Gasp! Insurance Company Refuses to Pay Ransomware Claim
Sherwood, Arkansas-based non-profit telemarketing company The Heritage Company raised and distributed funds for various organizations and, like many of us on the planet, depended on properly functioning and accessible computers, computer networks and computer data to do its job. To protect itself and its operations, it purchased what was billed as a “smart cyberinsurance” policy from an insurance company. The policy included coverage for business interruption, contingent business interruption and other damages and losses.
On October 15, 2019, Heritage’s systems were hacked and shut down by a ransomware attack. As a result of the hack, they shut down for two-and-a-half months and it took them another month after that to restore their systems. During that time, they were unable to engage in the fundraising business and, just five days before Christmas in 2019, Heritage’s CEO fired all 300 employees since there was no work to be done. This included workers not only in Sherwood but also in Searcy and Jonesboro, Arkansas. The company reopened in early February 2020, after rehiring its employees.
According to a lawsuit filed on January 28, 2022 in the Pulaski County (Arkansas) circuit court (Heritage v. Hudson Excess Insurance, Dkt. No. 4:22-cv-00082-JM), Heritage’s insurer—Corvus Insurance (and various affiliates and reinsurance companies)—refused to pay Heritage’s claim. The bare-bones complaint is light on substance, asserting that the marketing company “relied on the explanations and representations” of the insurance companies and on the fact that “the policy meant what it said” and that the marketing company “was to be compensated in the event of a loss.” Otherwise, the marketing company asserted, they would not have bought the policy.
The insurance policy is 54 pages of, well, insurance language. Without more detail about the nature of the claim and the reasons why the claim was denied, it is impossible to know whether the dispute is about the scope of the coverage itself, whether the loss was direct or indirect, or whether the insurance company is asserting that some exclusion applied to the claim. That’s what litigation is for, right? But the case represents a trend that followers of this space are all too familiar with—a company bought what it thought was a comprehensive insurance policy that covered losses from attacks like ransomware, data loss, data destruction and other incidental losses but, upon filing a claim, found either that its coverage is not what it was told or not what is in the policy, or that the insurance company is taking either a narrow view of what is covered or an expansive view of what is excluded. In other words, insurance.
Companies can minimize these risks by having a comprehensive policy review performed and by understanding what is—and what is not—covered by cyberinsurance and cyberrisk policies. Carriers, burdened by massive claims for things like ransomware, are increasingly unwilling to pay claims (though they are happy to take in premiums).
Know what you are buying and what risks you are taking. And then, check your policy again.