor fees

Real-world example: A manufacturing company negotiated enhanced cyber BI coverage:

Standard policy quoted:

  • $2M total limit
  • $500K BI sublimit
  • 12-hour waiting period
  • 60-day coverage period
  • Cost: $28,000

Negotiated policy:

  • $3M total limit
  • $2M BI sublimit
  • 4-hour waiting period
  • 90-day coverage period
  • Contingent BI at full limits
  • Cost: $36,000 (+$8,000)

Cyber attack in month 8:

  • Downtime: 42 days
  • BI cost: $1.68M

Standard policy would have paid: $488,000 (after 12-hour waiting period, capped at $500K, limited to 60 days)

Enhanced policy paid: $1.64M (after 4-hour waiting period, higher sublimit, 90-day coverage)

Additional coverage: $1.15M

Additional premium cost: $8,000

ROI: 14,375% in this incident (obviously not typical but demonstrates value)

The Future: Business Interruption Will Dominate Even More

Expect business interruption to account for 50-60% of cyber claim costs by 2027-2028:

Why BI costs will continue rising:

Business technology dependency increasing: More business processes digitized, making downtime more costly

Attacker sophistication improving: AI-powered attacks will create even longer recovery times

Critical infrastructure targeting: Attacks on supply chain, cloud providers, utilities create cascading BI impacts

Regulatory requirements: Data breach notification, forensic investigation, regulatory cooperation extend downtime

What this means for businesses:

Traditional cyber defenses aren't enough: Preventing attacks is important but assume some will succeed

Business continuity is paramount: Ability to operate during/after attacks determines survival

Cyber insurance BI coverage is critical: Most important component of cyber policies going forward

Recovery speed is competitive advantage: Organizations that recover in days (not weeks) retain customers and market share

Taking Action: BI-Focused Cyber Risk Management

Five actions for the next 30 days:

  1. Test your backups: Actually restore critical systems from backups in test environment. Measure how long it takes. Identify gaps.

  2. Calculate your BI exposure: How much revenue do you lose per day/week of downtime? What fixed costs continue? This is your BI exposure.

  3. Review your cyber insurance BI coverage: What are the sublimits, waiting periods, time limits? Does coverage match your actual exposure?

  4. Create/update cyber crisis response plan: Specific procedures for maintaining critical business functions during extended outages.

  5. Identify and implement cyber-resilient architecture improvements: What are single points of failure? What segmentation would limit attack spread? What redundancy is worth the cost?

The uncomfortable truth: You will likely experience a cyber incident. The question isn't "if" but "how quickly you recover" and "how much it costs." Organizations that prioritize business continuity and rapid recovery will survive and even thrive. Those that focus solely on prevention and hope they never get attacked will face catastrophic business interruption costs when—not if—attacks succeed.


Concerned about business interruption from cyber attacks? Understanding your revenue exposure to downtime and implementing resilient systems that maintain operations during attacks requires both cybersecurity expertise and business continuity planning. Modern cyber risk management combines technology defenses, backup strategies, crisis planning, and insurance coverage to protect your business's ability to operate—not just your data.

Sources: Corvus Insurance Cyber Claims Report 2025, Coalition Cyber Threat Index, Sophos State of Ransomware 2025, Verizon Data Breach Investigations Report