The Indiana Supreme Court is deciding whether ransomware attacks are covered by insurance.
Two lower courts have ruled a Muncie fuel distributor can’t collect on its “computer fraud” coverage. G-and-G Oil’s policy included coverage for the loss of money “directly resulting from the use of any computer to fraudulently cause a transfer of money.” Continental Western Insurance says G-and-G’s losses weren’t the result of fraud, but the company’s decision to pay the ransom.
G-and-G argues past cases make clear a “direct” loss encompasses the entire chain of events.
Continental Western attorney Dana Rice told the justices the coverage would apply if hackers got access to the company’s bank account and siphoned money out. In this case, he says, the fraud isn’t what caused the loss — if there was fraud at all. G-and-G believes but isn’t certain that the hackers gained access to the computers through a phishing attack. Rice says that’s beside the point. He says if a burglar had broken in and manually uploaded ransomware, there’d be no “fraud” at all.
Continental Western also argues it offered coverage specifically addressing the loss of computer access, and G-and-G opted not to purchase it. G-and-G attorney George Plews says that’s an unrelated section of a bundle of six different policies. He says the relevant section is the property-loss policy, and says the company didn’t purchase additional cybercrime coverage because it already had it.
As always, there’s no indication when the justices will rule.