Gasp! Insurance Company Refuses to Pay Ransomware Claim

Sherwood, Arkansas-based non-profit telemarketing company The Heritage Company raised and distributed funds for various organizations and, like many of us on the planet, depended on properly functioning and accessible computers, computer networks and computer data to do its job. To protect itself and its operations, it purchased what was billed as a “smart cyberinsurance” policy from an insurance company. The policy included coverage for business interruption, contingent business interruption and other damages and losses.

On October 15, 2019, Heritage’s systems were hacked and shut down by a ransomware attack. As a result, the company was shut down for two-and-a-half months, and it took another month after that to restore its systems. During that time, Heritage was unable to engage in the fundraising business and, just five days before Christmas in 2019, its CEO fired all 300 employees since there was no work to be done. This included not only workers in Sherwood but also those in Searcy and Jonesboro, Arkansas. The company reopened in early February 2020, after rehiring its employees.

According to a lawsuit filed on January 28, 2022 in the Pulaski County (Arkansas) circuit court (Heritage v. Hudson Excess Insurance, Dkt. No. 4:22-cv-00082-JM), Heritage’s insurer—Corvus Insurance (and various affiliates and reinsurance companies)—refused to pay Heritage’s claim. The bare-bones complaint is light on substance, asserting that the marketing company “relied on the explanations and representations” of the insurance companies and on the fact that “the policy meant what it said” and that the marketing company “was to be compensated in the event of a loss.” Otherwise, the marketing company asserted, they would not have bought the policy.

The insurance policy is 54 pages of, well, insurance language. Without more detail about the nature of the claim and the reasons it was denied, it is impossible to know whether the dispute is about the scope of the coverage itself, whether the loss was direct or indirect, or whether the insurance company is asserting that some exclusion applied to the claim. That’s what litigation is for, right? But the case represents a trend that followers of this space are all too familiar with—a company bought what it thought was a comprehensive insurance policy covering losses from attacks like ransomware, data loss, data destruction and other incidental losses; but upon filing a claim, it found that the coverage either is not what it was told, is not what is in the policy, or that the insurance company is taking either a narrow view of what is covered or an expansive view of what is excluded. In other words, insurance.

Companies can minimize these risks by having a comprehensive policy review performed and by understanding what is—and what is not—covered by cyberinsurance and cyberrisk policies. Carriers, burdened by massive claims for things like ransomware, are increasingly unwilling to pay claims (though they are happy to take in premiums).

Know what you are buying and what risks you are taking. And then, check your policy again.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.