Cyber Insurance: Does it Cover Malicious Software?

Does Cyber Insurance Cover Ransomware?

In a previous blog, we told you that an insurance policy is a contract and that its meaning is subject to general principles of contract law.  In the case, G&G Oil Co. of Indiana, Inc. v Continental Western Insurance Co., decided March 18, 2021, the Indiana Supreme Court provided another example of that legal axiom.

The Insurance Policy at Issue

The plaintiff in the case, G&G Oil Co. of Indiana, Inc. (“G&G”), purchased an insurance policy (the “Policy”) from the defendant, Continental Western Insurance Co. (“Continental Western”).  The Policy contained a number of different coverages, one of which was “Commercial Crime Coverage”.  The Commercial Crime Coverage part of the Policy included a “Computer Fraud” provision, which provided that:

We will pay for loss or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:

  1. To a person (other than a “messenger”) outside those “premises”; or
  2. To a place outside those “premises”.

The Claim for Coverage under the Policy

One day, G&G discovered that its hard drives had been encrypted and that it was unable to access its computer systems.  Further, it found a message stating “To decrypt contact [email user].  Enter password.”

G&G consulted with the FBI and was advised that it would need to contact the hackers in order to negotiate the release of its computer systems.  G&G did contact the hackers, who demanded a ransom to release its servers.  G&G paid the ransom, and its computer systems were restored.

G&G filed a claim with Continental Western to recover the ransom paid to the hackers.  However, Continental Western denied the claim.  First, it determined that computer hacking was specifically excluded from the Policy because G&G had declined that coverage in another part of the Policy.  Second, Continental Western found that the ransom was voluntarily paid by G&G to the hackers.  The hackers did not “transfer funds directly” from G&G.

G&G filed a lawsuit against Continental Western.  In the trial court, each party filed a motion for summary judgment.  The trial court granted Continental Western’s Motion for Summary Judgment finding that G&G’s loss was not “fraudulently caused”, as required by the Policy, but was the result of theft.  In addition, it found that G&G’s payment to the hackers was not a loss “resulting directly from the use of a computer” but was “a voluntary payment to accomplish a necessary result”.

G&G appealed the decision of the trial court to the Court of Appeals, where it did not fare any better.  The Court of Appeals held that “the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom” and that “the hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin”.  The Court of Appeals found that this ground was sufficient to uphold the decision of the trial court and, as a result, did not decide whether G&G’s loss resulted directly from the use of a computer.

The case was then transferred to the Indiana Supreme Court for review.

An Insurance Policy is a Contract

The Indiana Supreme Court said that there were two issues to be decided.  Is ransomware “fraudulent conduct” under the Policy?  And is the payment of a ransom to hackers a loss that results “directly from the use of a computer”?  The answer to both questions involves the interpretation of the Policy language.  And, when interpreting an insurance policy, the Court recognized that:

. . . an insurance policy is a contract like any other . . . but we do apply some specialized rules of construction in recognition of the frequently unequal bargaining power between insurance companies and insureds.  One such rule is that courts construe ambiguous terms against the policy drafter and in favor of the insured.

However, policy language will not be deemed ambiguous simply because the parties to the contract interpret it differently.  Instead, policy language is ambiguous only if it is susceptible to two or more reasonable interpretations.  And, whether an interpretation is reasonable is not determined from the perspective of the parties to the policy but from the perspective of an “ordinary policyholder of average intelligence”.

“Fraudulently Cause a Transfer” is Unambiguous

For reasons not pertinent to this article, the Court found that the term “fraudulently cause a transfer” is not ambiguous.  It found that its normal meaning, based both on caselaw and the dictionary, is “to obtain by trick” or deception.  The issue for the Court, therefore, was whether the encryption of G&G’s computer systems was obtained by trick or deception.

Now, to get into the legal weeds a bit because this case was decided on motions for summary judgment, the standard of review was different.  A motion for summary judgment essentially asserts that there is no genuine issue of material fact; that a trial to determine the facts is not necessary; and that, as a result, the trial court can decide the case as a matter of law.  Therefore, when an appeals court reviews a grant of summary judgment, it first needs to consider whether there are genuine issues of material fact.  And, if it decides that there are genuine issues of material fact, then the proper remedy is to remand the case to the trial court for trial; not to enter judgment for one of the parties.  That is what happened here.

In its initial claim letter to Continental Western, G&G stated that:

It is our belief that the hijacker hacked into our system via a targeted spear-phishing email with a link that led a payload downloading to our system and propagating through our entire network . . .

The Supreme Court found that this allegation in G&G’s claim letter was enough to defeat Continental Western’s motion for summary judgment but was not enough to award summary judgment in G&G;s favor.  Not every ransomware attack is necessarily fraudulent.  “For example, if no safeguards were put in place, it is possible a hacker could enter a company’s servers unhindered and hold them hostage.  There would be no trick there.”  Because G&G could not establish that its computers were hacked by trick or deception, and Continental Western could not establish that G&G’s computers were hacked as a result of G&G’s negligence or its failure to adopt ordinary safeguards, neither party was entitled to summary judgment.  Therefore, the case would have to be remanded to the trial court for trial on this issue.  That is, of course, unless the Court found that G&G’s loss did not result directly from a computer as a matter of law; in which case, it could uphold summary judgment for Continental Western.

The Payment of Ransom Resulted Directly from a Computer

G&G claimed that its loss resulted directly from a computer because it would not have had to pay ransom without the hacking of its computer.  Continental Western claimed that the payment of ransom was voluntary and, as a result, the payment did not result directly from a computer.  The voluntary nature of the payment broke the chain between the hacking and the payment.

The Supreme Court said that the dispute required it to interpret the policy language “resulting directly from the use of a computer”.  Again, for reasons not pertinent to this article, the Court said that the term “directly” means immediate or proximate.  It requires a straight-line chain of events between the hacking and the payment.  There could be no intervening cause to disrupt the chain of events.

The Supreme Court found that the payment of the ransom was proximately caused by G&G’s need to access its computer systems.  Without access to its computers, its business would have been disrupted, and it would have suffered even greater loss.  The payment was voluntary only in the sense that G&G was fully aware that it was making the payment.  It had no choice.  It was made under duress.  As a result, the Supreme Court found that the payment of the ransom resulted directly from a computer, and G&G was entitled to summary judgment on this issue.

What Does This Case Mean?

So, does this case answer the question that was asked at the beginning of the article?  Does cyber liability insurance cover ransomware?  Not yet.           

While G&G was successful in overturning the judgment of the lower courts, it has not yet recovered under the Policy.  It simply earned the right to a trial on the issue of whether the ransom paid to the hackers is covered under the Policy.  In the end, it may prevail.  But, again, it may not.  Whether it prevails will depend upon whether it can establish that the encryption of its servers was “fraudulently caused”.  The moral of the story is that the time to understand an insurance policy is before a claim is filed, not after.  You can be sure that, when G&G purchased the Policy from Continental Western, it never expected that a claim would result in a lawsuit.  It expected to be protected against this type of loss.  However, at this point, we do not know whether there will be a happy ending for G&G or for Continental Western.

A business looking for insurance needs the advice of an experienced professional.  An insurance professional can help you identify the risks that your business faces and make sure that you obtain the right policy to cover those risks.  That might mean negotiating with the insurance company to include coverages that are not normally contained in their standard policy form.  It may also mean eliminating exclusions that rob an insurance policy of its relevance.  In addition, an experienced insurance professional may be able to introduce you to alternative risk management strategies, such as a captive insurance company.  With a captive insurance company, a business owner can tailor its insurance coverage to provide its business with the ultimate in insurance protection.