The high-profile cyberattack on Colonial Pipeline Company is a poignant reminder of the new and ever-evolving risks corporate policyholders face. In addition to the risk of loss or damage from conventional causes, such as physical damage to property and equipment, companies must also contemplate their exposure to losses involving electronic transactions and electronically stored information. While prudent organizations are taking note and making commitments to better their cybersecurity, a comprehensive approach that maximizes protection should involve thoughtful consideration and analysis of insurance coverage.
In the case of Colonial Pipeline, the company was the victim of a “ransomware” attack, which features a category of malware that holds an organization’s data hostage—typically by encrypting one’s files—until payment is made. It was reported that Colonial Pipeline capitulated and paid the hackers approximately $5 million in ransom. Fortunately, Colonial Pipeline may have cyber insurance policies in place, which could help mitigate the impact of this attack on its business. However, the specific terms of coverage are unknown. Of concern, though, many in the power and energy industry forgo such coverage. A recent survey of 125 oil and gas companies indicated that 74% do not have cybersecurity insurance or coverage for data breaches, despite 38% of those companies increasing their cybersecurity budgets in 2020.[1] While improving an organization’s IT infrastructure is undoubtedly an essential component in protecting against cyber threats, insurance coverage is also important.
Unfortunately, securing adequate insurance coverage can be challenging. Capacity is down, and premiums are high as carriers retreat from the market. For example, one of Europe’s largest insurers, AXA, has announced that it will stop writing cyber-security policies in France that reimburse customers for paying off attackers.[2] Moreover, the coverage obtained does not necessarily cover the full spectrum of risks associated with cyber-related injuries. Such insurance is often nuanced. For example, a cyber policy covering losses due to fraud may not apply to losses from a ransomware incident, like what Colonial Pipeline Co. experienced. A recent case involving ransomware highlights how insurers can deny coverage under traditional computer fraud provisions for these types of cyberattacks, arguing that ransomware attacks are more “akin to an act of theft rather than fraud” and that exclusions pertaining to losses from a computer virus or hacking apply.[3] The Supreme Court of Indiana ultimately vacated lower court rulings that sided with the insurer’s arguments instead of finding that the policy covers the loss.[4] However, the case nevertheless illustrates the challenges companies may face when making claims under cyber policies for computer-related losses.
Looking ahead, organizations would be well served by reviewing their current insurance coverage for cyber threats, including ransomware, and assessing the spectrum of coverage provided. Crime policies and Kidnap and Ransom (“K&R”) policies that may extend to computer-related risks (or not specifically exclude them) should also be examined and considered. Protecting one’s organization against the impact of devastating attacks such as the one faced by Colonial Pipeline Co. requires a diligent and broad approach.
For more information contact David G. Jordan at DJordan@sdvlaw.com.
*Special thank you to Oliver Stallmach, SDV Law Clerk.
[3] G&G Oil Company of Indiana v. Continental Western Insurance Company, 145 N.E.3d 842, 844 (Ind. Ct. App. 2020).
[4] G&G Oil Company of Indiana, Inc. v. Continental Western Insurance Company, 165 N.E.3d 82, 91 (Ind. 2021).