A unanimous Indiana Supreme Court on March 18 reversed a lower court's ruling that Continental Western Insurance Co. doesn't have to cover a series of bitcoin ransom payments that policyholder G&G Oil Co. made to a hacker to restore access to the company's computer systems. The decision was the first by a state top court to weigh in on the applicability of crime insurance to a ransomware attack.
The crux of the coverage dispute is whether G&G's payments trigger the computer fraud provision in its commercial crime policy with Continental Western, which extends coverage only for losses "resulting directly from the use of any computer to fraudulently cause a transfer of money."
The Indiana Supreme Court found that G&G's ransom payments did indeed result directly from the use of a computer, rejecting Continental Western's assertion that the oil company's "voluntary transfer of bitcoin was an intervening cause that severed the causal chain of events."
"These payments were 'voluntary' only in the sense G&G Oil consciously made the payment," Justice Steven David wrote for the court. "To us, however, the payment more closely resembled one made under duress. Under those circumstances, the 'voluntary' payment was not so remote that it broke the causal chain."
However, the court said the available evidence on the circumstances of the ransomware attack was too thin for it to decide whether the attack "fraudulently caused a transfer of money" — a requirement that the Indiana justices said may be met if the hacker obtained access to G&G's computer systems "by trick," or deception. As a result, the state high court stopped short of ruling that G&G is entitled to coverage for the bitcoin payments and returned the case to the trial court for further fact-finding on the nature of the hacker's scheme.
Anderson Kill shareholder Joshua Gold, who represents policyholders, told Law360 that the Indiana high court's decision, while not an outright win for G&G, will be highly useful to victims of ransomware attacks and other cybercrimes that are seeking coverage under traditional crime insurance. Insurance companies often argue that the coverage is unavailable to policyholders that make payments to fraudsters who carry out ransomware attacks and "social engineering" scams, in which criminals trick businesses into sending money by posing as a partner or customer, Gold said.
"The Indiana Supreme Court applied a very pragmatic and real-world analysis of what unfolds in a ransomware scenario," he said. "Calling ransom payments and funds transfer payments 'voluntary' misses the point: If the policyholder does not make them, it could face a loss of its computer systems' functionality or entire business venture."
But Stewart Smith counsel Nace Naumoski, who represents insurers, told Law360 that the decision was in error and "injects more confusion and uncertainty into" the debate surrounding coverage for ransomware attacks and other cyber incidents.
Naumoski pointed out that some insurers offer dedicated cyber insurance policies that explicitly cover ransomware-related losses, unlike the crime policy that G&G bought from Continental Western. Insurers selling specialized cyber coverage typically engage in thorough vetting of prospective policyholders' cybersecurity defenses before issuing policies, which can help head off ransomware attacks before they happen, Naumoski said.
"With more cyber-specific policies, policyholders are required in the underwriting process to look at potential vulnerabilities in their systems and networks on the front end, which can lead to more prevention," he said. "By contrast, where, as here, a court bends over backwards to find coverage for a ransomware attack where a plain and ordinary meaning should result in denying coverage, it eliminates incentive for the policyholder to take preventative measures on the front end."
G&G's woes date to November 2017, when it discovered that it had been the victim of a ransomware attack that left its computer servers and drives encrypted and inaccessible, according to court documents. G&G purchased four bitcoins with a total value of nearly $35,000 and then transferred them to the perpetrator in exchange for the decryption passwords, court papers said.
When Continental refused to cover G&G's losses, the oil company sued in Indiana state court. In May 2019, a trial court granted Continental Western's motion for summary judgment, concluding G&G's bitcoin payments were not the result of the fraudulent use of a computer as required for coverage. Instead, the court likened the hacker's actions to those of a thief rather than a fraudster. In March 2020, a three-judge panel of an Indiana appeals court affirmed the trial court's ruling, leading G&G to seek the Indiana Supreme Court's review.
In reversing the lower courts, the Indiana high court found that, consistent with the terms of the Continental Western policy, the hacker's use of a computer to enact the ransomware attack directly caused G&G to make the bitcoin payments, notwithstanding the fact that the oil company consulted extensively with information technology professionals and the FBI before doing so. The Indiana justices construed the word "directly" to mean either "immediately" or "proximately."
