Comments


Cyberinsurance t1_j25n7ly wrote

It’s not clear in the article but this ruling seemed to be over the insured’s property policy(?). The direct physical loss requirement is pretty clear but carriers should still put on an unambiguous exclusion (which ISO has many). Either way, this is why cyber insurance is available in the market, coverage is typically not found in property or gl policies

163

themadweaz t1_j263f9u wrote

I disagree. I think a cyber exclusion is not necessary in property policies. You made the point itself: direct physical loss. Cyber insurance fits the niche here, and perhaps an optional coverage or endorsement for gl policies makes sense.

But you should not expect that cyber damage would be implicitly covered in a gl or property policy (imho). Unless there is legislation demanding it, in which case an exclusion would need to be added in order to implicitly sell a gl policy with no cyber component.

Exclusions are generally the result of some legislation that makes previous policies more ambiguous. See: recent cannabis exclusions. Since the government has been toying with the laws around the legality of cannabis, it's no longer assumed that it is illegal to produce and thus policies which previously did not cover it now "may" unless an exclusion is present.

Cyber has never been covered, as it isn't direct property loss. Unless the government defines software as a physical property, I see no reason for an exclusion.

20

fifa71086 t1_j28vpz6 wrote

This is accurate. My company maintains property insurance for the physical devices, but also a tech e&o policy for this exact scenario.

6

Auedar t1_j29xrnb wrote

I think there is a grey area as well. What if my server gets a virus that shuts off temp regulation, overheats my server, and then it bricks the server by starting a fire/frying the hardware? There is physical damage from the fire, but the origin is from a cyber vector.

I have direct physical loss. Does it still get covered?

1

Cyberinsurance t1_j2ac6ja wrote

You put the exclusion (or even better expressly carve out “cyber damage” from the definitions to avoid defense costs) since your buyers are less likely to have a risk manager who better understands the coverage. I agree with you that the exclusion isn’t necessary, but without it you will continue to have needless coverage litigation

1

themadweaz t1_j2ahjmd wrote

I'd fire any risk manager working for a tech company that is unaware cyber insurance exists.

The main issue I see here: cyber is already an established line. You would then need to add all optional coverages, exclusions, endorsements etc that the cyber line is currently offering to the gl policy as well. It would be hard (not impossible) and would make ISO gl worse than it already is. And BOP. And probably Marine... And any commercial auto (cars have computers, right?). It's just not worth it to extend those lines of business when you are offering an additional lob.

Having it as a separate line doesn't prevent an insurer from bundling the two lines, but it adds exceptional extra complexity to already complex lines.

Found this quote that kinda explains my perspective:

"If a company decides to rely on its GL policy to cover cyber losses the only certainty is that it will end up in a fight with its GL insurer"

Btw, I'm not an underwriter. I just used to program rating engines with ISO ERC data. I feel like I have a pretty decent grasp on how ISO decides to implement exclusions, so my comment was only to clarify from that perspective.

3

StephBGreat t1_j28w872 wrote

Many are putting on silent cyber exclusions. This started happening during the pandemic.

1

[deleted] t1_j25jpjn wrote

[deleted]

53

SsiSsiSsiSsi t1_j25jwkg wrote

Seriously, life is going to be a lot more bearable once people who grew up with tech are in a position to make these calls.

19

Cicero912 t1_j25mjk2 wrote

Is it? There's only a small slice of people who are knowledgeable. A lot of people growing up nowadays/past few years have absolutely 0 knowledge of how to use tech unless it's an app.

34

Lykeuhfox t1_j25r7w7 wrote

Case and point - the image used for a ransomware article is in HTML...

11

GreenAdvance t1_j25xije wrote

Case in point, all the comments here defending the company and saying the ruling is incorrect.

2

komAnt t1_j25vr89 wrote

Would you have preferred some proprietary source code instead? Or perhaps a dump of their users' PII? I'm all for computer literacy but some of these comments are sensationalist. This is the same generation mining cryptocurrency and influencing stock markets as retail investors. Proponents for fixing climate change. An electorate with the highest voter turnout in the history of the country. Wouldn't write them off easily.

1

Kahrg t1_j25pias wrote

They are too busy doom scrolling on tiktok to learn valuable skills. :)

4

Cicero912 t1_j25rvx8 wrote

No, they just aren't taught anymore because "oh they've grown up with tech, they know what they are doing"

2

pm_me_your_buttbulge t1_j25x4be wrote

I dunno, I'd rather explain how to install an AdBlock to the younger folks than a 60+ year old.

My cousin who grew up with this has Asperger's Syndrome and is still significantly easier to explain tech to than... basically anyone that's 50+.

