Insurance implications for N.Y. businesses after a ransomware attack

Recent court cases highlight the need for New York businesses to evaluate cyber coverage under crime policies.

In an all too familiar scenario — a business email compromise scheme — a malicious actor poses as a top-level executive and directs an employee via email to wire money. The alleged purpose of the wire could be to pay a vendor or to consummate an important deal. Deceived by the imposter, the employee complies and wires the money as requested. Soon thereafter, the funds disappear, and the business is left bereft of funds and scrambling for solutions.

In another tragically common scenario — the “pay us or else” ransomware attack — a threat actor surreptitiously enters a business’s computer system posing as an authorized user, installs its own code on the system (i.e., swaps out the locks for its own, to which only it has the keys), and then locks the system. The threat actor then reveals itself and delivers its message: “pay us or else.” Even if the business were to pay, which is not recommended, the company’s data may be corrupted, or the threat actor may remain in the company’s systems.

In the aftermath of these scenarios, businesses often look to their insurers to reimburse losses and associated expenses. While several kinds of insurance may provide coverage for these types of schemes, crime coverage should be at the forefront of any list. Indeed, coverage may be available under cyber, crime, property, or other insurance policies.

Two recent cases, one from the Second Circuit and one on appeal to the Indiana Supreme Court, highlight issues that every New York business should consider in evaluating coverage under crime policies for cybercrime and cyber risks.

Crime coverage for business email compromise schemes

In Medidata Solutions v. Federal Insurance Company, the insured lost more than $4.7 million to a business email compromise scheme involving email spoofing. The threat actor used computer code that created emails mimicking Medidata’s email messages and, when received, altered Medidata’s computer system to make the email appear authentic—a “spoofed” email. The fraudster then emailed three employees, requesting that they wire funds to a bank account in order to finalize an acquisition by the company. The employees complied. Id.

After learning that it had been defrauded, Medidata filed a claim with its insurance company, Federal, under the “Crime Coverage Section” of its “Executive Protection” policy. The “Crime Coverage Section” provided coverage for “direct losses” that Medidata sustained as a result of “Computer Fraud,” as well as “Funds Transfer Fraud” and “Forgery.” Federal denied coverage.

Medidata brought suit against Federal, and the lower court held in Medidata’s favor. Federal appealed. On appeal, the Second Circuit held that the “plain and unambiguous language of the policy covers the losses incurred by Medidata … .”

First, the court held that a “Computer Violation” occurred when the fraudster manipulated Medidata’s email system, which was considered a part of the “Computer System” within the meaning of the policy. Id. The court reasoned that the code the fraudster used to alter the appearance of the email messages “represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system.” Id. The court also held that the attack changed the data of the computer system because it altered the appearance of email messages. Id. Thus, the Second Circuit concluded that the phishing attack fell squarely within the terms of the “Computer Fraud” provision. Id.

The Second Circuit also held that Medidata sustained a “direct loss,” determining that even though Medidata employees were the ones who initiated the transfer, the fraudster proximately caused the loss. Applying New York law, the court explained that “direct loss” has the same meaning as “proximate cause.”

Because the court held that the computer fraud provision was applicable, it did not consider whether Medidata’s loss was covered by other provisions of the policy, namely the “Funds Transfer Fraud” and “Forgery” provisions.

Crime coverage for ransomware payments

In G&G Oil Co. of Indiana v. Continental Western Insurance Co., the parties dispute whether a commercial crime coverage part of a multi-peril commercial common policy covers losses relating to ransomware.

The insured suffered a ransomware attack in which the threat actor encrypted its servers and workstations and password-protected the insured’s drives. The threat actor demanded a bitcoin ransom payment, which the insured paid, but the threat actor proved untrustworthy and did not restore control to G&G. Instead, the threat actor demanded more bitcoin and the insured again paid it. Id. After receiving the second payment, the threat actor sent the decryption keys to G&G, which was able to restore its access to its computers and servers. Id.

G&G submitted a claim for its losses under the crime coverage’s computer fraud provision. Id.

The insurer denied coverage on the grounds that the losses were not the result of computer fraud and that the insured had not purchased the optional “Computer Virus and Hacking Coverage.” Id. at 844. The insurer argued “that the ransomware attack was akin to an act of theft rather than fraud” and that G&G’s losses did not result directly from the use of a computer. Id. Additionally, the insurer argued that the policy’s computer virus or hacking exclusion applied. Id. G&G countered by contending that “fraud” and “fraudulently” were not defined in the policy and that their plain meanings clearly encompassed the ransomware attack. Id. at 844, 846. Further, G&G contended that the threat actor fraudulently used its computers, which caused G&G’s losses. Id.

The trial court found in favor of the insurer. Following an appeal, the intermediate appellate court held that: (1) the threat actor did not use a computer to fraudulently cause G&G to pay the bitcoin; (2) G&G paid the bitcoin knowing the destination of the money and without any false pretenses; and (3) there was no fraud and no coverage under the computer fraud coverage. Id. at 847. G&G’s appeal is now pending before the Indiana Supreme Court.

Crime insurance coverage for cybercrime

Although the precise cybercrimes differ, the two losses share several similarities. The divergence lies in the two courts’ differing views of the facts.

The Medidata court focused on the threat actor’s deception of the insured, finding that the spoofing attack “clearly amounted to a violation of the integrity of the computer system through deceitful and dishonest access.” Medidata, 729 F. App’x at 118 (internal quotations omitted). Conversely, the G&G court held that the threat actor did not fraudulently use the insured’s computer system to purchase the bitcoin ransom. G&G Oil, 145 N.E.3d at 847. It also found that the threat actor did not deceive the insured to induce G&G to purchase the bitcoin to pay as the ransom for the restoration of its systems. Id.

These decisions demonstrate the interplay between crime insurance coverages and cybercrime. However, this landscape is rapidly evolving. Indeed, in the wake of Medidata, insurers have utilized a combination of new exclusions, endorsements, and sublimits to try to limit their exposures. Given the prevalence of ransomware, New York businesses, as well as their financial, legal, and risk management advisors, should review crime, cyber, property, and other insurance coverages as new decisions are issued in this space.

Peter A. Halprin and Mikaela Whitman are partners, and Nicolas A. Pappas is an associate at Pasich LLP.
