Some policyholders mistakenly assume that all cyber insurance policies cover much the same types of losses. But unlike many other types of commercial insurance, cyber has not become standardized in the years since its inception. Instead, the cyber insurance market offers policyholders a menu of coverage options, from which the organization must purchase specific insuring agreements that match its risk profile. Cyber losses can result from cyber extortion (including the use of ransomware), theft, denial-of-service attacks, network disruption, and a host of other causes, and can lead to different types of losses, including ransom payments, business interruption, third-party liability due to unauthorized disclosure of confidential information, and regulatory defense and penalties – to name just a few. A given insurance policy may cover any combination of these losses, and some coverages may be optional. It is incumbent on the policyholder to know the risks it needs insured and work with its broker and coverage counsel to find the right policy.
A decision last month by a federal court in Oregon highlights the risk of litigation when coverage is not clear. In Yoshida Foods International, LLC v. Federal Insurance Company, the policyholder suffered a ransomware attack demanding payment of $107,074.20 in cryptocurrency to recover encrypted data. Because Yoshida lacked access to cryptocurrency, one of its executives paid the ransom from his personal cryptocurrency account and was later reimbursed by the company. The policy did not explicitly provide coverage for extortion, ransomware, or encryption, but did cover a “direct loss” caused by “Computer Fraud,” which included unlawful taking of money resulting from unauthorized entry into a computer system. Federal refused to cover the ransomware payment, arguing among other things that the payment was not a “direct loss” insured by the computer fraud coverage grant because the company’s reimbursement to its executive was an indirect or consequential loss, and because the transfer of funds represented the company’s conscious decision instead of direct theft by the criminals. Over Federal’s objections, the district court found the policy language was broad enough to encompass the ransomware attack, obligating the insurer to indemnify Yoshida for its loss. The policyholder prevailed – but only after litigating the scope of the insurance policy that it purchased.
The Yoshida Foods decision is not binding on other courts, and another jurisdiction could reach a different interpretation of similar policy language. But the coverage dispute might have been avoided if the policy included a specific coverage grant for extortion and ransomware. Amid the assortment of options in the cyber insurance market, policyholders are well advised to shop for policies that clearly identify the risks the organization intends to cover, while also paying attention to limits, definitions, conditions, and exclusions.