Ransomware in 2022: You May Be Screwed, but Without Insurance It Could Always Be Worse
A commentator recently summed up the risk of a ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.
2022 is expected to be another record-setting year for cyber criminals. Hackers are likely to continue to exploit the vulnerabilities attendant to remote working, which isn’t expected to be going anywhere in 2022. According to a survey by Microsoft, most people would consider leaving their company if the option to work remotely was removed. So, employers are unlikely to scale back the flexible work options currently on offer, which leaves them exposed in ways cyber criminals are adept at exploiting.
What’s more, we are currently experiencing what experts call “the great resignation” or “the big quit.” More and more people are resigning or changing jobs, according to data released by the UK’s Office for National Statistics and a study by CNBC. This could lead to more cybersecurity vulnerabilities because new employees aren’t as familiar with existing security protocols.
All of this at a time when cyber criminals are only getting more sophisticated. Cybersecurity professionals have observed cyber criminals more frequently targeting “supply chain software”—a piece of software that is used by multiple businesses. Targeting supply chain software allows cyber criminals to access numerous targets from a single breach. Also on the rise is Ransomware-as-a-Service (RaaS)—cybercriminals hawking their wares to other cybercriminals.
This all means one thing—companies must be prepared. Fortunately, cyber insurance can still help mitigate cyber risks and liabilities, including the costs associated with ransomware attacks, such as response costs and the costs of retaining experts to advise you through the incident, investigation, and next steps; lost business income as a result of interruptions to networks or encryption; and in many cases, coverage for the ransom itself. While robust cyber insurance policies still exist on the market, cyber insurance claims in 2021 exploded and there is no sign of that trend abating in 2022. As a result, renewals are expected to be especially challenging as insurers seek to limit aggregate exposure and enforce stricter underwriting standards. For example, nearly all cyber insurers are increasing underwriting scrutiny and demanding more detailed submissions from policyholders, including supplemental ransomware questionnaires or applications.
At the same time, many cyber insurers are imposing higher deductibles and sub-limits while dramatically increasing premiums. Some insurers are also limiting or eliminating specific types of coverage, such as coverage for state-sponsored attacks and/or social engineering fraud. One insurer limits or excludes coverage for so-called “widespread events,” a restriction that purports to apply when a single attack implicates multiple targets (both insured and not insured)—such as an attack on supply chain software, discussed above. Other cyber insurers are limiting coverage for contingent business interruption loss—losses resulting from a cyber attack impacting another company’s system, on which you rely to do business.
As our team has discussed before on the blog and in other articles, in this market, companies must be mindful of potential gaps in coverage and should make sure to obtain a tailored policy that meets their insurance objectives. It is critical to use sophisticated coverage counsel to help guide the process and review policies and quotes prior to binding coverage, particularly as you are likely to face different endorsements and potentially material coverage limitations, potentially all at a higher cost, at renewal.