Cyber Insurance and Ransomware: Traditional Property Policy Held to Cover Cyber Loss
Do you carry cyber insurance for your business? Do you know whether it covers “ransomware” attacks that delete or disable your data unless you pay the hacker to release it?
Ransomware attacks are increasingly common in all industrial sectors, and they frequently hit small and medium-sized companies. Such businesses make good targets because they are less likely to have a robust security and incident response plan in place, and therefore have no alternative way to restore their business data.
As cyber insurance has emerged in the insurance market, such incidents have become one of the many insurable risks under a cyber policy – and are generally excluded under other, more traditional policies.
A Maryland court recently ruled, however, that a printing and embroidery business was entitled to recover for a ransomware attack under its property policy. The company argued successfully for coverage under the clause covering “direct physical loss or damage to” company computer hardware and software, because the company had to replace and reinstall all its computers following a ransomware attack. The insurer had tried to argue that loss of data leading to a need to replace equipment and software was not a “physical” loss and would only be covered by a cyber policy (which the company did not carry).
The ruling is a noteworthy exception to the general rule that cyber losses are not covered by traditional property policies; but whether it will stand on appeal (or be followed by other courts) remains to be seen. The prudent course is to obtain standalone cyber coverage and to be sure it covers data loss and replacement as well as equipment replacement.