The Dutch Digital Trust Center (DTC) has revealed that cybercriminals are strategically demanding higher ransoms from organizations with cyber insurance coverage. According to their findings, insured companies paid nearly three times more in ransoms compared to uninsured businesses.

Research Findings Expose Strategic Targeting

On April 14, 2025, the Netherlands’ DTC announced that cybercriminals are increasingly aware of their targets’ insurance status and adjusting their ransom demands accordingly. This announcement stems from PhD research conducted by Tom Meurs, a cybercrime specialist with the Dutch National Police, who analyzed over 500 incidents occurring between 2019 and 2023.

Is Cyber Insurance Actually Increasing Risk?

The research demonstrates that cybercriminals have become more sophisticated and strategic in both target selection and ransom pricing. The study revealed that companies with cyber insurance paid an average of 2.8 times more in ransom payments than those without coverage.

How Attackers Discover Insurance Status

Meurs points out a concerning trend: “After gaining network access, attackers actively search for files containing keywords like ‘insurance’ or ‘policy.’ This gives them advantageous information during negotiations, enabling them to demand significantly higher ransoms.”

Effective Countermeasures: The Power of Proper Backups

The research highlighted the critical importance of robust backup systems as a defense against ransomware attacks. Organizations with properly implemented backup solutions were 27 times less likely to need to pay ransoms compared to those without adequate backup protocols.

However, the research cautions that attackers typically attempt to destroy backups after infiltrating systems. For this reason, offline backups with restricted network access prove most effective against these threats.

Industry-Specific Targeting Patterns

The study revealed distinct patterns in how different sectors are targeted:

  1. Commercial sector (wholesale/retail): 32.6% of attacks, average ransom of €112,793
  2. Construction industry: 17.9% of attacks
  3. ICT sector: 14.7% of attacks, but with significantly higher average ransoms of €268,039

Analysis of communications on dark web markets confirmed that attackers deliberately target industries with greater financial resources and payment capabilities.

Dutch Government’s Position on Ransom Payments

The DTC and Dutch government do not recommend paying ransoms for several reasons:

  • Payment doesn’t guarantee data restoration
  • Companies face increased risk of repeat attacks
  • Police reports indicate ransom payments often fund the acquisition of credentials for future targets

The Reality of Limited Options

Despite official recommendations, many organizations find themselves with few alternatives. The study found that in approximately 95 out of 100 cases where ransoms were paid, the victims’ IT infrastructure had been completely compromised, leaving no other recovery options. In the remaining cases, companies chose to pay despite having alternatives, prioritizing rapid recovery and reputation management.

Recommended Preventive Measures

The research and DTC recommendations emphasize that organizations must implement their own preventive measures, including:

  • Implementing multi-factor authentication (MFA)
  • Conducting regular security awareness training for employees
  • Strengthening attack detection capabilities
  • Physically or logically isolating backup systems
  • Keeping insurance information confidential

Additionally, establishing early warning systems through collaboration with government agencies and industry groups is crucial for detecting suspicious activities before they escalate into full-scale attacks.
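As an illustration of the detection measure above, the following added example (not part of the DTC publication or the research) flags process command lines in which a file-search utility is run with the keywords the article quotes. It assumes process-creation events are already collected as JSON lines; the field names, the tool list, the benign-token list and the sample events are all constructed for the example.

```python
import json
import re

# Keywords quoted in the article; add local-language terms as needed.
KEYWORDS = re.compile(r"insurance|policy", re.IGNORECASE)
# File-search utilities to watch (assumed list, not from the article).
SEARCH_TOOLS = re.compile(
    r"\b(findstr|select-string|get-childitem|dir|grep|find)\b", re.IGNORECASE)
# Routine admin tokens that contain "policy"; stripped before keyword matching
# so they neither raise false positives nor hide a real search on the same line.
BENIGN = re.compile(r"executionpolicy|grouppolicy|gpresult|gpupdate", re.IGNORECASE)

# Constructed process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2025-04-14T09:01:12Z", "host": "FS01", "user": "svc_backup", "cmd": "findstr /s /i /m insurance \\\\fs01\\finance\\*.pdf"}
{"ts": "2025-04-14T09:02:40Z", "host": "FS01", "user": "svc_backup", "cmd": "powershell -ExecutionPolicy Bypass -Command \"Get-ChildItem -Recurse D:\\ | Select-String policy\""}
{"ts": "2025-04-14T09:05:03Z", "host": "WS22", "user": "alice", "cmd": "powershell -ExecutionPolicy RemoteSigned -File C:\\scripts\\find-stale.ps1"}
{"ts": "2025-04-14T09:07:55Z", "host": "WS07", "user": "bob", "cmd": "dir C:\\Users\\bob\\Documents"}
"""

def keyword_hunts(lines):
    """Return events where a search utility is run with an insurance-related term."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        cleaned = BENIGN.sub("", event["cmd"])
        if SEARCH_TOOLS.search(event["cmd"]) and KEYWORDS.search(cleaned):
            hits.append(event)
    return hits

def summarize(hits):
    """Count hits per (host, user) so repeated hunting by one account stands out."""
    counts = {}
    for h in hits:
        key = (h["host"], h["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    hits = keyword_hunts(SAMPLE_EVENTS.splitlines())
    for (host, user), n in summarize(hits).items():
        print(f"ALERT {host} {user}: {n} insurance-keyword searches")
```

A rule like this only sees searches that are launched as separate processes with the keyword on the command line, so it complements rather than replaces keeping insurance documents off shared storage.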

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape