Ohio Supreme Court says insurance policy does not cover ransomware attack on software News
Ohio Supreme Court says insurance policy does not cover ransomware attack on software

The Ohio Supreme Court Tuesday unanimously overruled a judgment of the Ohio Second District Court of Appeals and moved that there must be “direct” physical loss or physical damage in the company’s computer software for insurance policy coverage.

In the three-year court proceedings between the greater Dayton medical billing software maker EMOI and its insurance service provider Lansing, Michigan-based Owners Insurance Company, the latter asserted that the insurance contract unambiguously stated only “direct physical loss” or “direct physical damage” to media would be covered under the insurance policy. The court in its final ruling gave the rationale that a computer might have physical electronic components that are “tangible” in nature but the information stored there has no “physical presence”; thus a ransomware attack on the company software has no coverage under the company’s insurance policy. The judgment against EMOI concludes that a software developer can’t use its property insurance to cover losses.

A district judge had dismissed EMOI’s case against Owners, which the developer brought forth just months after the attack. But the appellate court in November 2021 had ruled in favor of EMOI stating that the claimant could sue the insurance company for allegedly treating its claim in bad faith by failing to properly examine “the various types of damage that can occur to media such as software”.

Owners insurance in its memorandum in support of jurisdiction wrote:

“… Everything from personal phones and computers to cars, voting machines, and pipeline control systems have been “hacked” or “ransomed”. The increased use and reliance on digital information and services developed over the years have opened ripe new target areas to exploit…A specialized type of insurance protection has been developed to provide insurance for digital ransom or other “cyber loss”. The reason that it was developed is that traditional commercial or business property insurance does not contemplate such coverage…Wish as it might that it had purchased a ‘cyber’ policy that might have provided coverage for this situation, EMOI did not….”

Similar claims have been settled in the favor of insurance companies, setting a trend of exclusion from the private sector and liability insurance policies for cyber attack incidents.  As a result, there is a surge in interest for specialist cyber insurance to cover instances such as ransomware attacks that do not cause direct physical damage. In turn, the cyber insurance sector has taken steps to increase premiums, limit underwriting amounts and establish its own set of exclusions, most notably, cyberattacks associated with war. The U.S. government started a study in September to assess whether it should offer a backstop or other safeguard mechanisms to make sure that cyberattacks with catastrophic repercussions are insured.