Does computer fraud coverage include ransomware payments? The Indiana Supreme Court believes so
For several years now, courts have wrestled with the issue of whether computer fraud coverage under a commercial crime policy covers business email compromise (BEC) attacks. An example of a BECs is where an insured is emailed new payment instructions purportedly coming from a vendor when in fact the email comes from a threat actor, thereby tricking the insured into wiring payment to a wrong account. Compare Apache Corp. v. Great Am. Ins. Co., 662 F. App'x 252 (5th Cir. 2016) with Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co., 895 F.3d 455 (6th Cir. 2018). Last week, the Indiana Supreme Court in G&G Oil Co. v. Continental Western Insurance Company, 2021 WL 1034982 (Ind. Mar. 18, 2021), suggested that computer fraud coverage may exist for a company that sustains a ransomware attack and pays the resulting ransom demand.
The holding is not insignificant. On the one hand, the holding’s logic could expand cases under non-cyber policies when, at the same time, regulatory bodies like the New York Department of Financial Service (NY DFS) in its Cyber Insurance Risk Framework, and the Bermuda Monetary Authority in its Cyber Underwriting Report want insurers to narrow their cyber exposures under such insurance contracts for the good of the insurance industry. On the other hand, given that the holding relies upon some grammarian mental gymnastics, and implicates Office of Foreign Assets Control (OFAC) requirements prohibiting ransom payments to designated organizations, the impact of the decision may be more limited than first blush suggests. The underlying facts are straightforward.
G&G Oil Company of Indiana (“G&G Oil”) suffered a ransomware attack and ultimately paid a $35,000 ransom in Bitcoin to recover their data. G&G Oil, 2021 WL 1034982 at *1-2. G&G Oil thereafter tendered a claim for the ransom payment under its commercial crime policy. The policy provided computer fraud coverage as follows:
We will pay for loss or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.
Id. at *1.
The insurer denied coverage on the grounds that (1) G&G Oil had declined computer hacking and computer virus coverage in an “Agribusiness Property and Income Coverages” section of the Policy, and (2) by paying the ransom, G&G Oil had voluntarily and deliberately paid the ransom to the threat actor, thereby breaking any casual chain to any “fraudulent” transfer. Id. at *2. Coverage litigation ensued. The trial court granted summary judgment in the insurer’s favor, and Indiana appellate court affirmed. The Supreme Court of Indiana reversed, holding that the matter involved the loss of money “resulting directly from” “the use of any computer.” It then remanded the case for further proceedings to determine whether the ransom payment satisfied the “fraudulently cause a transfer of that property” requirement. Its holding, however, suggested that it did.
The Use of Any Computer
The Indiana Supreme Court found that the matter satisfied the “resulting directly from” “the use of any computer” requirements. There was little argument that the use of malware to encrypt a system involved the “use of a computer.” Instead, the key issue was the meaning of the phrase “resulting directly from.” Id. at *5-6. The court first observed dictionary definitions of “direct” to mean “immediate; proximate; without circuity,” and noted that other jurisdictions have “settled on a definition of ‘immediate’ or ‘proximate.’” Giving the matter little analysis, the court thereafter determined that the phrase “resulting directly from” required either immediate or proximate causation, thereby declining to delve deeply into the issue.
These definitions inform our understanding of the Policy term “resulting directly from the use of a computer.” In order to obtain coverage under this provision, G&G Oil must demonstrate that its loss resulted either “immediately or proximately without significant deviation from the use of a computer.” We think that G&G Oil has satisfied that definition.
Id. at *6.
The Court believed G&G Oil satisfied this definition; namely, that the transfer of $35,000 in Bitcoin was “nearly the immediate result—without significant deviation—from the use of a computer.” Id. In so holding, the court noted, ironically (as discussed further below) the deliberative process of a cyber-victim making the decision to pay a ransom:
Though certainly G&G Oil’s transfer was voluntary, it was made only after consulting with the FBI and other computer tech services. The designated evidence indicates G&G Oil’s operations were shut down, and without access to its computer files, it is reasonable to assume G&G Oil would have incurred even greater loss to its business and profitability. These payments were “voluntary” only in the sense G&G Oil consciously made the payment. To us, however, the payment more closely resembled one made under duress. Under those circumstances, the “voluntary” payment was not so remote that it broke the causal chain.
