Cybersecurity Insurance’s Usefulness Questioned Yet Again
Cybersecurity insurance policies are considered by many to be a last resort safety net that, when things go wrong in a terrible way, provides at least a bit of hope for some form of compensation.
Leaving aside the hard-to-disprove "Acts of War" exclusion found in most such policies, another nail was hammered into the proverbial coffin of cybersecurity insurance over the holiday period, courtesy of the Ohio Supreme Court, with the potential to turn many existing policies into little more than worthless sheets of paper.
Rewinding the Story
In 2019, an Ohio-based company was, unfortunately, hit by a ransomware attack. Nothing about it was out of the ordinary: ransomware was, and continues to be, a very lucrative business, and there are plenty of would-be victims around the world. The ransom demanded was 3 bitcoins, at the time valued at around 35,000 dollars. For reasons not relevant to this story, the company took the (ill-advised) step of paying the ransom in order to regain access to its own files. So far, the story is similar to hundreds of others all over the world.
The next day, because the company carried cybersecurity insurance, it filed a claim with its insurer to recoup the ransom payment as well as the associated damages (lost business revenue).
This is where it gets interesting. The same day the claim was filed, the insurer replied and denied it, stating that the ransomware had caused no "direct physical damage" and that, as such, nothing would be paid.
Understandably unhappy with that response, the Ohio company took the insurer to court and, to much surprise, lost: the initial ruling upheld the insurer's position that "no physical damage existed", on a cybersecurity insurance claim.
Still unhappy with the result, the company appealed, and suits and counter-suits followed until the matter reached the Ohio Supreme Court, which issued its ruling at the end of December 2022. In what appears to be a short-sighted decision, the court sided with the insurer, adding (loosely quoted) that "there can be no physical damage, as software is a set of computer instructions" (...) "a set of ones and zeroes". Again, keep in mind that this is in relation to a cybersecurity insurance policy claim.
How this Decision Changes the Playing Field
Truth be told, physical damage has happened in the past as a result of ransomware infections. Fatalities have even been thought to be directly linked to ransomware infections, though the link was later disproved. It takes a very special kind of environment for a ransomware infection to cause physical damage (healthcare equipment malfunctioning or automated factory equipment going haywire, for example), and even then the malfunction would have to be extreme. Such cases are the absolute minority, a rounding error among the thousands of ransomware incidents.
As the court correctly notes, ransomware infections affect software, and data (which the ruling did not specifically mention), and those are indeed a set of ones and zeroes. It is just a very valuable and terribly important set of ones and zeroes. So valuable, in fact, that companies buy insurance for it as part of their cybersecurity posture.
This raises the question, then, of what exactly the insurers are protecting the insured from. A floppy disk ejecting too fast and hurting someone? Someone scalding a finger on an overheating server that is busy encrypting its own files?
A decision by a state supreme court sets a precedent (known as stare decisis in legalese): it binds the lower courts of that state and is persuasive authority elsewhere. Going forward, insurers can point to this decision to refuse compensation under any policy written in "physical damage" terms, which in practice nullifies such policies for the one scenario they are most often bought for.
Cybersecurity without a Safety Net
If you work at a company that holds such a policy, or are responsible for acquiring one, then it is strongly advised to ask your insurer for clarification, preferably in writing, on which situations are actually covered: specifically, whether a ransom payment, data restoration and business interruption are covered events in their own right, or whether the policy only pays out on "physical loss or damage". Adjust your expectations accordingly. Like backups, the true state of this kind of insurance is only known when it is tested and, again like backups, it always seems to be broken when you need it most.
Consider shifting priorities in cybersecurity spending. Investing in better security controls and improved operational practices is probably the better investment, as the holes in the safety net keep getting bigger. It is becoming ever harder to count such a policy as a useful security measure at all.
As a final remark, it will be interesting to follow the same argument into a related field where it is likely to hold, with the same unfortunate reasoning: copyright. It is still just ones and zeroes, right? It makes you wonder how long it will be until a diligent lawyer makes that argument in such a case.
But that’s a story for another day.
Happy New Year.