Destination, Ransomware: Does Your Cyber-Liability Insurance Cover All the Stops?

A recent ruling from the Indiana Court of Appeals may prevent you from recovering ransom paid to cyber-criminals under your insurance policy’s Computer Fraud provision. The Indiana Court of Appeals decision turned on whether ransom payments are fraudulently induced or, as the trial court in this case concluded, they are “voluntary payment[s] to accomplish a necessary result.”[1] Federal courts have diverged on whether ransom payments can be considered a direct loss, and a fuller explanation can be found in a review of recent federal court cases analyzing direct losses under Computer Fraud coverage published by Ice Miller’s Data Security and Privacy team. As ransomware attacks increase in frequency and severity, it may be time for you to revisit your insurance coverage.

The Case: G&G Oil Co. of Indiana v. Continental Western Insurance Company

In November 2017, Indiana oil company G&G Oil Co. of Indiana (“G&G”) fell victim to a ransomware attack that encrypted G&G’s network, servers, and most workstations, rendering them inaccessible. As is common with most ransomware attacks, the hackers demanded a ransom—to be paid in Bitcoin—in exchange for restoration of G&G’s servers. G&G purchased four Bitcoins for $34,477.50 and delivered the ransom to the hacker, who provided G&G with the passwords to decrypt its computers and regain access to its servers.

Seeking to recover the ransom payments under the Computer Fraud provision included in the Commercial Crime Coverage Part of its insurance policy, G&G filed a claim with its insurer, Continental Western Insurance Company (“Continental”). Continental denied the claim because G&G had not purchased the option “Computer Virus and Hacking Coverage” offered under the Agricultural Output Coverage Part, and further argued that the payments did not result directly from the use of a computer to fraudulently cause a transfer of G&G’s funds. Based on this denial, G&G initiated a lawsuit in the Marion Superior Court.

The trial court ruled in favor of Continental, holding that G&G’s losses were not fraudulently caused:

“Unlike the fraudster, a hacker, like the burglar or car thief is forthright in his scheme. The hacker deprived G&G Oil of use of its computer system and extracted bitcoin from the Plaintiff as ransom. While devious, tortious, and criminal, fraudulent it was not.”[2]

On appeal, the Indiana Court of Appeals agreed, adding that the hacker did not “pervert the truth or engage in deception to induce G&G to purchase the Bitcoin.”[3] Both the trial court and the Court of Appeals acknowledged that although the attacker’s actions were certainly illegal and malicious, they were not in any way fraudulent in inducing G&G to purchase and transfer the Bitcoin ransom to the hacker. G&G willingly purchased Bitcoin and intentionally delivered the Bitcoin to the attacker in exchange for restoration of its systems.

Why is This Case Important?

It is important to distinguish the ruling in G&G’s case from certain federal circuit court rulings finding insurance coverage under computer fraud provisions. In cases where coverage is found, coverage focuses on the wire transfers the attackers cause to happen through deception. For example, an employee receives a phishing email from an attacker posing as the company’s Chief Financial Officer asking for $50,000, and the employee transfers the funds. In ransom payment scenarios similar to that in G&G Oil Co., circuit courts are split on whether this is a direct loss caused by computer fraud, with some courts limiting “direct losses” to those incurred by brute-force hacking and other courts expanding that definition to include social-engineering attacks. In the G&G case, the Indiana Court of Appeals has clearly limited the potential for a claim of a direct loss under computer fraud provisions to recover a ransom payment the victim has effectively, willingly made to the criminal hacker. As the Court of Appeals reasoned, ransom payments themselves are not fraudulently induced because the attacker explicitly requests money from the victim in exchange for decryption, and the victim has the choice whether to pay the attacker.

Key Takeaways

Think twice before paying ransoms. If your company falls victim to a ransomware attack, consult your insurance policy before moving forward with any payment. Some insurance policies may have additional cyber-liability coverage known as “cyber-extortion” coverage that may provide relief for ransom payments, negotiation with hackers, and the cost of computer forensic investigations. 

Include the question of whether a ransom would be paid in your ransomware response planning. Negotiating and paying a ransom is often a stressful and risky gambit, and the more preparation you have done ahead of time, the smoother the response process will be.

Even if your ransom payments are not covered, other losses may be protected. As we highlighted in a previous publication, coverage for losses beyond ransom payments may exist in other policies, such as property coverage for computer data and software corruption as well as reduced computer system speed and efficiency.

Ice Miller has the professionals and experience to help clients acquire adequate cyber-liability coverage as well as address other data security and privacy questions. To speak to an attorney, please contact Nick Reuhs, Guillermo Christensen, Christian Robertson, or Mason Clark. Nick Reuhs is an Ice Miller partner and assists the Data Security and Privacy Group with insurance matters. Guillermo Christensen is an Ice Miller partner in the Data Security and Privacy Group and White Collar Investigations. Christian Robertson and Mason Clark are associates in our Data Security and Privacy Practice Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] G&G Oil Co. of Indiana v. Continental Western Insurance Company, No. 19A-PL-1498, *5 (Ind.Ct.App. March 31, 2020).
[2] Id.
[3] Id. at 11.