So while I get the hate that's, I truly suspect is jealousy or something, it's simply just not the case.

When it comes to tech, I'll gamble with the younger folks over the older folks who specifically refuse to learn it (e.g. practically all politicians).

−2

Jaded-Moose983 t1_j25p887 wrote

I think that's an assumption that's proving to be incorrect. There's been computer tech for several generations now and there will always be those who just are not interested in anything but the tip of the iceberg.

I think it's comparable with an assumption that because I drive a car, I know how to maintain or fix it. It astonishes me how many people don't even know how to change their tire.

Additionally, those who are tech knowledgeable are less likely to be in legal or legislative positions. IMO, it places a greater burden on those who make judgements to elicit competent support on the technicalities. I see this gap widening over time, not narrowing.

6

sp3kter t1_j25qi5i wrote

All the people that understand and can fix this shit are 20 years from retirement. No kids these days know how to fix shit on computers, they grew up with touch screens not screwdrivers.

5

Not_the_brightest t1_j25zx8s wrote

The court got it right here though.

The people in the wrong are those who thought “direct physical damage” covers loss of logical data. There is specialized insurance specifically for the kinds of losses incurred here.

2

hamlet9000 t1_j25u9da wrote

Not really.

The insurance policy in question was for PHYSICAL damage.

There are insurance policies you can get to protect against data loss, but the plaintiff in this case didn't have one.

It took me great effort to learn this. It involved reading the linked article. But I have suffered this hardship willingly to bring you knowledge.

14

shadowrun456 t1_j25mit5 wrote

It wasn't an absurd ruling though. Do you really think the description "direct physical damage" (which the insurance was for) should apply to damage from hacks and ransomware?

12

[deleted] t1_j25qxl0 wrote

[deleted]

−3

chrometoucan t1_j25wkow wrote

What is ambiguous here? They excluded digital data by saying physical…

10

Sorge74 t1_j260uj6 wrote

I mean is digital data physical? I mean yes it's not magic.

−1

GreenAdvance t1_j25w6vc wrote

You didn't answer the question. To add, what is ambiguous about "direct physical damage"?

This is why you have breach insurance that includes a ransomware policy.

The appellate court was the one that made an absurd ruling on the level of "it's a series of tubes". Ransomware or any other loss of data does not constitute physical loss or damage.

9

devman0 t1_j2695wv wrote

In this case they got it right, this would be like saying your homeowners or renters insurance should cover losses due to a ransomware attack, which is patently absurd.

The case was bad on its merits and the rule is fine. If you want cyber security insurance you should buy an appropriate policy.

1

MaPoutine t1_j25v0qn wrote

You don't need to be young or old to read the policy wording to see what it covers and what it excludes.

Read the article. There is nothing in this case that hinges on some super high technology that the court just doesn't understand.

Software is not covered under the wording of that Property policy (FYI it is meant to cover tangible things like buildings and machinery and its wording is clear that it doesn't cover intangible things). Software and the like is intangible and the insurance industry has a separate product which does cover software and cyber claims (cyber policies). Just because the company didn't buy a Cyber policy doesn't mean the Property policy has to cover something its wording excludes.

11

Complex-Glass-8539 t1_j25q5d7 wrote

In insurance, if this is covered, everyone can enjoy very, very high premiums. The intent of coverage on a standard business policy is clear, if someone wants this coverage they need to purchase it, it’s a readily available coverage called Cyber Liability and Data Retention.

This court ruling would make all insurance significantly more expensive.

You should look at what the profit margins for property and casualty carriers are in the US….they are low as fuck, many lose money. Only a few consistently make money. This isn’t health insurance, all the money goes to the brokers and agents who get paid commission without the risk and competition is terribly high. It’s not like adding coverage where none is intended won’t result in higher costs to be imposed on consumers, consumers who today often choose not to insure this exposure due to how expensive it is.

5

GreenAdvance t1_j25wjt8 wrote

This is covered under separate breach policies and it's common. I work for a financial institution and we carry breach insurance for this reason. It's essentially a requirement.

They didn't have a breach policy, and weren't covered.

4

CheithS t1_j25pa0c wrote

Looks like a pretty sensible ruling based on what was published.

If you want coverage for something then buy that type of coverage!

Seems to me the company was negligent, if anything, by not getting themselves appropriate coverage - no doubt to pinch a few more dollars - and then blames someone else.

51

Killerbean83 t1_j26dzb7 wrote

Over here the problem is not the cost of the insurance. The problem is renegotiating the price for the new one if you claimed it.

Funny thing is that almost everyone has a fire insurance, the chance is like 1 out of 10.000 or something that it happens to you. Cybercrime attacks are around 1 out of 8 these days.

