Cyber Insurance , Finance & Banking , Fraud Management & Cybercrime
Ohio Supreme Court Says Ransomware Is Not Physical DamageJustices Rule Against Software Developer in Bid to Use Insurance to Cover Attack
Ransomware hacking isn't tantamount to a physical attack, the Ohio Supreme Court ruled, meaning a software developer can't use its property insurance to cover losses.
See Also: Recovering From a Cyberattack, Responding to the OCR, and Building a Cyber Resilient Posture for the Future: A Conversation with OrthoVirginia CIO, Terri Ripley
A unanimous ruling Tuesday from the court's seven justices sided with Lansing, Michigan-based Owners Insurance Company against greater Dayton medical billing software maker EMOI.
Owners Insurance Company, a property and casualty subsidiary of the Auto-Owners Insurance Group, covered the latter for "direct physical loss" to digital media.
Over the course of a three-year court battle, Owners asserted that EMOI's September 2019 ransomware attack lacked a physical dimension and accused the developer of attempting a runaround of its business property policy's exclusion of ransomware costs. The justices agreed with the insurance company.
"Software is an intangible item that cannot experience direct physical loss," wrote Justice Melody J. Stewart.
The state court's decision follows a trend of exclusion from commercial property and liability insurance policies of cyber incidents, exclusions that have led to the growth of stand-alone cyber insurance. Courts continue to hear litigation contesting the nature of those exclusions (see: Oreo Maker Settles With Insurer Over NotPetya Damages Claim).
There is high demand for specialized cyber insurance in the ransomware-weary private sector, but its growth has sparked concerns among insurers about concentrated risk, especially given how hacking's unpredictability makes it difficult or impossible to pool risk across clients. Those concerns have driven a surge in premiums, limits on underwriting amounts and moves by the cyber insurance industry to create its own set of exclusions, such as cyberattacks linked to wars. The federal government is investigating whether to offer a backstop for coverage of catastrophic cyberattacks (see: US Government to Study Cyber Insurance Backstop).
EMOI says it paid approximately $35,000 to ransomware hackers and afterward spent money on upgrading its security infrastructure, including shifting to a VPN for remote access and adding a new backup system. The hackers' decryption key resulted in the restoration of most files although the automated phone call system couldn't be decrypted. The hacking incident did not cause damage to hardware or the physical media holding the company's software.
A district court issued a summary judgment dismissing EMOI's lawsuit against Owners, which the developer filed within months of the attack. EMOI found a friendlier reception at the appellate level, which in November 2021 ruled that the developer could pursue a claim against the underwriter for allegedly treating its claim in bad faith by failing to fully consider "the various types of damage that can occur to media such as software."
At stake, Owners told the Supreme Court when urging it to take up the case, was a possible sweeping expansion of insurance coverage without bounds.
"Wish as it might that it had purchased a 'cyber' policy that might have provided coverage for this situation, EMOI did not," Owners wrote.