To Fraudulently Cause a Transfer of that Property
The Court remanded the case to determine whether transmission of malware “fraudulently cause[d] a transfer of” the ransom payment. The insured argued that the requirements were met under the theory that a phishing email had tricked an employee into releasing the malware payload into its computer system. Id. at *4. The insurer, on the other hand, argued that the requirement remained unsatisfied because the policy language required that the use of the computer must manipulate the transfer. The insurer also argued that there could be no coverage because the insured specifically had declined computer hacking and computer virus coverage under a separate coverage form.
As for the latter argument, the court rejected it, reasoning that the declination of cyber coverage elsewhere in the policy was dispositive. Id. at *3. The court reasoned that because “the structure of the present Policy leads us to believe each part should be read individually unless otherwise specified,” its inquiry should focus only on “whether coverage is provided under the Commercial Crime Coverage provisions of the Policy.” Id.
Turning its attention to the phrase “to fraudulently cause a transfer of,” the court found the phrase and the word “fraudulent” unambiguous, looking to dictionary definitions and courts’ interpretation of the term fraud in the context of federal bankruptcy decisions. Id. at *4. Analyzing the issue under the Sixth Circuit’s decision in American Tooling, supra, the court also concluded that the policy language “did not require that the fraud cause a computer to do anything.” Id. at *4. Broadly construing the term fraud, as found under a bankruptcy case, the court concluded that the phrase “to fraudulently cause a transfer” could be “reasonably understood as simply ‘to obtain by trick.’ Id. The Indiana Supreme Court then remanded the case to determine whether the payment had been the result of a trick.
… there is a question as to whether G&G Oil’s computer systems were obtained by trick. Though little is known about the hack’s initiating event, enough is known to raise a reasonable inference the system could have been obtained by trick. Resolving this question in G&G Oil’s favor precludes summary judgment for Continental.
Id. at *5. In so doing, the Court appears to have accepted the insured’s argument – that falling victim for a phishing attack – satisfies the insurance agreement’s requirements. Noting that “[w]e do not think every ransomware attack is necessarily fraudulent,” the court remanded the action to permit the insured opportunity to produce the requisite evidence. Id.
What Does This Case Mean? Does the Indiana Supreme Court really mean that payment of a ransom in crypto currency can satisfy a use of any computer to fraudulently cause a transfer of that payment? The holding presents problems.
In terms of policy interpretation, the suggestion that a phishing incident may constitute use of a computer “to fraudulently cause a transfer of” property has problems. The court tries to address them in the context of causal chains, but it is really an issue of grammar. It is about determining which word the adverb (hint) “fraudulently” modifies. If fraudulent means “to obtain by trick,” then fine. However, the word modifies the verb “cause,” splitting the infinitive. It does not the phrase “use of a computer.” There is nothing in the payment of a ransom that is a trick, unknown, or devious. The payment of a ransom by crypto currency is a deliberate act involving significant process. There is no “trick” about it. The court highlights this non sequitur further by its own reasoning in support, when it states “[w]e do not think every ransomware attack is necessarily fraudulent.” Huh? That statement is problematic. Begin to tug at it, and the reasoning becomes undone like a button and string.
Second, but not least, the holding implicates the November 2020 advisory issued by OFAC that making ransom payments to designated organizations or regions in response to ransomware attack violates federal law. In its recent Cyber Insurance Risk Framework, the NY DFS advised against such payments, although it did not outlaw them. Many policies have endorsements negating coverage for any payment that would violate OFAC requirements. Even in the absence of such endorsements, it is questionable whether such payments would be insurable as a matter of law. The decision just stepped into this hornets’ nest.