According to a survey report released yesterday, not only are most North American businesses still not buying cyber insurance, but those that are don’t buy enough limit to cover last year’s median ransom demand.

Summarizing the results of a poll of 450 IT and cybersecurity decision makers in the U.S. and Canada, security software provider Blackberry and cyber MGA Corvus reported that just 55 percent of respondent said they currently have cyber insurance.

In addition, just 19 percent of respondents said they had a coverage limit above $600,000, which the two firms say is the median ransomware demand amount for 2021.

For small businesses—those with 1,500 employees—that percentage falls to 14 percent.

Half of the small business respondents said they hope the government will offer financial aid to organizations hit by ransomware attacks.

But even those numbers don’t tell the whole story, according to a BlackBerry blog post summarizing the results, revealing that some respondents don’t even have coverage for ransomware under this cyber insurance policies. In fact, 37 percent of respondents who do buy cyber insurance do not have coverage for ransomware payment demands included.

The report also notes that increased requirements from insurance carriers have made insurance harder to obtain for some buyers seeking coverage, with more than one-third (34 percent) of respondents saying they have been denied coverage due to not meeting specific Endpoint Detection and Response (EDR) software requirements.

Still, the increased requirements may be having a real impact on reducing ransom payouts, according to Corvus.

“In our portfolio alone, we’ve seen a 50 percent reduction in the ratio of ransom demands that end up being paid,” said Corvus Chief Technology Office Vincent Weafer in a media statement. “Better software adoption is a critical element in better positioning organizations to stand up to attackers,” he said.