Ohio Supreme Court Rules Insurance Provider Not Required to Cover Cyber-attack Costs

The seven justices of the Ohio Supreme Court unanimously ruled that an insurance company was not required to cover the cost of a ransomware attack. EMOI, a medical billing software company, sued Owners Insurance Company after Owners denied their claim following a 2019 incident. The court sided with Owners’ stance that EMOI’s claim was not covered under its policy because the cyber attack did not result in any “physical” damage. The Justices’ opinion stated:

“We find the language in the electronic-equipment endorsement to be clear and unambiguous in its requirement that there be direct physical loss of, or direct physical damage to, electronic equipment or media before the endorsement is applicable. Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case.”

The Events that Led to the Ruling

In September 2019, a hacker gained access to EMOI’s computer systems and encrypted files needed for using its software and database systems. After the attack, when a file was opened, a ransom note appeared notifying the user the files were encrypted and would only be restored when a ransom worth approximately $35,000 was paid.

EMOI decided to pay the ransom and most of their files were returned to normal after a decryption process. An automated phone system remained encrypted because the decryption key provided by the hacker did not work on the server that hosted that system. The ransomware attack did not result in any hardware or equipment damage. Afterward, EMOI upgraded its software systems and took other steps to enhance its defenses against any future attacks.

EMOI held a businessowners insurance policy with Owners, and it filed a claim within a day of the attack. Owners denied the claim on the basis that there was no physical damage to electronic equipment or media. Owners claimed under the policy media was defined as, “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards.”

EMOI sued and a district judge dismissed the case. In 2021, the appellate court ruled in EMOI’s favor, stating it could sue Owners for allegedly treating its claim in bad faith by failing to properly examine “the various types of damage that can occur to media such as software.” The case made its way to the state Supreme Court where the Justices ruled in Owners’ favor.

Takeaways

This case shows the standard businessowners insurance policy is not an effective strategy for recouping the costs associated with a cyber-attack. Any business that wants increased protection, needs to specifically explore cybersecurity insurance., which has been getting more expensive.

There is no escaping the cost of a cyber-attack, whether it’s cybersecurity insurance premiums and deductibles, paying the ransom after a ransomware attack, potential lawsuits, or damage to your reputation, the list of consequences is long. All organizations need to be vigilant in putting policies and procedures to prevent an attack and minimize the impact if one does happen. Steps your organization should be taking include:

• Testing your existing cybersecurity through breach readiness assessments, cyber risk assessments, and penetration testing
• Implementing phishing-resistant multifactor authentication
• Providing your employees with rigorous training to better spot phishing and other types of cyber-attacks
• Using a third-party risk management solution for identifying, managing, and mitigating risks associated with your suppliers or vendors.
• Working with a cybersecurity service provider to avoid any gaps in your security program caused by any labor shortages and staffing challenges

CompliancePoint offers a full suite of cybersecurity services, backed by our team of experts, that will help your organization design and implement a robust cybersecurity program. Contact us at connect@compliancepoint.com to more about how we can help your business.