January 23, 2022

Volume XII, Number 23


Ransomware in 2022: You May Be Screwed, but Without Insurance It Could Always Be Worse

A commentator recently summed up the risk of ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.

2022 is expected to be another record-setting year for cyber criminals. Hackers are likely to continue to exploit the vulnerabilities attendant to remote working, which isn’t expected to be going anywhere in 2022. According to a survey by Microsoft, most people would consider leaving their company if the option to work remotely was removed. So, employers are unlikely to scale back the flexible work options currently on offer, which leaves them exposed in ways cyber criminals are adept at exploiting.

What’s more, we are currently experiencing what experts call “the great resignation” or “the big quit.” More and more people are resigning or changing jobs, according to data released by the UK’s Office for National Statistics and a study by CNBC. This could lead to more cybersecurity vulnerabilities because new employees aren’t as familiar with existing security protocols.

All of this at a time when cyber criminals are only getting more sophisticated. Cybersecurity professionals have observed cyber criminals more frequently targeting “supply chain software”—a piece of software that is used by multiple businesses. Targeting supply chain software allows cyber criminals to access numerous targets from a single breach. Also on the rise is Ransomware-as-a-Service (RaaS)—cybercriminals hawking their wares to other cybercriminals.

This all means one thing—companies must be prepared. Fortunately, cyber insurance can still help mitigate cyber risks and liabilities, including the costs associated with ransomware attacks, such as response costs and the costs of retaining experts to advise you through the incident, investigation, and next steps; lost business income as a result of interruptions to networks or encryption; and in many cases, coverage for the ransom itself. While robust cyber insurance policies still exist on the market, cyber insurance claims in 2021 exploded and there is no sign of that trend abating in 2022. As a result, renewals are expected to be especially challenging as insurers seek to limit aggregate exposure and enforce stricter underwriting standards. For example, nearly all cyber insurers are increasing underwriting scrutiny and demanding more detailed submissions from policyholders, including supplemental ransomware questionnaires or applications.

At the same time, many cyber insurers are imposing higher deductibles and sub-limits while dramatically increasing premiums. Some insurers are also limiting or eliminating specific types of coverage, such as coverage for state-sponsored attacks and/or social engineering fraud. One insurer limits or excludes coverage for so-called “widespread events,” a restriction that purports to apply when a single attack implicates multiple targets (both insured and not insured)—such as an attack on supply chain software, discussed above. Other cyber insurers are limiting coverage for contingent business interruption loss—losses resulting from a cyber attack impacting another company’s system, on which you rely to do business.

As our team has discussed before on the blog and in other articles, in this market, companies must be mindful of potential gaps in coverage and should make sure to obtain a tailored policy that meets their insurance objectives. It is critical to use sophisticated coverage counsel to help guide the process and review policies and quotes prior to binding coverage, particularly as you are likely to face different endorsements and potentially material coverage limitations, potentially all at a higher cost, at renewal.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.
National Law Review, Volume XII, Number 5

About this Author

Kevin V. Small Insurance Attorney Hunton Andrews Kurth New York, NY
Associate

Kevin counsels clients on the recovery of insurance proceeds and on risk management and insurance strategy.

Kevin represents clients in complex coverage disputes involving claims under various types of policies, including first-party property, cyber, D&O, E&O, general liability, product liability, and transactional liability.

Prior to law school, Kevin worked for the world’s leading risk management and insurance broking firm. In this role, he advised Fortune 500 clients on structuring sophisticated risk management programs, brokered the insurance components of such...

212-309-1226
Koorosh Talieh Attorney Insurance Law Hunton Andrews Kurth Washington DC
Partner

KT’s practice focuses on complex insurance litigation, counseling, arbitrations, trials, and appeals.

KT represents corporate policyholders in disputes seeking to enforce insurance coverage for products, environmental, construction, directors and officers, employment, fiduciary, errors and omissions, and intellectual property liabilities, and a wide array of first-party property and business interruption losses. His experience includes all phases of dispute resolution from pre-complaint investigation and advice through mediation, arbitration,...

202-662-2715
Andrea DeField Associate Miami Insurance
Associate

Andrea finds risk management, risk transfer, and insurance recovery solutions for public and private companies.

Andrea has dedicated her career to helping clients manage risk and maximize insurance recovery. As part of her counseling practice, Andrea adds value to business deals by advising clients on contractual risk transfer through indemnity, additional insured, and required insurance provisions in contracts. She also helps clients identify and mitigate risk before a loss occurs by conducting insurance due diligence for mergers and acquisitions and by conducting audits of clients...

305-810-2465