Companies without cyber insurance can find themselves in difficult situations. As more and more vital business functions migrate to electronic systems, companies without cyber insurance have to try and find coverage for any damage to their systems through traditional insurance policies. That approach can work depending on the specifics of a policy and a claim, but it might lead to additional legal costs fighting with the insurance company.
A graphics and screen printing company recently discovered this in respect to a ransomware attack the company suffered in 2016. National Stitch and Ink is a Maryland company that lost access to its data and software as part of a cyber attack. The company had to hire an information technology contractor to restore its systems to working order, but the protective systems installed rendered the system slow and caused a decrease in efficiency and the recovery of a number of intellectual property items such as artwork could not be completed. Lacking a cyber insurance policy, the company filed a claim through its traditional property coverage. The insurance company, State Auto Property & Casualty Insurance, denied the claim. National Stitch and Ink filed a lawsuit seeking a judgment against State Auto requiring them to cover the claim.
The Court’s analysis focused on the specific language of the insurance contract. Maryland follows the general rule that ambiguities in an insurance contract should be resolved in favor of the holder. The policy at issue explicitly provided coverage for electronic data processing and software and the data stored on electronic data processing media. It also provided coverage for “direct physical loss or damage” to such property.
Looking to the plain language of the contract, the Court determined that the ransomware attack caused “damage” both to National Stitch and Ink’s data and the computer system on which it was stored. Because of the broad language in this particular policy, the Court did not apply a number of precedents that required some type of direct physical damage to the servers or computers in order for a property policy to cover this type of loss. This meant that State Auto Property & Casualty had to cover the loss.
Unfortunately for companies that do not wish to purchase cyber coverage, most property policies have been modified to explicitly exclude coverage for this type of loss. Insurance companies are consistently tightening the language in standard policies to ensure those policies will not cover cyber losses. This makes the purchase of cyber coverage even more important for most businesses, as creative legal arguments attempting to find coverage under other policies are less likely to succeed. Instead, companies must find competitive and broad cyber coverage in the insurance marketplace that fits their company’s needs.