Cyberattacks and data breaches are the stuff of corporate and government nightmares. Headline-making hacks, like the recent attacks by a variant of ransomware program Petya, which infected thousands of computers worldwide, even managed to force FedEx to temporarily halt trading its shares this week.

But for some businesses, there is an upside to the increasing focus on cybersecurity. Insurance companies have found a lucrative new revenue stream in providing cyberattack insurance to the corporate world. Cyber insurance costs companies an estimated $3.25 billion a year in premiums. That number is expected to grow to a staggering $20 billion in premiums by 2025, according to insurance provider Allianz SE.

“Basically, cyber liability is a form of an insurance policy that has been created specifically for cyber events, which can range from hacking to data breach. It could be somebody like an employee can steal data from your computer or hardware or it can range up to hacking and other events,” Smita Bhargava, vice president of programs and special risk for insurance company Clements, explained to Marketplace Tech.

Data breaches, ransom demands and other security issues from hacking cost businesses an estimated $1.5 billion in 2016, according to the Insurance Information Institute, an insurance trade group. Just this past year, in addition to ransomware program Petya, another ransomware program, WannaCry, managed to infect computers in over 150 countries this May.

“It is interesting, what happened with the last two, the big ones, is that is wasn’t just a cyber liability policy that could have responded,” Bhargava said. “It was more of a kidnap and ransom policy, which has a cyber extortion extension, that could have paid for such expenses,” Bhargav said.

Kidnapping and ransom have moved from the physical world into the cyber world. In both recent ransomware attacks, the programs froze computers, demanding bitcoin payment from owners in exchange for getting use of their computer back.

“People think it’s kidnap and ransom, so they rule it out, but these types of policies also have cyber extensions,” explained Bhargava.

After all, just because the subject of the kidnapping is data and the ransom is demanded by code, does not make it any less real. Many international corporations already have traditional kidnapping and ransom insurance policies in place to protect staff that might travel to dangerous parts of the world. Making sure those policies have a cyber extension to pay for losses from ransomware attacks like WannaCry or Petya can be a logical next step.

As Bob Parisi, a cyber product leader for insurance broker Marsh, told Reuters, “If your CFO gets kidnapped, the company is going to continue to function. If you get a piece of malware in the system, you might have two factories that stop working. The actual damage is probably greater.”

The number of data breaches are only expected to increase, according to a report by III, and insurance companies are banking that their growing cyber policies will pay off.