Hunton Insurance Recovery Blog

The Supreme Court of New Jersey recently agreed to hear ACE American Insurance Company’s appeal of an Appellate Division decision finding that a war exclusion in a property insurance policy did not preclude coverage for Merck & Co., Inc.’s claim stemming from a 2017 cyberattack. We previously reported about this case here.   

The Superior Court of New Jersey Appellate Division recently upheld a lower court’s finding that the war exclusion in a property insurance policy did not preclude coverage for Merck’s claim stemming from a 2017 cyberattack. The decision is appropriately being heralded as a huge win for policyholders and an affirmance of New Jersey’s longstanding history of protecting policyholders’ reasonable expectations. We previously blogged about developments relating to the war exclusion and the Merck case when it was initially heard by the Appellate Division.

Last week, the Ohio Supreme Court ruled in EMOI Services, L.L.C. v. Owners Ins. Co., 2022 WL 17905839 (Ohio, Dec. 27, 2022), that a policyholder did not suffer direct physical loss of or damage to computer media that was encrypted and rendered unusable.  The Court reached its ruling even though “media” was defined in the policy to include “computer software,” concluding that software does not have a “physical existence.” The Supreme Court’s decision reverses an Ohio appellate court’s earlier ruling that the cyberattack triggered coverage under a commercial property insurance policy and builds upon plainly distinguishable rulings in COVID-19 business interruption cases, such as Santo’s Italian Café, L.L.C. v. Acuity Ins. Co., 15 F.4th 398, 402 (6th Cir. 2021), where the Sixth Circuit found that government orders issued in response to the COVID-19 pandemic did not physically alter insured property.

Like other policyholders, hard insurance market trends, aggravated by cybersecurity risks, climate change, and COVID-19, have hit higher education policyholders, yielding reduced or limited coverages for increased premiums. These conditions – reduced coverages and higher premiums – are symptoms of a “hard” insurance market. (A hard market is caused by a mismatch between policyholders’ waxing demand for coverage and insurers’ waning risk appetite.) But higher education policyholders face unique risks that exacerbate existing market conditions, including:

Hunton insurance attorneys, Walter Andrews, Andrea DeField, and Sima Kazmir, recently published an article in the Daily Business Review, discussing the scrutiny that companies face as a result of increased cyberattacks as well as tips for your next cyber insurance renewal.

A recent U.S. Treasury Department report noted that through June 30, 2021, the total value of suspicious activity associated with ransomware transactions was $590 million. The standalone cyber insurance industry has grown to address this pervasive risk. These major shifts in the cyber landscape mean that ...

On September 21, 2021 and October 15, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued reminders of the sanctions risks for facilitating ransom payments to designated malicious cyber actors.  As discussed in our prior blogpost on OFAC's October 1, 2020 advisory, OFAC has made clear that it is increasingly willing to bring enforcement actions against entities, including cyber insurers, that facilitate payments to sanctioned threat actors on behalf of corporate victims.

This guidance should serve as a reminder to policyholders that ransomware and other cyber incidents trigger stringent regulatory and reporting requirements and that policyholders should consider engaging experienced advisors to develop a cohesive response strategy when cyber incidents occur.  OFAC’s guidance also should remind policyholders to carefully scrutinize cyber insurance coverages (and others) to ensure they provide the broadest possible coverage for cyber risks while still following OFAC guidance.

Is it illegal for an insurer to pay the ransom demanded in a cyber extortion or ransomware attack on its insured? According to the US Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) October 1, 2020 advisory (“OFAC Advisory”), in certain situations, it may be.

A Maryland federal court recently awarded summary judgment to National Ink and Stitch, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  We discussed the significance of the decision in a January 27 blog post that can be found here.

A Maryland federal court awarded summary judgment last week to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property And Casualty Insurance Company, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  This is significant because it demonstrates that insureds can obtain insurance coverage for cyber-attacks even if they do not have a specific cyber insurance policy.

In a recent Global Data Review article, Hunton Andrews Kurth insurance practice head Walter Andrews commented on the FBI’s guidelines on ransomware payments and the insurance industry’s aggressive marketing of ransomware policies, noting that policyholders now have a resource that can help cover the cost of such an attack. The full Global Data Review article can be found here.

The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.

Notwithstanding the absence of a congressional war declaration since Japan bombed Pearl Harbor, Zurich American Insurance Company has invoked a “war exclusion” in an attempt to avoid covering Illinois snack food and beverage company Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya virus in 2017. The litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018), remains pending in an Illinois state court.

In a recent article published in Internet Retailer, Syed Ahmad, Lorelie (Lorie) Masters, and Katie Miller discuss the risks retailers face when using smartphone-reliant technology and contactless payment systems, including ransomware attacks and other security breaches, and the insurance coverage necessary to address these potential risks.

Beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain's National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as "WannaCry," disables the user's computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through "phishing attacks," which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spread to other computers on the network. One infected computer can spread this virus network-wide, and quickly.

Reports of recent cyberattacks continue the discussion we started with yesterday’s blog post about common hurdles to coverage.  The hurdle for today’s discussion?  Ransomware.

Ransomware attacks are on the rise.  Security services company SonicWall reported that ransomware attacks increased by a factor of 167, from 3.8 million in 2015 to 638 million in 2016.  Similarly, insurer Beazley reported that ransomware claims quadrupled in 2016, and are expected to double again in 2017.

Despite these trends, many standard cyber forms do not cover ransoms to restore system access or to ...