RSAC 2026: Cyber Insurance and the Growing Threat of Ransomware

At the RSAC 2026 Conference, John Kindervag delivered a thought-provoking session that drew parallels between historical crimes and modern cyber threats, particularly focusing on the implications of cyber insurance. His assertion captured attention: the existence of life insurance has historically provided a financial incentive for heinous acts like murder, suggesting that a similar dynamic is emerging with ransomware in the digital age. As Kindervag, an esteemed figure known as the architect of the zero-trust security model and currently serving as chief evangelist at Illumio, pointed out, this evolution highlights a troubling trend where financial motives intensify age-old crimes.

Ransomware, he noted, has undergone a dramatic transformation since its inception. The genesis of this cyber menace can be traced back to 1989 when an evolutionary biologist, Joseph L. Popp, distributed floppy disks containing malicious software disguised as legitimate research tools at a World Health Organization AIDS conference. Once installed, this malware, known as the AIDS Trojan, lay dormant until triggered by a set number of system reboots, ultimately locking users out of their computers unless a payment of $189 was sent to a P.O. box in Panama. In the decades since, ransomware threats have evolved from simple files being renamed or held hostage to complex systems utilizing asymmetric encryption, increasingly sophisticated distribution methods, and aggressive extortion tactics involving stolen data.

As the 2020s unfolded, ransomware schemes reached unprecedented levels of sophistication. Cybercriminals began employing advanced technologies that enabled extensive data theft and digital extortion from highly secured government agencies and prominent global enterprises. With the rise of the internet and electronic storage, the cyber insurance industry suddenly found itself in the spotlight, paralleling businesses’ increasing dependence on digital environments and the accompanying threats.

The early days of cyber insurance were characterized by limited coverage options. By the late 1990s, insurers began offering the first comprehensive cyber policies that covered damages from hacker-related breaches. Over the years, the industry significantly matured, diversifying its offerings to encompass breach notification, regulatory defense, and ransomware negotiation, among others. According to Kindervag, the growth of the market has been exceptional, ballooning by nearly 40 times in two decades to a current valuation of approximately $21 billion.

Ransomware incidents reportedly constituted over 90% of total losses recorded in the first half of 2025, as highlighted in the “Resilience 2025 Midyear Cyber Risk Report.” This alarming statistic underscores what Kindervag discerned in conversations with cyber insurance executives: both insurance companies and ransomware perpetrators operate with financial profit in mind. One executive candidly admitted, “I could deny every claim. I’m not going to do that, because all I have to do is make sure I’m making more money than I’m paying out.” This admission points to a business model in which the profitability of selling ransomware policies is prioritized over transferring risk to ensure clients remain covered.

For many companies, ransomware has become ingrained in the cost of doing business. Over a five-year period, payments made by businesses to recover their data surged from approximately $39 million in 2018 to an eye-watering $813 million in 2023. Insurance companies maintain careful oversight, typically striving to manage the policyholder base and limit the extent of specific perks included in coverage. By doing so, the practice of insuring against ransomware becomes viable even against the backdrop of rising costs.

Kindervag noted a concerning trend where cybercriminals have grown more calculating and pragmatic. With a firm understanding of how much insurance companies are willing to pay, these criminals often skip the negotiation phase altogether. They approach victims with a straightforward question: “How much are you insured for?” Their aim is to collect on amounts that align with the policies in play rather than inflating demands, attuning to what they see as a fair exchange—a reflection of their own understanding of business.

This new paradigm extends to some ransomware operations, exemplified by the HardBit ransomware, whose ransom notes openly inquired about potential insurance coverage. Remarkably, Kindervag noted a significant trend: victims with insurance were reported to pay nearly 2.8 times more in ransom than those who had none, making it evident that the existence of coverage inadvertently encouraged higher demands.

Despite the evident financial models moving within this ecosystem, Kindervag did not absolve enterprises of accountability. He stressed that poor security policies often exacerbate vulnerabilities enabling ransomware attacks. When security practices lack visibility or fundamental safeguards, they lead to prolonged dwell times for attackers. By the time companies realize their data is compromised, they face major consequences. “This is the end of the chain. You failed at the beginning with policy,” he articulated, delivering a stark reminder to prioritize robust cybersecurity measures over merely relying on insurance as a safety net.

Kindervag’s insights serve as a call to action for organizations navigating this perilous landscape, urging them to adopt preventive measures linked to sound policy frameworks rather than viewing insurance payouts as an ultimate safeguard against cyber threats. The confluence of financial motives in both cyber insurance firms and ransomware actors creates a landscape that necessitates proactive, comprehensive approaches to information security.
