RANSOMWARE RAMPAGE
Three courts determined that the case did not involve fraud, yet reached opposing rulings
Nothing was solved by putting a coverage in place that ended up creating both an uncovered loss and a substantial litigation expense, doubling down on the error.
By Bruce D. Hicks, CPCU, CLU
The Court Decisions column is a popular part of Rough Notes magazine. One reason for this is that the court room is where the promises made in an insurance contract often become real. All insurance professionals can develop “what if” scenarios, but until those scenarios are tested with an actual loss and a court decision, they remain mental exercises. This column comes from the industry expert editors of Policy Forms & Manual Analysis (PF&M). This is a knowledge base consisting of more than 15,000 pages of coverage explanations from Rough Notes Company’s digital solutions. The editors are going to dig a little deeper into one of those court decisions to identify a coverage problem, provide possible solutions and/or offer broader perspectives.
In the case of G&G Oil of Indiana, Inc. v. Continental Western Insurance Company, the policyholder sought coverage for an unwanted expense as it interpreted coverage to exist. While the policyholder looked for reimbursement under a commercial property policy that included protection against computer fraud, the insurer did not see the loss in the same manner.
Taking a look at what caused the claim and the policy language involved would be helpful. The policyholder found that company employees were locked out of using the firm’s computer system. The company’s system files were encrypted by an outside party that sent a notice to contact another party via email in order to resolve their problem.
After seeking advice from the FBI, the company initiated contact. They followed instructions requiring them to use cryptocurrency to pay the outside party. Access to their system was restored after they secured roughly $35,000 in bitcoin and sent it as ransom to the party that hijacked their data.
The disagreement about whether coverage was due revolved around the commercial property policy’s computer fraud language. It provided protection when money, securities and/or similar property was lost or damaged from an outside party that used computer technology to trick the insured into its transfer.
This was a particularly interesting scenario that fell into litigation. Eventually, neither of the litigants nor the courts were on the same page with how the policy language applied to the loss. It was a study in wearing blinders. The policyholder didn’t appear to have a clear idea of the protection they needed. The insurer appeared to drop the ball on what coverage was provided. If an agent was involved, that party likely whiffed on getting the insured and insurer aligned. The lower courts did not establish opinions on grounds that were supported by the highest court that addressed the case.
In our opinion, the loss involved the criminal use of a computer to coerce the policyholder to pay a ransom. The policyholder erred in how it framed the loss. Yes, a computer was central to the loss. However, the insurance company was on point that the coercion was not fraud. No trick was involved. Kidnapping of persons or of property is straightforward. The payment of ransom is a deliberate choice, and the purpose is understood.
The courts also diverged on the key issue. Both lower courts focused on the issue that the ransom was not fraud. For various reasons, the jurisdiction’s highest court held what was essentially the same opinion but reached a far different result. It ruled that the payment was made under duress. Therefore, the payment was not a voluntary one. The higher court then reversed the lower two courts’ opinions and required the matter to be re-tried.
I hope you have the same question that I do: How can all three courts determine that the ransom payment did not involve fraud, yet reach opposing rulings?
Okay, let’s stop belaboring what actually happened and offer our opinion on the real mistake. At some point, the parties needed a better understanding of the key exposures that had to be addressed. Nothing was solved by putting a coverage in place that ended up creating both an uncovered loss and a substantial litigation expense, doubling down on the error.
Why bother with a funds and securities exposure when it was cyber crime creating the larger exposure? Both cyber crime and cyber liability risks have matured and grown into areas of significant risk. The products to address them already exist.
While the exposure is higher tech, the challenge is as old as dirt. Has placement of the most logical insurance plan addressed the key operation exposures? When every party has that focus, protection and mitigation are maximized.
In the end, insurers seek language that restricts their payment obligations to accidents. The rationale that while actual harm is frequently unintended, the point is that they are, to some degree, foreseeable. The only way for insurance professionals to proceed is to hammer home how insurance is meant to perform. A policy that is poorly understood is open to failing coverage expectations.
The author
Bruce D. Hicks, CPCU, CLU, is senior vice president, Technical & Educational Products Division, at The Rough Notes Company, Inc. He has more than 30 years of property/casualty insurance experience, including personal and small business underwriting as well as compliance duties for several national and regional insurers. Active in the CPCU Society, Bruce served as a governor of the organization from 2007 through 2010 and currently serves on its International Interest Group Committee.