It's difficult to see how $2,000,000 worth of insurance coverage would ever pay out more than $100,000 unless you were the victims of multiple crimes at once. I'm not an insurance broker...but after reading over 1,000 pages of policies in Q1 of 2023 that's my impression. You should review your policy with your insurance broker and IT team to make sure you understand it.
There are lots of new limits on limits appearing in policies. For example, Fraudulent Instruction Loss has been around for a while but it has a new limit. Funds where your company acted as the custodian may now be excluded. If your payroll was redirected, it's not clear you'd get it back. It does seem clear that taxes you withheld wouldn't be paid.
There seems to be much more effort put into reasons an insurance company would never pay a ransom. In one policy, payment could not be made if it caused issue with "any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the European Union, United Kingdom or United States of America." Even if you don't operate in foreign countries their future laws might diminish your insurance coverage.
If you're attacked by a bad actor with ties to a anyone "designated by any government as a terrorist or terrorist group," your ransom won't be paid. The US Justice department, FBI and a host of other agencies designate groups as terrorists on a regular basis.
Check our our Cyber Security Guide to find out more or to submit a question. You ask . We answer.