Typically, comprehensive cyber
insurance policies, rather than commercial crime policies, respond to claims of
data breach and other cybercrimes. With the rise in hacking and ransomware
attacks worldwide, businesses that may have chosen not to purchase cyber
insurance may find themselves without coverage in the event of a cyberattack.

A recent decision by the Indiana
Supreme court rejected a policyholder’s attempt to force a cyber claim into
coverage under a commercial crime policy as a matter of law. In G&G Oil Co. of Ind. v. Cont’l W. Ins.
Co.
,[1] G&G
Oil (“G&G”) was subjected to a ransomware attack that left its computer
servers and drives encrypted and inaccessible. In order to obtain a decryption
passcode that would allow G&G to regain access to its servers, G&G paid
an approximate $35,000 ransom to the hacker in Bitcoin. Following the incident,
G&G filed a claim with its insurer, Continental Western Insurance Company
(“Continental”), seeking to recover the ransom it had paid.

Although G&G had
specifically declined to purchase computer hacking and computer virus coverage,
it sought coverage under the “computer fraud” section of its commercial crime
policy. That clause provided:

Computer Fraud

We
will pay for loss or damage to “money”, “securities” and “other property”
resulting directly from the use of any computer to fraudulently cause a
transfer of that property from inside the “premises” or “banking premises”:

  1. To a person (other than a “messenger”) outside those
    “premises”; or
  2. To a place outside those “premises”.

Continental denied the claim because G&G had declined to purchase the computer hacking coverage. More importantly, however, Continental also argued that the ransom payment did not fall within the computer fraud coverage because it did not result directly from the use of a computer and because the money was voluntarily paid and not fraudulently transferred.

The trial court sided with Continental, finding that G&G Oil’s payment to the hacker did not qualify as a loss “resulting directly from the use of a computer” under the Policy and instead “was a voluntary payment to accomplish a necessary result.”[2] The Court of Appeals affirmed the decision in a unanimous opinion, finding that “the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom” and that “the hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase Bitcoin.”[3]

On appeal,
the Indiana Supreme Court addressed whether the ransomware attack constitutes
“fraudulent conduct” under the policy, and whether the loss resulted directly
from the use of a computer. While the lower courts’ decisions were reversed,
the high court did not conclude that there was coverage available. Rather, it
held that neither party was entitled to summary judgment based on the facts.

First, the
Supreme Court recognized that G&G had failed to purchase the coverage that
may very well have applied to the ransomware attack. However, it did not find
that dispositive because each part of the policy must be read individually.

Next, the
Supreme Court considered the language of the computer fraud coverage. It found
the phase “fraudulently cause a transfer” to be unambiguous, but construed too
narrowly by the lower courts. The Court recognized that the “interplay between
computer fraud coverage and computer hacking is an emerging area of the law,”
and concluded that computer hacking can take multiple forms. The term
“fraudulently cause a transfer” meant “to obtain by trick.” The Court decided
that not every ransomware attack is fraudulent. For example, if no safeguards
were put in place, a hacker could enter servers and hold them hostage without
any trick. There was a question as to whether access to G&G’s computer
systems were obtained by trick, and little was known about the hack itself.

Next, the
Court examined whether the loss “resulted directly from the use of a computer.”
Continental had argued, and the lower courts had agreed, that G&G’s
voluntary transfer of Bitcoin was an intervening cause that severed the causal
chain of events from the computer to the loss. The Court concluded that
although G&G’s transfer was voluntary, it was made only after consulting
with the FBI and other computer tech services. The payment was made under
duress, essentially, and therefore it was not so remote that it broke the
causal chain.

The G&G Oil decision does not mean that
commercial crime policies will necessarily afford coverage for cyberattacks, or
that commercial crime insurance is a replacement for cyber insurance. In the
future, as this area of the law becomes further developed, we expect that
courts may also consider the fact that cyber policyholders often undergo a
thorough vetting process of their cybersecurity defenses. This process may help
to identify and address potential vulnerabilities before policies are issued,
and to allow insurers more of an understanding of the risks involved. By
contrast, the underwriting process for traditional crime insurance policies may
not include a cybersecurity focused examination of the potential insured.

What is
certain from the G&G Oil case is
that Indiana courts will interpret policy language based on the terms used, and
will evaluate each claim on the specific facts involved.


[1]
165 N.E.3d 82 (Ind. 2021)

[2]
G&G Oil Co. of Indiana v. Continental
Western Ins. Co.
, No. 49D06-1807-PL-028267, 2019 WL 12023254, at *3
(Ind.Super. May 30, 2019)

[3]
G&G Oil Co. of Indiana v. Cont’l W.
Ins. Co.
, 145 N.E.3d 842, 847 (Ind. Ct. App.), reh’g denied (June 4, 2020), transfer
granted, opinion vacated
, 157 N.E.3d 527 (Ind. 2020), and vacated sub nom. G&G Oil Co. of Indiana v. Cont’l W. Ins. Co.,
165 N.E.3d 82 (Ind. 2021).