Ransomware Attacks: Protecting Your Company Via Insurance
As cyber-insurance has evolved over the past decade, policyholders and insurers have generally accepted a basic maxim: first-party technology risks are only insured under cyber-insurance policies. Nearly every time a policyholder challenged this notion, they were rebuffed by courts holding that traditional property policies only cover physical loss and security breaches (like ransomware) occurred in the binary code, not in the physical world. Thus, there was no ransomware coverage under a traditional property policy. However, in recent weeks, a Federal Court in Maryland rejected that premise, potentially opening more policies to coverage for ransomware attacks.
In the Maryland case, an embroidery company sought coverage for losses resulting from a ransomware attack. [1] A 2016 ransomware attack prevented the company from accessing its art files, other server data and most of its software. The company paid the initial bitcoin ransom, but the attacker demanded additional payments and then refused to send the company the configuration file necessary to access the encrypted data and software.
A security firm replaced and reinstalled the company’s software, but this slowed the company’s computer system and resulted in a loss of efficiency. Also, the security firm assessed that dormant remnants of the ransomware virus were still on the system. The options available to completely eliminate the risk of further infection were either to wipe the entire system and reinstall all of the software and data or to purchase a new server and components.
The embroidery company filed an insurance claim under its property and casualty policy. However, the insurer denied the coverage because, among other things, it argued that computer data and software were considered intangible property not covered under the policy and the reduced functionality and efficiency of the company’s computer system were not covered losses. On January 23, a federal court agreed with the company and ruled the policy covered the losses.
When is computer data and software covered property?
Many insurance policies differentiate intangible property from tangible property and exclude one while covering the other. In the policy at issue here, the court found that both were covered. Moreover, the court found that, for the purposes of the policy, there can be “damage to” software or data. In fact, although the company’s computer system retained certain functionality, the ransomware attack and subsequent remedial measures reduced the computer system’s speed and efficiency. Additionally, the storage capacity was damaged such that its content (namely the data and software) could not be accessed. These were “damage(s) to” the computer system. Consequently, the court found the data and software were covered property.
Is a computer system’s reduced speed and efficiency a covered loss?
The insurer also argued that even if the data and software were covered property, the loss of computer functionality was not a covered loss because no physical loss or damage had occurred. The court disagreed and held that a computer system need not be completely and permanently inoperable to be “damaged” for purposes of policy coverage. Instead, reduced operability and functionality was sufficient “damage” to trigger coverage.
Notably, the court also found that the loss of a computer system’s functionality could be a physical loss. Citing another court opinion, the court stated the following:
“Physical damage is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” [2]
Accordingly, the court found that the embroidery company demonstrated a covered loss after losing access to and use of its data and software and experiencing reduced speed on its computer system.
Takeaways
Re-Consider Paying Ransoms: While many experts advise against paying an attacker’s ransom, some companies pay in desperation to recover data and return to business as usual. However, as this case shows, paying an attacker does not always mean the attacker will release the data. Instead, payment might only embolden the attacker to make additional demands or repeat attacks. If a payment is under consideration, engage advisors with experience in this area who are knowledgeable about “proof of life” and other approaches to testing whether the criminal will actually be able to decrypt the files.
Know Your Policies: Many insurers have tried to move cyber-risks from traditional policies, such as property and casualty insurance, to modern cyber-policies. For ransomware attacks, many cyber-policies provide specific coverage for cyber extortion, data restoration, and business interruption losses resulting from ransomware attacks. Yet, as the court ruled here, some traditional policies still provide coverage for ransomware attacks. Notwithstanding this court’s opinion, companies should review their existing policies, as well as others offered in the market, to understand their current cyber-risks. In addition, while ransomware continues to grow as a threat, other attack vectors, such as fraudulent transfer schemes, are very common; ensuring that your coverage is comprehensive and matches your risk profile is a good investment.
For additional information, please contact Guillermo Christensen or Christian Robertson. Guillermo, a former CIA intelligence officer and a diplomat with the U.S. Department of State, is a partner in Ice Miller’s Data Security and Privacy and White Collar Defense Practices. Christian is an associate in Ice Miller’s Data Security and Privacy and White Collar Defense Practices.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] National Ink and Stitch, LLC v. State Auto Property and Casualty Ins. Co., No. SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020).
[2] Citing American Guarantee & Liab. Ins. Co. v. Ingram Micro, Inc., Civ. No. 99-185-TUC ACM, 2000 WL 726789, at *1 (D. Ariz. April 18, 2000).