Indiana Supreme Court Revives Insured’s Case for Ransomware-Related Coverage Under Commercial Crime Policy

The Indiana Supreme Court, applying Indiana law, has held that an insured may be entitled to coverage for a ransom payment under a commercial crime policy if the circumstances of the attack “fraudulently caused” the insured to make the payment.  The court also held that the ransom payment resulted “directly” from the use of a computer.  G&G Oil Co. of Ind., Inc. v. Continental W. Ins. Co., 2021 WL 1034982 (Ind. Mar. 18, 2021).

In November 2017, the insured, a Midwest-based oil company, experienced a ransomware attack.  Given the impact to its computer systems and business operations, the company elected to pay the demand—valued at approximately $35,000—to obtain a decryption key to unlock its systems.

The company sought coverage for its loss under the computer fraud provision of its commercial crime policy.  This provision afforded coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer of money.”  The insurer denied coverage because the company had voluntarily transferred the funds, and the threat actor had not transferred the funds directly from the company.  In the ensuing coverage action, the trial court ruled in favor of the insurer, holding that (i) the loss was not “fraudulently caused” but was instead the result of theft, and (ii) the payment did not qualify as loss “resulting directly from the use of a computer” and instead “was a voluntary payment to accomplish a necessary result.”  The appellate court affirmed.

The Indiana Supreme Court found that the extortion payment did indeed result “directly” from the use of a computer, rejecting the insurer’s argument that the company’s voluntary payment was “an intervening cause that severed the casual chain of events.”  The court found that the company’s actions were “nearly the immediate result—without significant deviation—from the use of a computer” and that the payment was “voluntary” only in the sense that the company consciously made the payment.  The court held that the payment more closely resembled a payment made under duress, in which case the “‘voluntary’ payment was not so remote that it broke the casual chain.”

However, the court found that further fact investigation was needed to determine whether the ransomware attack “fraudulently caused a transfer of money.”  The court noted that this could be met if the threat actor had obtained access to the insured’s systems “by trick.”  Despite questions surrounding the method of the intrusion—i.e., whether the threat actor obtained access unhindered through a system vulnerability, or instead through a deceptive phishing scheme—the court decided that “enough is known to raise a reasonable inference the system could have been obtained by trick.”  Accordingly, the court found that neither party was entitled to summary judgment and remanded the case for further proceedings.