The Matrix

The Ohio Supreme Court recently ruled that the “Electronic Equipment” endorsement of a property insurance policy does not provide coverage for a policyholder’s losses following a ransomware attack.  In EMOI Servs., LLC. v. Owners Ins. Co., 2022-Ohio-4649 (Ohio 2022), the Ohio Supreme Court reversed an appellate court’s decision which held, among other things, that there was potential coverage under the “Electronic Equipment” endorsement because damage to software could constitute “direct physical loss of or damage” to covered property.  

Corporate policyholders, insurers and courts continue to grapple with the question of whether traditional “non-cyber” business insurance policies provide coverage for losses from cyberattacks.  The most recent decision addressing this “silent cyber” issue came last month in EMOI Services, LLC v. Owners Insurance Company, 2021 -Ohio- 3942, 2021 WL 5144828 (Ohio App. 2 Dist., Nov. 5, 2021).  In EMOI Services, an Ohio Court of Appeals panel reversed a trial court’s grant of summary judgment in favor of an insurer that found no coverage for a ransomware attack under a property insurance policy.   

Last week, the Federal Bureau of Investigation issued a private industry notification warning that “ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.” The FBI cautioned that ransomware attackers research publicly available information and target companies involved in significant, time-sensitive financial dealings such as M&A and other transactions. This initial reconnaissance, according to the FBI, is later followed by a ransomware attack and a subsequent threat that unless the victim pays the ransom, the attackers will disclose the information publicly, causing potential investor backlash and affecting the victim’s stock value.

On September 21, 2021, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated ransomware advisory (the “2021 Guidance”), which supersedes its 2020 ransomware guidance (the “2020 Guidance”), discussed in a previous post on this blog. 

In the 2021 Guidance, OFAC notes that ransomware payment demands have escalated during the COVID-19 pandemic as U.S. businesses maintain significant online and internet-connected activities.  OFAC identifies a 21 percent increase in ransomware attacks and a 225 percent increase in ransomware losses as reported by the Federal Bureau of Investigation (FBI).  The  pandemic has presented numerous opportunities for cyber actors to target system vulnerabilities, particularly smaller businesses and municipal entities with limited resources for cybersecurity investments as well as entities supporting critical infrastructure, such as hospitals, that are likely to make quick payments to avoid service disruptions to patients. 

Given the speculation and concern over ransomware attacks impacting the 2020 U.S. election, the recent spate of private companies falling victim to such attacks, and the October 1, 2020 advisory issued by the Department of Treasury (“Advisory”), it is no surprise that ransomware is trending in cybersecurity.