The Matrix

The Ohio Supreme Court recently ruled that the “Electronic Equipment” endorsement of a property insurance policy does not provide coverage for a policyholder’s losses following a ransomware attack.  In EMOI Servs., LLC. v. Owners Ins. Co., 2022-Ohio-4649 (Ohio 2022), the Ohio Supreme Court reversed an appellate court’s decision which held, among other things, that there was potential coverage under the “Electronic Equipment” endorsement because damage to software could constitute “direct physical loss of or damage” to covered property.  

The increase in cyber breaches and hacks has resulted in litigation, some involving policy interpretation, and some involving new theories of liability. The two cases described below are illustrations of the types of issues that businesses, insureds and insurers continue to face as result of cyber liability. In the first case, the court found that a traditional general liability policy could provide coverage for a cyber breach, a result likely not anticipated by the insurance carrier, nor possibly by the insured. The second case involves injury and death, allegedly caused by a hospital’s inability to use monitoring equipment during a birth because the equipment was inoperable due to a ransomware attack, that likely would be covered under a traditional medical malpractice policy despite the fact that it was a cyber attack that gave rise to the claim for injury and medical negligence.

Corporate policyholders, insurers and courts continue to grapple with the question of whether traditional “non-cyber” business insurance policies provide coverage for losses from cyberattacks.  The most recent decision addressing this “silent cyber” issue came last month in EMOI Services, LLC v. Owners Insurance Company, 2021 -Ohio- 3942, 2021 WL 5144828 (Ohio App. 2 Dist., Nov. 5, 2021).  In EMOI Services, an Ohio Court of Appeals panel reversed a trial court’s grant of summary judgment in favor of an insurer that found no coverage for a ransomware attack under a property insurance policy.   

As cybersecurity incidents increase in frequency and scope, cyber insurance policies are an important tool for companies to mitigate loss from such incidents.  Recent surveys of small and medium businesses reveal, however, that many respondents do not carry cyber insurance.[1] And for those that do, the cost of such coverage is rising.  For companies considering purchasing or renewing a cyber policy in light of new or increasing risk, this article provides a brief primer on the types of coverages that cyber policies offer, potential add-ons to coverage, common conditions and exclusions, and other cyber insurance-related questions.