In Emoi Services LLC v. Owners Insurance Company, the Ohio Supreme Court recently found software is an intangible item that cannot experience direct physical loss or damage and, therefore, the plaintiff’s inability to access or use its software during a ransomware attack was outside the scope of its "businessowners" policy. This decision reinforces important principles all organizations must consider when examining the nature and scope of their cybersecurity posture and insurance needs.
The Emoi decision
Computer software company Emoi Services furnishes health care providers with online services for medical applications, claims processing and revenue management. In September 2019, a threat actor launched a ransomware attack against Emoi, encrypting its software programs and rendering its online services unusable. In response, Emoi paid a ransom of approximately $35,000 in exchange for decryption keys. Ultimately, the majority of Emoi’s systems and files were returned to their normal state of operations following the decryption process.
At the time of the cyberattack, Emoi had a businessowners policy with Auto-Owners Insurance Group. Emoi filed a claim seeking to recover the damages it incurred. Owners denied the claim and rejected Emoi’s argument that the businessowners policy’s “electronic equipment” endorsement provided coverage. The endorsement essentially required Owners to reimburse Emoi (i) for direct physical loss of or damage to “media” that it owned, leased or controlled as a result of the covered event and (ii) for costs to research, replace or restore information on “media” that incurred direct physical loss or damage by a covered event. The term “media” was defined in the endorsement as “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards,” and includes “computer software and reproduction of data contained on covered media.”
The Ohio Supreme Court ultimately agreed with Owners’ position that the electronic equipment endorsement did not apply to the ransomware attack. The court noted the endorsement required “direct physical loss of, or direct physical damage to, electronic equipment or media before the endorsement is applicable.” According to the court, because “software is an intangible item that cannot experience direct physical loss or direct physical damage,” the endorsement did not apply.
Key principles and lessons learned
Regardless of whether an organization is subject to this Ohio Supreme Court precedent, the Emoi decision reinforces key principles all businesses should understand when seeking to procure new or renew existing cyber insurance.
General insurance coverage is not a substitute for cyber insurance
It is well known that ransomware attacks, business email compromises and other types of cybercrime have increased over the last several years. Unfortunately, cyber criminals receive significant financial assistance and other support from nation-state actors and criminal enterprises, enabling cyberattacks to become more complex and damaging to businesses.
The insurance industry has been at the forefront of recognizing and responding to the evolution of cyber threats. In particular, insurers have been developing new coverage, exclusions and vetting processes to better align their cyber policies with real-world threats and risks presented by businesses seeking coverage. For example, cyber insurance policies are often specifically crafted to address damages resulting from cyberattacks, such as network failures, loss of productivity and business income, fraudulent wire transfer payments, reputational damages, and incident response costs.
Often, general business and property insurance policies do not seek to address the specific harms, threats and costs that arise in cyberspace. Accordingly, businesses should engage their insurance brokers and carriers to determine whether they need additional cyber insurance coverage to address potential deficiencies within their general business and property insurance policies.
Technology companies should also consider technology errors and omissions policies to protect themselves from allegations of negligence or failure of the technology and subsequent liability. Specialized forms address the blended cyber and professional liability exposure for technology companies because a software failure could result in a cyber liability incident.
Assess cyber insurance exclusions
As carriers developed insurance policies to address the nuances of cybersecurity, they also developed specific cyber environment exclusions to more equally allocate risk between them and their policyholders.
For instance, it is common for insurance policies to have “war exclusion” clauses to ensure carriers are not required to cover the catastrophic financial burdens concerning damages and losses arising in the context of an armed conflict. Accordingly, insurance providers have been adopting war exclusions into the cyber context, which often exclude coverage within the policies for damages and losses from cyber operations occurring during a military conflict, retaliatory cyber operations between certain nation-states and cyber operations having detrimental influence on a nation-state.
Further, cyber insurance policies generally exclude any coverage with respect to payments to persons or entities on export control lists or who are otherwise sanctioned by a U.S. government entity (e.g., the Specially Designated Nationals and Blocked Persons List). In addition, it is common for cyber insurance policies to include express limits on the amount a carrier is required to reimburse a policyholder for damages caused by specific types of threats or attacks, such as ransomware or business email compromises.
It is imperative for businesses to engage with their insurance brokers and carriers to understand the scope of their cyber policies, including any applicable exemptions and limitations. In the event such insurance coverage is not adequate or a policy’s cyber-related exclusions significantly reduce the scope of recovery, organizations should consider procuring supplemental or replacement coverage, or undertake other measures to broaden their existing coverage, such as reducing their risk profile with enhanced security controls.
Security, security, security
Although cyber insurance is a necessary measure to mitigate damages and losses from a cybersecurity event, information security controls are an organization’s primary mechanism to protect against cyber risk. To ensure the greatest results, organizations should align their information security programs with industry-recognized data protection frameworks, such as the Cybersecurity Framework set forth by the National Institute of Standards and Technology.
The U.S. government routinely encourages organizations to maintain specific technical security measures to bolster their cyber hygiene, such as implementing multifactor authentication, antivirus and anti-malware scanning tools, encryption, business continuity measures, email spam filters, software update protocols, and network filtering solutions.
It is important for organizations to continually assess their cyber risk profiles and test their information security controls and protocols to ensure adequacy in light of evolving threats. Employee security and awareness training including phishing simulations is essential and good risk management for companies of all sizes. They should also undertake tabletop exercises to ensure senior leaders within their organizations are prepared to address the complex issues that arise during ransomware attacks or other cybersecurity events.
In many circumstances, insurance brokers and carriers offer cybersecurity-related consulting services to assist policy holders with assessing and bolstering their information security programs. They also have professional relationships with data security consultants and can help policyholders retain specialized security products and training at discounted prices.