Software provider denied insurance payout after ransomware attack

The Supreme Court of Ohio issued a ruling days before the New Year that a software and service provider shouldn’t be covered by insurance against a ransomware attack as it didn’t cause direct or physical harm to tangible components of software, as it doesn’t have any.

“When insurance policy covers ‘physical damage’, there must be direct physical loss or physical damage of the covered media containing the computer software in order for the software to be covered under the policy,” the opinion document noted.

This decision overturned a lower court ruling involving EMOI Services, an Ohio-based company selling software for scheduling appointments, medical billing, and record keeping. In 2019, attackers gained access to EMOI’s computer systems, planting ransomware and demanding a ransom of three Bitcoins, which amounted to $35,000 that time. After hiring a third-party vendor to fix the systems, EMOI Services owners realized it would cost them less if they pay the ransom, so they did.

After the company paid the ransom, the attackers handed over the decryption key to restore data. However, some systems and files remained encrypted, such as EMOI’s telephone system and a trove of its non-critical files.

When EMOI Services filed an insurance claim for losses from the ransomware attack—the ransom payment and costs associated with investigating the attack, remediating from it, and upgrading its security systems—Owners Insurance Co., its policy owner, denied the claim. The insurers contended the attack has no “direct physical loss to media”, which is covered by the policy. EMOI Services then sued Owners Insurance Co, alleging breach of contract.

The Court of Common Pleas in Montgomery County ruled in favour of the insurer, agreeing that EMOI’s policy only covers direct or physical loss or damage. The Second District of the Court of Appeals, however, reversed this, saying a potential coverage is possible if EMOI can prove the ransomware attack against it caused actual damage to its software.

The opinion in the Supreme Court of Ohio finally set it all straight: EMOI’s insurance policy is “clear and unambiguous in its requirement”. “Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case,” the ruling said. This was made despite the policy defining computer software as a form of “media”.

“EMOI contends that the policy covers that damage even when there has been no damage to hardware. We are not persuaded by this argument. The most natural reading of the phrase ‘direct physical loss of or damage to’ is that EMOI is insured for direct physical loss of its media and insured for direct physical damage to its media,” the court elaborated on its ruling. Note that the stresses in these statements were reproduced from the court document.

“Similarly, although the term ‘computer software’ is included within the definition of ‘media,’ it is included only insofar as the software is ‘contained on covered media.’ We hold that ‘covered media’ means media that has a physical existence.”

In an email interview with Insurance Journal, Policyholder attorney K. James Sullivan said the Ohio Supreme Court looked at the issue of direct physical loss with a “20th Century lens.”

“I suspect we’re going to see an increasing number of losses to policyholders driven by twenty-first century fact patterns, such as pandemics, harm to computer systems, harm to air quality, etc., so it will be interesting to watch how the Ohio Supreme Court, insurers, and policyholders adapt going forward, Sullivan said. “Based on the underpinnings of these most recent opinions, it seems that insurance policy language needs to catch up to the evolving and emerging risks faced by modern-day Ohio policyholders.”


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

https://blog.malwarebytes.com/feed/