The insured was locked out of its computer systems with the hard drives encrypted as a result of a ransomware attack. It ultimately paid the requested ransom with four bitcoins valued at nearly $35 000 before it regained access to its computer systems. The court held that, if fraud was established, the insurers would have to pay the ransom loss under computer fraud coverage despite the fact that the insured had not purchased the available computer virus and hacking coverage.
The policy covered loss “resulting directly from the use of any computer to fraudulently cause a transfer of money”. The court held that the phrase “fraudulently cause a transfer” is unambiguous and could reasonably be understood to mean “to obtain by a trick”. If no safeguards were put in place and it was possible for a hacker to enter the company’s server unhindered and hold them hostage, there would have been no trick. Summary judgment was therefore refused so that it could be determined whether the insured could prove that the hack resulted from some sort of deception, such as a targeted spear-phishing email. The court also held that the loss resulted “directly from the use of a computer”. Even though the payment of the bitcoin was voluntarily made, in the sense of consciously made, it was made under duress and resulted directly from the use of a computer. The ransomware payment would therefore be covered by the policy if deception was proved.
The court made the following observation: “First, the interplay between computer fraud coverage and computer hacking is an emerging area of law. Courts have had limited opportunities to construe these types of provisions. Second, computer hacking can take multiple forms. It can hardly be disputed that today’s digital environment invites evolving degrees of cyber-malfeasance”.
First published by: Financial Institutions Legal Snapshot