Does Your Cyber Insurance Policy Cover a Ransomware Attack?

Bradley Arant Boult Cummings LLP

Some policyholders mistakenly assume that all cyber insurance policies provide coverage for much the same type of losses. But unlike many other types of commercial insurance, cyber has not become standardized in the years since its inception. Instead, the cyber insurance market offers policyholders a menu of coverage options, from which the organization must purchase specific insuring agreements that match its risk profile. Cyber losses can result from cyber extortion (including the use of ransomware), theft, denial of service attacks, network disruption, and a host of other causes, and can lead to different types of losses, including ransom payments, business interruption, third-party liability due to unauthorized disclosure of confidential information, and regulatory defense and penalties – to name just a few. A given insurance policy may cover any combination of these losses, and some coverages may be optional. It is incumbent on the policyholder to know the risks it needs insured and work with its broker and coverage counsel to find the right policy. 

A decision last month by a federal court in Oregon highlights the risk of litigation when coverage is not clear. In Yoshida Foods International, LLC v. Federal Insurance Company, the policyholder suffered a ransomware attack demanding payment of $107,074.20 in cryptocurrency to recover encrypted data. Because Yoshida lacked access to cryptocurrency, one of its executives paid the ransom from his personal cryptocurrency account and was later reimbursed by the company. The policy did not explicitly provide coverage for extortion, ransomware, or encryption, but did cover a “direct loss” caused by “Computer Fraud,” which included unlawful taking of money resulting from unauthorized entry into a computer system. Federal refused to cover the ransomware payment, arguing among other things that the payment was not a “direct loss” insured by the computer fraud coverage grant because the company’s reimbursement to its executive was an indirect or consequential loss, and because the transfer of funds represented the company’s conscious decision instead of direct theft by the criminals. Over Federal’s objections, the district court found the policy language was broad enough to encompass the ransomware attack, obligating the insurer to indemnify Yoshida for its loss. The policyholder prevailed – but only after litigating the scope of the insurance policy that it purchased.

The Yoshida Foods decision is not binding on other courts, and another jurisdiction could reach a different interpretation of similar policy language. But the coverage dispute might have been avoided if the policy included a specific coverage grant for extortion and ransomware. Amid the assortment of options in the cyber insurance market, policyholders are well advised to shop for policies that clearly identify the risks the organization intends to cover, while also paying attention to limits, definitions, conditions, and exclusions. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bradley Arant Boult Cummings LLP
