Payment of ransom under a cyber insurance policy: freedom of contract, or void for being contrary to public order or public morals?
Legal Development, 16 April 2026
The fundamental principle in Dutch private law – and therefore also in insurance law – is freedom of contract. However, this freedom has its limits. For instance, Article 3:40 of the Dutch Civil Code (DCC) stipulates that legal acts that are contrary to the law, public order (‘openbare orde’) or public morals (‘goede zeden’) are void. In this context, there has been a long-standing debate over whether insuring fines is permitted.
There now appears to be broad consensus on the uninsurability of criminal fines. The outcome is more nuanced when it comes to administrative fines, including GDPR fines. Against this background, the question arises as to whether – and if so, to what extent – a parallel can be drawn with the insurance of a ransom payment under a cyber insurance policy.
That comparison is not entirely apt. There are fundamental differences between the payment of an administrative fine and a ransom payment. An administrative fine is imposed by an administrative body as a sanction for, for example, a breach of the GDPR. A ransom payment, on the other hand, is the result of a cyberattack in which authorised users are denied access to their systems and data, and data is effectively ‘held hostage’. Furthermore, an administrative fine involves a legally enforceable payment obligation. Although a ransom payment is made under pressure, it remains voluntary to a certain extent: payment is not a legal obligation. These differences mean that the comparison with (administrative) fines is not persuasive and, at least in this respect, supports the insurability of ransom payments under cyber insurance policies.
However, this does not mean that the insurability of ransom payments is entirely beyond dispute.
On 27 February 2026, MPs Kathmann and Mutluer put parliamentary questions to the State Secretary for Economic Affairs and Climate and the Minister of Justice following the news item “Hackers blackmail Odido after data breach and demand a million euros in ransom”. The response of 8 April 2026 emphasises, among other things, the following:
“The government’s urgent advice remains: do not pay the ransom. Paying a ransom offers no guarantee that criminals will restore access to systems or refrain from selling stolen data to other criminals. Moreover, paying a ransom perpetuates the criminals’ business model. And may thereby provoke new attacks on Dutch organisations.”
At the same time, the government has indicated that it does not intend to introduce a legal ban on paying ransoms for the time being:
“There may be a tension between the interest of an individual victim in limiting damage in the short term and the broader societal interest in reducing the total number of (potential) victims and not perpetuating criminals’ business model. As long as this tension cannot be resolved unequivocally, it is – as in most EU countries – strongly advised not to pay ransoms, rather than imposing a legal ban.”
It follows that the payment of a ransom is not currently contrary to the law. However, Article 3:40 of the DCC refers not only to contravention of the law, but also to contravention of public order and public morals. It is precisely these concepts that touch upon the broader societal interest emphasised by the government to limit the number of victims and not to facilitate the business model of cybercriminals.
Against this background, two questions must be distinguished: (1) the permissibility of a ransom payment by the affected organisation in the specific case, and (2) the permissibility of insuring/reimbursing that ransom sum under cyber insurance. That distinction matters, because whilst the answers to the parliamentary questions (which relate exclusively to question 1) focus on the case-by-case assessment by the affected organisation in response to a specific incident, the permissibility of insuring the ransom sum concerns an ex ante choice, namely to provide cover in advance for the scenario in which a cyber incident results in a demand for ransom. That pre-emptive nature may carry greater weight in the assessment under Article 3:40 of the DCC than the assessment of a payment in a single specific incident.
This is where the tension arises. In this context, it is relevant to briefly consider the concepts of ‘public order’ and ‘public morals’. Public order is understood to mean the set of fundamental norms and principles necessary for the functioning of Dutch society. The content of public morals is informed by views grounded in broad social consensus, assessed by reference to objective anchors.
For the assessment under Article 3:40 of the DCC, the interpretation of ‘public morals’ (social acceptability) is particularly relevant. The answers to the parliamentary questions reveal two objective anchors: (i) the strong advice not to pay a ransom, and (ii) the absence of a legal prohibition (partly so as not to criminalise victims). These anchors form part of the framework within which both the payment and insurability must be assessed. With regard to insurability, the ‘public morals’ test is more likely to give rise to debate – precisely because of its ex ante nature (as described above). The mere fact that the payment of a ransom by the affected organisation is not prohibited by law does not (yet) mean that the insurance of that payment is necessarily permissible.
In this context, we (1) do not consider the ransom payment by the affected organisation likely to be void on the grounds of contravening public order or public morals, although we note that the strong advice not to pay the ransom does influence social acceptability. In light of the societal importance, emphasised in the response to the parliamentary questions, of not perpetuating the criminal business model, the issue of (2) insuring or reimbursing ransom payments is more nuanced. If governmental disapproval persists over time and (potentially) develops into a broader social consensus (and/or further norm-setting), cover for ransom payments becomes more vulnerable under Article 3:40 of the DCC. In anticipation of this, it may be worthwhile to structure cover for ransom payments not as a generic payment guarantee, but as an instrument for damage limitation and recovery. Depending on the current policy wording and structure, this may require a (substantial) repositioning and/or tightening of the cover and of claims governance. If anticipating potential societal developments is not desirable and the cover explicitly relates to the ransom payment itself, we believe it is important that the ex ante decision to make payment available is formulated with sufficient caution (for example, as a last resort, with strict conditions and limits and demonstrable decision-making).
In short: at present, a payment or the cover offered under cyber insurance would not (yet) readily lead to nullity. However, it remains important to continue to critically review the scope of cover, as the normative framework surrounding ransom payments is evolving. After all, the answers to the parliamentary questions underline that the tension between individual damage limitation and the public interest is explicitly recognised, whilst views on the acceptability of ransom payments (and thus the interpretation of ‘public morals’) may shift.