"Analyzing G&G Oil's actions in this case, its transfer of bitcoin was nearly the immediate result — without significant deviation — from the use of a computer," Justice David wrote.
Kennedys partner Joshua Mooney told Law360 that the Indiana high court muddied the waters by holding that a loss can be direct if it is either immediately or proximately caused by the use of a computer, as the two terms involve much different standards. Even under the looser proximate cause standard, however, G&G's claim should not trigger coverage, he said.
"Whether or not a company pays a ransom is a deliberate process that requires a lot of thought and steps to carry out," said Mooney, who represents insurers. "This is not a situation like a business email compromise where someone is immediately tricked or fooled into sending money to a bank account. Even if the malware got into the system by trick, the ultimate decision to pay a ransom is not accomplished through foolery. Payment is a deliberate action taken by the policyholder after much consideration."
On the other hand, Anderson Kill's Gold said it was important for policyholders that the state high court recognized "that a proximately caused, and not just immediate, event can satisfy" computer fraud provisions' requirement that a loss result directly from computer use.
"If the loss does not 'immediately' follow the actual hacking event, insurers often will contest coverage," he said. "The court's recognition of proximate cause was a major boon for policyholders."
Troutman Sanders partner Samrah Mahmoud, who also represents insurers, said she is not convinced that other courts interpreting similar computer fraud provisions will follow the Indiana high court's lead.
"Whether the loss resulted directly from the use of the computer is a point I could see courts disagreeing about, and one that will be a sticking point in this emerging area of the law," she said. "I suspect that not every court will view this phrase as broadly as the Indiana Supreme Court did."
On remand to the trial court, G&G will still have to prove that the hacker obtained access to its computer systems by a deceptive trick. While G&G has posited that the hacker was able to implant ransomware via a "spear-phishing" email sent to one of the oil company's employees, the Indiana Supreme Court said this speculation is insufficient by itself to trigger coverage.
The state high court opined that not "every ransomware attack is necessarily fraudulent," noting that a hacker can easily break into a company's network without resorting to trickery if the company failed to set up an adequate security system. The evidence will need to be further fleshed out to illuminate whether the success of the hacker's scheme was attributable to deceptive tactics or some shortcoming in G&G's cybersecurity, the court found.
Hunton Andrews Kurth LLP partner Walter Andrews said that to secure computer fraud coverage, G&G — and other policyholders embroiled in similar ransomware coverage disputes — will likely need to show they have safeguards in place to prevent employees from falling prey to cyberattacks, such as the use of spam filters and up-to-date training.
"For instance, who hasn't been the subject of innumerable phishing training exercises and test emails already? It will be easy for such companies to establish that the cause of the transfer was fraudulent and not 'unhindered,'" he said.
Andrews added that if Continental Western and other insurers had wanted to exclude ransomware payments from the scope of crime insurance, they could have "written much more restrictive policy language."
"But they chose not to do so and they must live with that choice, which is consistent with case law around the country that reviewed similar policy language," he said.
Gold said that the case serves as a reminder that businesses should be diligent in engaging computer forensic analysts "early on and in a thorough fashion" after a ransomware attack comes to light to try to trace the attack to its source.
"It appeared based on the evidence relied upon by [G&G] that a detailed analysis may not have been available, and the court was therefore unable to surmise at this stage that some trick or fraud was used by the criminal to grant summary judgment," he said. "A detailed forensic report illuminating the methods utilized by the hacker to enter the system likely would have likely dispelled the court's concerns about entering summary judgment for the policyholder outright."
Mooney of Kennedys said the timing of the Indiana Supreme Court's decision is "a bit ironic," given that the prominent Lloyd's of London insurance marketplace and insurance regulators such as the New York Department of Financial Services and Bermuda Monetary Authority have issued guidance in recent years calling on insurers to take action to narrow their exposure to cyber-related risks under traditional non-cyber policies.
"This decision potentially does the exact opposite," he said.
For policyholders, though, the ruling is further confirmation that traditional policies may potentially cover these so-called silent cyber claims, said Barnes & Thornburg LLP partner Scott Godes, who co-authored an amicus brief for the nonprofit policyholder advocacy group United Policyholders in support of G&G.
"If regulators are suggesting that insurance companies need to tighten up policies to eliminate 'silent cyber' exposure, this is indicative that these policies can be read in a way to cover those cyber risks," he said.