10

YnotBbrave t1_j28rwoj wrote

If there is a high likelihood of cyber attack then real premiums will be sky high

6

danielisbored t1_j29klve wrote

Cyberinsurance is hella high, and to qualify you have to pass a strict security audit. So they cover themselves on both ends, high premiums and enforcing policies that reduce the chance of a payout. Most mom and pops won't be able to buy into such plans and just have to absorb the risk.

1

YnotBbrave t1_j2d28by wrote

That’s the world we created by tolerating cyber crime

I would like to see crack cia assassin teams finding hackers and shooting them all around the world, as a way to stop the legitimacy of cyber crime, but instead we get crimes criminals getting probation. Well we get what we pay for/vote for

1

lookmeat t1_j26qbla wrote

This was, to the company, a reasonable risk. They already had a loss, large enough that it was worth it to get lawyers and try to argue as hard as they could. Sometimes you do the math and spending thousands for a 1% shot at recovering millions is worth it.

Negligence is the correct assessment, but more often than not it's lack of understanding, but penny pinching. At least you wouldn't see them spending this much on lawyers. People get experts to make certain things are safe, but many don't understand that IT person is not a cyber security expert. For all we know this court theater was to argue they were legitimately led to believe they were covered for this situation and therefore can point at someone else.

That said this is based on generalisms, and I've seen a lot of companies with serious mismanagement. This specific case could certainly be the case of someone who would not listen to reason or advice. All I'm stating here is, as far as I can tell, there's not enough info to be reasonably certain.

3

Mr_ToDo t1_j29tguv wrote

Not that I disagree, but did they know it was available?

How many different options exist? I know I didn't know that house to curb utility insurance existed as an option for years, but it does. Does having something, purely as an option that's not disclosed make it enough of a defence to not pay out? how many other options do I not know about?

1

clickwir t1_j26vccz wrote

That just seems like a quick way to spiral out of covering anything and coming up with little policies to cover lots of little things.

That's just more expensive and seems like a way for insurance companies to weasel out of their job while at the same time blaming the customer and trying to pull in more money.

0

Kahrg t1_j25pgil wrote

Ransomware insurance is a specific type of insurance.

This ruling actually makes sense, they tried to take a policy that didn't cover something... to make it cover something.

36

clickwir t1_j26w042 wrote

Sounds more like insurance companies trying to weasel out of it. Creating specific policies for every little thing is just a way for the insurance companies to not pay while making more money.

2

Mysterious_Nerve9433 t1_j28dt29 wrote

You buy flood insurance. Later on, you left the bath tub running and your overflow wasn't working properly and water runs over the tub and all over your house for a few hours.

Flood insurance is going to deny your claim here.

8

Ok_Ruin4016 t1_j29opu0 wrote

Because flood insurance is usually a catastrophe policy that is sold or subsidized by the Federal Government for flood water damage caused specifically by a natural disaster and causing massive damage to a large area and many residents. It's not meant to cover your overflowing bathroom

2

teddytwelvetoes t1_j25vgik wrote

if you're one of the many, many wildly profitable companies that routinely shrugs off all IT-related costs whether it's years-overdue server replacements, years-overdue security measures, etc. so that some suit can buy his dozenth sports car or fifth vacation home I hope that your bafflingly neglected money-printer gets bricked by a teenager in Yugoslavia and that you get told to eat shit by the insurance company

9

sdawson26 t1_j25kxf2 wrote

Great. That screenshot puts us all in danger! /s

8

RhoOfFeh t1_j25mn16 wrote

Damn, they think that the physical is more important than the data in business today? The hardware is the cheap and easy part to deal with.

7

Ancillas t1_j25np7m wrote

No, they said the policy defined the coverage as applying to physical loss only.

There was no assertion of value or importance.

18

clickwir t1_j26w9at wrote

You missed the point of what they said. They were blaming the customer for covering physical items. The physical items are cheap and replaceable.

This person is agreeing with the ruling.

3

Ancillas t1_j26x6cu wrote

Okay, I see what you’re saying. I had assumed that the policy holder assumed their data was covered by their property policy, but I guess that isn’t necessarily true.

To the point you clarified, it would seem irrational to prioritize insuring hardware over data.

Thanks for the clarification.

2

sojithesoulja t1_j25t22e wrote

The files are in the computer.

−3

Ancillas t1_j25tew9 wrote

It’s so simple.

Unless they’re using dedicated storage arrays.

3

Dumcommintz t1_j26x2kq wrote

So I'm rappelling down Mount Vesuvius when suddenly I slip, and I start to fall. Just falling, ahh ahh, I'll never forget the terror. When suddenly I realize "Holy shit, Hansel, haven't you been smoking Peyote for six straight days, and couldn't some of this maybe be in your head?"

