4 Tips to Safeguard Cyber Policies From Cybercriminals

By Jason Vitale

When cyberattackers gain access to a business’s systems, they’re after one of two things: files to encrypt now or files to use as leverage later, possibly to force the organization to pay a ransom to prevent further malicious activity. An attacker’s leverage is information they glean from any source, including a business’s cyber insurance policy.

A cyber insurance policy may seem like an odd target for hackers, but it holds a treasure trove of information. If cybercriminals gain access to coverage details, it can shift the balance of power in their favor, making ransom demands more calculated, negotiations more difficult and outcomes more costly.

The policy provides attackers with insider knowledge of a business’s coverage amount, the types of services or vendors covered, how the claims process might unfold, indications of the business’s willingness to pay a ransom, and potential responses during a ransom negotiation. With these details, bad actors can customize their attacks, pricing strategy and demands to maximize the likelihood of a larger ransom payment.

For example, if a policy covered up to $1 million in ransom payments, attackers could demand a ransom just low enough to feel reasonable compared to a long recovery process, operational downtime and reputational damage. Attackers can also use policy details to wage psychological warfare, weaponizing information to throw businesses off, spread misinformation and insist that payment is the best choice.

Targeting cyber insurance policies is not a new play; it first made headlines in 2021 after the leak of training material used by Conti ransomware affiliates.

As threat actor groups continue to pursue this tactic, businesses must take proactive steps to protect their policies. Here are four steps businesses can take to reduce their risk:

1) Treat cyber insurance policies like any other confidential financial document. Ransomware attackers often move laterally across systems in search of valuable data. This makes storing policies on open or shared cloud drives, like Google Drive or Microsoft SharePoint, particularly risky. Instead, cyber insurance policies should be stored in secure systems with strict access controls, just like any other highly sensitive document.

A document management system with permission-based access would work best, and, for an added layer of security, endpoint detection and response (EDR) tools can be set up to monitor for and alert on suspicious behavior.

It’s not recommended to keep unencrypted copies on laptops, in email inboxes or on local servers. If an unencrypted policy needs to be transmitted by email, a best practice is to archive the email in an encrypted, offline location and delete the original.
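One way to check a file server or laptop for the stray copies described in this step, as an added example that is not part of the original article: it walks a directory tree and flags policy documents that are readable beyond their owner or stored as unencrypted PDFs. The filename keywords, the POSIX permission model and the sample files are assumptions; cloud drives such as SharePoint use their own sharing settings, which this does not inspect.

```python
import os
import stat
import tempfile

# Assumed filename keywords; adjust to how your organization names the policy.
KEYWORDS = ("cyber", "insurance")

def looks_like_policy(name):
    lower = name.lower()
    return all(k in lower for k in KEYWORDS)

def pdf_is_encrypted(path):
    # Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer.
    with open(path, "rb") as fh:
        return b"/Encrypt" in fh.read()

def audit_policy_copies(root):
    """Return (relative path, [issues]) for each risky policy copy under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not looks_like_policy(name):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            issues = []
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                issues.append("readable beyond owner")
            if name.lower().endswith(".pdf") and not pdf_is_encrypted(path):
                issues.append("unencrypted PDF")
            if issues:
                findings.append((os.path.relpath(path, root), issues))
    return sorted(findings)

def build_sample_tree(root):
    # Constructed sample files for the demo, not real documents.
    samples = {
        "shared/Cyber_Insurance_Policy_2024.pdf": (b"%PDF-1.7\ntrailer<< /Root 1 0 R >>", 0o644),
        "vault/cyber-insurance-policy.pdf": (b"%PDF-1.7\ntrailer<< /Encrypt 5 0 R >>", 0o600),
        "shared/lunch-menu.pdf": (b"%PDF-1.7\n", 0o644),
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, issues in audit_policy_copies(tmp):
            print(path, "->", ", ".join(issues))
```

Any finding is a copy to move into the access-controlled store or delete; the `/Encrypt` test only confirms that PDF encryption is present, not that the password is strong.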

2) Limit policy access to essential personnel. Similar to how only a few people in a business need access to banking statements or IT admin permissions, not everyone needs to have the details of the business’s cyber insurance policy within reach.

Generally, the policy should only be available to legal, finance, IT, security and senior leadership teams. If an outside vendor or board member needs to access it, the business should share a time-limited, password-protected version using encrypted email or a secure file-sharing portal, with instructions to download and save it in an encrypted format.

By limiting who can view or share the policy, businesses can reduce the number of points at which it could be leaked or intercepted and prevent any accidental exposure.

3) Offline policy backups should be part of incident response. During ransomware attacks, bad actors can encrypt internal systems or take them offline. As part of their incident response plan, businesses should share clean, off-network copies of their cyber policy with their managed service provider, insurance brokers and outside legal counsel so it can still be accessed when needed. Similarly, including the contact information for the business’s cyber insurance provider and key employees in the incident response plan is beneficial if the situation escalates.

4) Employee education can help reduce exposure. A best practice for businesses is to deploy cybersecurity training across their organizations. Most of the time, the training focuses on using a password manager with complex and unique passwords for each login location, being wary of unusual emails and knowing how to report suspicious activity.

For key employees across finance, legal and IT, training should also encourage them to handle cyber insurance policies with the same level of caution they use with sensitive customer data or internal financials.

However, not many small and midsize businesses are aware of the risks posed by an unsecured cyber policy to their organizations. Independent insurance agents play an essential role in supporting organizations by guiding them through policy selection, potential claims and proactive risk mitigation. The trusted relationships agents have built with policyholders mean they can call attention to the resources and tools available to increase awareness, protect policy information, reduce risk and improve overall cyber hygiene.

Jason Vitale is an incident response lead at Coalition Incident Response.