One of the areas of significant concern in the global insurance underwriting community is the potential exposures insurers face from “silent cyber” – that is, the coverage of cybersecurity-related losses under traditional insurance policies that are not expressly designed to cover cyber losses. In a recent ruling in an insurance coverage dispute in which a small business sought insurance coverage for its losses following a ransomware attack, a Maryland federal court judge, applying Maryland law, held that the company’s business owner’s policy (BOP) covered the damages the company incurred. The ruling highlights the potential coverage available for companies experiencing cyber-security losses under their traditional insurance policies. As discussed below, there are a number of interesting features to this ruling.
National Ink and Stitch LLC is an embroidery and screen printing business. In December 2016, its computer server and networked computers were hit with a ransomware attack. The attack prevented the company from accessing all of its art files and other data on its server, and all of its software. The company paid the bitcoin ransom the attacker demanded, but then the attacker demanded further payment.
At that point, the company paid a security company to replace and to install its software, and to install protective software. As the court later said, “In the end, although Plaintiff’s computers still functioned, the installation of the protective software slowed the system and resulted in a loss of efficiency.” The art files formerly housed on the server cannot be accessed. Computer experts testified that there likely are dormant remnants of the ransomware virus on the company’s server that could “re-infect the entire system.” In order to eliminate the risk of further infection, the company would have to “wipe” the entire system and reinstall all of the software and information, or to purchase an entirely new server and components.
National Ink and Stitch submitted a claim to its BOP insurer in December 2016. However, the insurer denied coverage for the cost of replacing the entire system, arguing that the company had not experienced “direct physical loss of or damage to” its computer system in order to justify reimbursement of the replacement cost of the entire system under the Policy. National Ink and Stitch filed a lawsuit against the insurer. The parties filed cross-motions for summary judgment.
The Relevant Policy Language
The policy provides, in relevant part, that the insurer “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.”
The policy’s Special Form Computer Coverage endorsement expressly defines “Covered Property” to include “Electronic Media and Record (Including Software),” and defines “Electronic Media and Records” to include: “(a) Electronic data processing, recording or storage media such as films, tapes, discs, drums, or cells; (b) Data stored on such media.”
The January 23, 2020 Opinion
In seeking summary judgment, the insurer had argued that because National Ink and Stitch had only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience a “direct physical loss” as required under the policy. National Ink and Stitch, for its part, argued that because the policy expressly provides that computer data and software are “Covered Property” subject to “direct physical loss,” and the computer system itself sustained damage, in the form of impaired functioning, it is entitled to coverage.
Judge Gallagher concluded that National Ink and Stitch is entitled to recovery under the policy based both on the loss of data and software in its computer system, and on the loss of functionality to the computer system itself.
In reaching her conclusion that National Ink and Stitch was entitled to recover based on the loss of data and software, Judge Gallagher noted the “inherent contradiction” between the policy and the insurer’s interpretation, since the policy expressly refers to Electronic Media and Record (and Software) as “Covered Property.” Under the insurer’s argument, damage to software and data could never be covered because software and data are not physical. Judge Gallagher, quoting prior case law with approval, noted that “the plain language of the policy’s provisions and definitions dictates that such property is capable of sustaining a ‘physical’ loss.”
Judge Gallagher said further that the mere fact that the computer system retained some limited functionality did not prevent the court from concluding that the company had suffered physical damage. The more persuasive case is that “loss of use, loss of reliability, or impaired functionality demonstrate the required damages to a computer system, consistent with the ‘physical loss or damage to’ language in the Policy.” Indeed, she noted, “in many instances a computer will suffer ‘damage’ without becoming completely inoperable.”
Here, Judge Gallagher said, National Ink and Stitch had sustained loss of its data and software, and is left with a slower system that appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data. Because “the plain language of the Policy provides coverage for such losses and damage, summary judgment will be granted in favor of the Plaintiff’s interpretation of the Policy terms.”
Judge Gallagher’s ruling in this insurance coverage dispute is significant because she has found coverage for ransomware virus-related losses under a BOP policy. Most small businesses carry some form of BOP coverage, so the court’s ruling suggests an important potential avenue for small business owners that have suffered these kinds of losses to pursue.
It is particularly noteworthy, as emphasized in a January 27, 2020 Law 360 article about the decision (here), that the ruling “marks the first time that a court has squarely addressed the availability of coverage for costs linked to a ransomware incident.”
The significance of the decision, according to a January 27, 2020 post on the Hunton Insurance Recovery Blog (here), is that the ruling “demonstrates that insureds can obtain insurance coverage for cyber-attacks even if they do not have a specific cyber insurance policy.”
The possibility that a traditional insurance policy like a BOP policy might pick up coverage for these kinds of losses also seems, according to the Law 360 article, to confirm the insurance industry’s “worries that courts may interpret traditional policies to cover” these kinds of risks. The Law 360 article expressly cites Judge Gallagher’s ruling as an instance of “silent cyber.”
I will say that from my perspective, in considering the insurer’s arguments here, it almost seemed like the insurer was trying to dispute coverage as if the policy did not contain the Special Form Computer Coverage endorsement expressly defining “Covered Property” to include “Electronic Media and Records (Including Software)” and providing further that Electronic Media and Records expressly include “Data stored on such media.”
I do not profess expertise on property insurance coverage, and maybe there is more to it, but given the policy’s express language, it seems to me it was always going to be difficult for the insurer to argue that the company’s damaged data and software were not “covered property,” and, given that the policy expressly covers not only “physical loss” but “damage to” covered property, to argue that the company had to show complete destruction of the computer system to recover its damages.
As the Hunton Insurance Recovery Blog notes, the decision is significant because it shows that an insured’s business “does not need to be completely shut down in order to get insurance coverage.” A slow-down in functionality “should be sufficient to trigger coverage.”
At a minimum, the ruling is a reminder that cyber-insurance policies may not be the only source of insurance available in the event of a cyber-attack. Policyholders should carefully consider all their insurance policies to determine where coverage might be available. As the Hunton blog post notes, companies experiencing a cybersecurity incident should “carefully review and consider making a claim under all potential insurance policies.”
Readers of this blog, and indeed most insurance industry participants, are well aware that potential “silent cyber” exposures under traditional insurance policies are a big concern for insurers these days. As I noted in a recent post, there are a number of high-profile pending cases in which policyholders are seeking coverage for cyber-related losses under traditional insurance policies.
From their perspective, the insurers feel they never intended to pick up cyber-related losses under these “non-affirmative” policies. Insurers wary of these kinds of losses may well seek to amend their policies to try to avoid coverage for cyber-related claims. For that reason, policyholders and their advisors should, as I discussed in a recent post, be alert to any policy changes that may have the effect of narrowing coverage.
From the policyholder’s perspective, the willingness of courts to find coverage for cyber-related losses under traditional policies provides some comfort that companies can get insurance coverage when they experience these kinds of losses. But I am concerned that this good news for policyholders will be misinterpreted. In my view, it would be a big mistake for companies to conclude based on favorable decisions like this one that the companies do not need to buy cyber insurance policies.
Cyber policies provide much more comprehensive and much more specific coverage for cyber exposures. The policies provide both first-party and third-party coverage. Well-advised policyholders know that in order to be best protected against cyber exposures, a purpose-built cyber insurance policy is an indispensable part of their insurance program. Policyholders with questions about this topic should be sure to discuss this with their insurance advisors in order to fully understand how they will be best protected.