3

squidking78 t1_j26w486 wrote

They have computers in Ohio?

5

Fragrant_Onion7021 t1_j25wekx wrote

The article is a fucking roller coaster. Basically, should have purchased cyber insurance; They only insured their physical servers?

2

discgman t1_j25opao wrote

Why did this company not buy tech insurance? Obviously if they did they would be out of compliance because they had a security hole and got hacked.

1

hombrent t1_j25vt9r wrote

If you think that being in compliance means that you can't be hacked, you've never worked in compliance.

Being in compliance just means that you have giant piles of paper with checkboxes that are all checked. None of those checkboxes actually enforce real security.

6

discgman t1_j260nvg wrote

Actually I’ve been involved in said policies and we had to have actual equipment and software in place

1

hombrent t1_j266uod wrote

Yeah, but you don't need to configure it well. You just need to document that you have it, and that only authorized people can configure it.

Oh yeah. And you need to write a policy that says that you need to have it.

5

discgman t1_j26h6oa wrote

We also did a security audit paid for by state funding

0

GreenAdvance t1_j25x6ks wrote

That wouldn't invalidate the coverage. As long as you can show your company and employees have policies and procedures in place and are being followed your claim will be approved.

Source: personal experience making a claim on a cybersecurity policy.

1

discgman t1_j260hfl wrote

Recently we have been required to have specific safeguards in place to be approved. They were very specific and required more money being invested in security. If we didn’t adhere to said list we would have been dropped

3

All_The_Nolloway t1_j25vh0q wrote

damn, don't you just hate when insurance doesn't cover everything?

1

Thatguyxlii t1_j26fx3q wrote

EMOI must not have bribed enough Republicans.

1

AnimalAllusion t1_j26j2bp wrote

Love how html is somehow considered software.

1

themorningmosca t1_j26uol2 wrote

They all have a “cyber policy”. I would bet this group did not take the cyber policy and were probably told that this is the way to cover the loss that they are experiencing now.

1

AidenNo1 t1_j284i8o wrote

Fuck insurance

1

[deleted] t1_j2946uk wrote

I feel like the lawyers failed this one for the company that was ransomware attacked. They could very easily say that the attack caused a physical loss of data, because while everyone likes to pretend that stuff stored on computers is digital, the reality is, it's physical. Every program, every email, everything is a long string of 1 and 0s physically written to a hard drive. All the media is physically stored on a hard drive the same way we used to store paper with writing in a filing cabinet. If a fire burned down an office building and bunch of files were lost, that would be covered by insurance. I see no difference between that and a ransomware attack physically re-writing or erasing the data on hard drives.

1

TheseLipsSinkShips t1_j29wvuq wrote

This may turn out to be America’s Achilles’ heel. I hope there is funding to help…, at least our public infrastructure.

1

Inconceivable-2020 t1_j2bcl1h wrote

Refused to budget IT security. Got asses handed to them. Tried to make somebody else pay for their fuckup.

1

stuckinaboxthere t1_j274myf wrote

Yeah, just assume your insurance provider won't cover anything, they don't want to and will fight you to not have to

0

raz0rbl4d3 t1_j25slqu wrote

Suddenly, Ohio's Supreme Court fell victim to a ransomware attack

−5

homothebrave OP t1_j25kjlx wrote

As a judge I would have focused on the intent behind the policy not just the wording. Showing that the insurance issuer acted in bad faith

−6

hamlet9000 t1_j25um00 wrote

"I think you should owe money you don't actually owe because I say so."

Probably a good thing you're not a judge.

15

CPargermer t1_j25vqdm wrote

Cyber insurance has been around for years though to specifically cover damage from cyber crimes. Like homeowner's insurance covers many things that can happen to your home, but some forms of loss/damage require specific coverage. It's no more bad faith than that.

Cyber insurance may be priced differently by company based on the specific digital risk and whatever mitigating factors the company have in place (software, hardware, security policies), like physical insurance may be priced differently for physical mitigating factors (fences, locking mechanisms, cameras, security personnel).

12

OCGHand t1_j290g7n wrote

Cyber Insurance premiums are high now, asking businesses questions, provide proof of their IT process, and sometimes deny their claim when businesses are hit with ransomware because of business negligence in their IT process.

1

KaliGracious t1_j26418n wrote

There is no bad faith here but the intent of a property policy is not to cover cyber claims. There is no “cyber” in Basic 1 or 2, Broad, or Special. Most property policies have a cyber exclusion on them by this point.

4

GreenAdvance t1_j25wxd7 wrote

I'm glad you're not a Judge as they made the correct ruling here. The company did not have breach insurance.

1