Silent Cyber Claims - possible bonanza for insureds, at great risk to insurers
“Silent cyber” is a term used to describe cyber-related losses arising under insurance policies that were not drafted or intended to cover cyber risk, meaning that an insurer may have to pay claims for cyber losses under a policy not designed for that purpose. Insurers are concerned because these losses were not priced into the affected policies when they were drafted.
Policies covering perils that cause physical damage were often drafted years ago, when cyber risks were not even contemplated, so they contain no specific exclusion for cyber risks and liabilities. Such policies are considered “silent” on cyber coverage and exclusion. A policy that does not state that a peril caused by a cyber event is covered may also not explicitly state that it is excluded, so whether losses from cyber-induced physical perils, such as fire, are covered remains unsettled. If a policy is written on an all-risks basis, as opposed to named perils, anything not explicitly excluded is covered.
As per the Organisation for Economic Co-operation and Development (OECD), silent cyber can affect the following types of policies:
The Working Group on cyber insurance set up by IRDAI wanted the silent cyber issue properly addressed: “Insurers may place this matter (silent cyber issue) high on the agenda and address this problem sooner than later”, the committee said in its report.
Recent cases in the USA indicate that insureds can take advantage of policies, even as insurers struggle to deny them.
In G&G Oil Co. of Indiana, Appellant-Plaintiff, v. Continental Western Ins. Co. (2020), the Court of Appeals looked into a claim dispute relating to a ransomware attack, for which a claim was made under a multi-peril commercial insurance policy. The policy had a section headed “6. Computer Fraud”: We will pay for loss of or damages to "money", "securities" and "other property" resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises": a. To a person (other than a "messenger") outside those "premises"; or b. To a place outside those "premises".
On November 17, 2017, G&G employees discovered that the company was the victim of a ransomware attack. Employees were unable to access the company's servers and most of its workstations. A hijacker had gained access to G&G's computer network, encrypted its servers and most workstations, and password protected its drives. The hacker demanded a ransom, and in exchange for payment, agreed to send G&G the passwords and restore its control over its computer servers. The hijacker demanded payment in bitcoin. After receiving the fourth bitcoin, the hacker gave G&G the passwords enabling it to decrypt its computers and regain access to its servers.
G&G submitted a claim to the insurer requesting indemnity for the ransomware attack and ensuing losses under the computer fraud provision included in the Commercial Crime Coverage Part of its insurance policy. The claim was denied because the insured had not purchased the optional "Computer Virus and Hacking Coverage" offered under the Agricultural Output Coverage Part. It was also stated that G&G's losses did not result directly from the use of a computer to fraudulently cause a transfer of G&G's funds.
In the court case that followed, the trial court concluded that G&G's losses did not directly result from the use of a computer but from a "voluntary payment to accomplish a necessary result." The superior court also did not allow the claim, stating that the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin. Although the hijacker's actions were illegal, there was no deception involved in the hijacker's demands for ransom in exchange for restoring G&G's access to its computers. For all of these reasons, the court concluded that the ransomware attack was not covered under the policy's computer fraud provision.
The matter was then taken to the Indiana Supreme Court, which in 2021 decided otherwise. The Supreme Court concluded that in order to obtain coverage under this policy, G&G Oil must demonstrate that its loss resulted either "immediately or proximately without significant deviation from the use of a computer." The court found that G&G Oil had satisfied that definition.
It opined that “G&G Oil's action of transfer of Bitcoin was nearly the immediate result—without significant deviation—from the use of a computer. Though certainly G&G Oil's transfer was voluntary, it was made only after consulting with the FBI and other computer tech services. The designated evidence indicated that G&G Oil's operations were shut down, and without access to its computer files, it is reasonable to assume G&G Oil would have incurred even greater loss to its business and profitability. These payments were "voluntary" only in the sense G&G Oil consciously made the payment. To the court the payment resembled more closely one that was made under duress. Under those circumstances, the "voluntary" payment was not so remote that it broke the causal chain. Therefore, we find that G&G Oil's losses "resulted directly from the use of a computer."” The case was remanded for further proceedings.
In another case, EMOI Servs. v. Owners Ins. Co., decided in 2021, the Court of Appeals of Montgomery had to deal with a hacker attack on the company's servers that encrypted their files. The hacker demanded US$35,000. The insured then tried to find out who could remove the encryption legally, but the cost was found to be US$55,000, and even then the data recovery company was not certain that all of the data could be recovered. Hence the ransom was paid and the files were decrypted.
The insured held a businessowner's insurance policy issued by Owners. The insurer found that there was no coverage under any of the potentially applicable provisions of the insurance policy, including the Data Compromise endorsement and the Electronic Equipment endorsement.
In the court case that followed, the insurer stated that under the Businessowners Special Property Coverage form, the Data Compromise endorsement, and the Electronic Equipment endorsement, no direct physical loss or damage had occurred, as required by the Special Property Coverage Form and the Electronic Equipment endorsement. Owners further argued that the Data Compromise endorsement did not extend to the type of loss incurred by EMOI, as it did not involve "affected persons" or "personally identifying information."
The insured argued that it was "not seeking merely to recover for lost data," which it acknowledged was not covered by the policy. Rather, it argued that it was seeking coverage for "the damage to the media, not the information or data contained on the media." EMOI explained that the software, a computer program, "was damaged by a computer hacker who manipulated the computer software program, encrypting the program to prevent EMOI's use of the software and access to the data. The software was not accessible or usable. Thus, the computer software was damaged." However, after examining the issues, the trial court ruled in favour of the insurer.
At the appeal stage the court found that the insured’s server fell within the definition of "electronic media and records." See Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16, 25, 2003 WL 21078083 (Tex.App.). During the oral argument, counsel for Owners (Insurer) indicated that a server could be "media," although counsel asserted that it would need to be physically damaged.
The insurer’s argument was that media includes computer software and reproduction of data that is contained on "covered media." Consistent with the use of the term "covered" throughout the policy, the court read "covered media" to mean media that is insured under the endorsement. See Black's Law Dictionary 365 (6th Ed.1990) ("Cover. To protect by means of insurance[.]") The court did not find it reasonable to interpret the phrase to mean only media that has incurred a covered loss, as Owners (insurer) suggested. In the case, because the computer software and reproduction of data was contained on EMOI's servers, i.e., "covered media", those items also met the definition of media. The court did not accept the insurer’s interpretation of the media provision as it did not adequately account for the additional statement defining "media" to include software and reproduction of data on covered media.
The other area of dispute was whether the damage to EMOI's software constituted "direct physical loss of or damage" to covered property. The insurer argued that EMOI's system was not physically damaged because once the decryption program was run, EMOI's files opened and operated the way they were intended to. In essence, it was argued that EMOI's system merely needed to be cleaned. The insured counter-argued that the policy also covered the intangible item of software. The court, construing the evidence in the light most favourable to EMOI, concluded that the policy contemplated that EMOI's software and reproduction of data was capable of being physically damaged, and Glaser-Garbrick (the insured’s IT Manager) had testified that it was. Thus, the court found that genuine issues of material fact exist as to whether EMOI's claim was covered by the Electronic Endorsement - Media policy.
Comment from an Insurtech Evangelist, Director & COO (Product Design, Development, Digital Marketing Strategy/Implementation), 2 years ago:
Good insight. But even cyber risk policies that are supposed to cover these risks aren't so well done either! I understand both sides, cyber and risks, and I feel the cyber covers are inadequately designed. It looks affordable and simple. But cyber is NOT simple. Anyway, the details provided in this article are very interesting to note.