Ransomware and other cyberattacks are a consistent threat to businesses. Some buy cyberattack insurance in order to share that risk. But others do not. The question posed by this case is whether those others may be covered by other kinds of insurance. Continental issued a CGL to G&G that included commercial crime coverage. That coverage specifically stated that it would cover
loss of or damages to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”: a. To a person (other than a “messenger”) outside those “premises”; or b. To a place outside those “premises”.
During the policy period, G&G discovered that it was the victim of a ransomware attack, making its computer network useless until G&G paid the attacker ransom to unlock its systems. G&G ultimately paid over $34,000 to unlock its systems.
G&G submitted this claim to Continental under its commercial crime coverage. Continental denied G&G’s claim, because (1) G&G had not purchased the optional “Computer Virus and Hacking Coverage” and (2) G&G’s losses did not result directly from the use of a computer to fraudulently cause a transfer of G&G’s funds.
G&G sued, and both parties moved for summary judgment. The trial court granted Continental’s motion, and G&G appealed.
G&G argued that the ransomware attack was a form of computer fraud and, therefore, fell within the commercial crime coverage. But the Court disagreed:
As the term is commonly understood and defined, fraud is the “intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.” … Here, the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin. Although the hijacker’s actions were illegal, there was no deception involved in the hijacker’s demands for ransom in exchange for restoring G&G’s access to its computers.
Since there was no “fraud,” it did not matter whether G&G’s loss was “directly” caused by the use of a computer—it fell outside the scope of coverage. G&G, it turns out, should have bought that computer hacking coverage after all.
1. CGL policies that cover losses through the fraudulent use of a company’s computers do not cover the company’s losses from ransomware attacks.
2. If presented with the opportunity to buy cybersecurity insurance, you should strongly consider it.