A case quietly settled in the Ohio Supreme Court earlier this month contains language that could signal further trouble amid ongoing shifts in cyber insurance, particularly for healthcare providers relying on alternative insurance policies to protect the enterprise in the event of a network outage.
Seven Ohio justices unanimously ruled in favor of Owners Insurance Company in a case filed against the insurer by EMOI, a medical billing software vendor in the healthcare space. Owners Insurance provided EMOI with an all-risk policy and denied a claim regarding damage brought on by a September 2019 ransomware attack.
In the ruling, the justices asserted that the policy’s electronic-equipment endorsement was unambiguous in requiring direct physical loss or damage to electronic media.
The language that directly followed this statement should trouble most tech and cyber leaders: “Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case.”
The defined section of EMOI’s policy describes media as being physical in nature, which the judges ruled can’t apply to software as it doesn’t physically exist under these definitions. “‘Covered media’ means media that has a physical existence,” according to the decision.
“Computer software cannot experience 'direct physical loss or physical damage' because it does not have a physical existence,” the ruling continued. “Software is essentially nothing more than a set of instructions that a computer follows to perform specific tasks… While a computer or other electronic medium has physical electronic components that are tangible in nature, the information stored there has no physical presence.”
“In other words, the information — the software — is entirely intangible,” it added.
From a purely technical perspective, this language clearly misses the mark. As Dave Bailey, vice president of security services for Clearwater’s CynergisTek, explains: “If it's not usable anymore, while it may not be ‘physically destroyed,’ it's literally something you throw in the garbage.”
Plainly, no security-forward company would use a drive that is unable to be cleaned or recovered from an attack, as there would be no assurance that the threat is completely eliminated. The drive would instead go through a destruction process and wouldn’t be used again.
EMOI’s policy with Owners may, indeed, include language that goes beyond these technical elements, which is a broader issue from an overall enterprise risk perspective.
Owners Insurance Company denied EMOI's claim for damaged software
The legal case stemmed from a claims denial by Owners Insurance, brought on in response to the 2019 ransomware attack. After weighing the restoration time and cost, EMOI opted to pay a ransom demand of $35,000 to restore its systems. While the provided decryptor restored the majority of its systems, the server for its automated phone system remained encrypted.
EMOI filed a claim to recoup its losses from the damaged software. But Owners denied the claim on the basis that there was no physical loss or damage directly tied to the attack as required by the policy language.
The denial prompted a lawsuit that was initially dismissed before an appeal led a lower-court judge to rule in EMOI’s favor. But the Ohio Supreme Court’s decision vacated that ruling.
Owners issued an “all risk policy,” and to get the decision made by the Ohio Supreme Court, the insurer had to go through a “pretty tortured interpretation of the policy language,” said Cristina M. Shea, Reed Smith partner.
That decision, Shea said, was completely wrong.
“I think the Ohio Supreme Court got it wrong on the face of the policy,” said Shea. The issue, she said, is that the definition of “media” within the policy includes the software language, which “implies or assumes that software can be covered” and “can suffer physical loss or damage.”
“Otherwise, there's no reason to have the word software in there; if the rationale they're applying to this decision were to make any sense,” she continued.
While Shea noted that the case may have limited scope outside of Ohio, for now, she and Bailey provided insights to SC Media into what organizations should be considering now in the face of the changing insurance landscape.
Experts say healthcare entities should review policy language
As extensively reported by SC Media, healthcare has been one of the sectors hardest hit by the shifting requirements of cyber insurance. Even health systems with well-equipped security programs have struggled to meet new guidelines. The changes have led many to consider policy alternatives to cyber insurance, such as self-insuring or other non-cyber policies.
Doing so without understanding risk profiles and policy language could leave many entities without a safety net in the event of a network outage or related cyberattack.
When a policyholder purchases an all-risk policy, it’s assumed the coverage includes “all risks except for those that are very specifically excluded,” Shea explained. This case did not play out this way, which should serve as a lesson to review all policies to verify contract language, particularly if they don’t have a traditional, standalone cyber policy.
EMOI’s policy was not cyber insurance, which is a potential vulnerability. Shea stressed that policyholders should truly scrutinize their insurance coverage to ensure their business operations and existing “risks are covered under the policies they've purchased.”
“It's much more nuanced, I think, under a traditional policy that has some kind of cyber endorsement,” she added.
For the EMOI case, it appears that the underwriting language used in the policy was potentially not updated for a modern digital landscape, Bailey explained. The carrier didn’t want to pay out the claim and focused on the dated language, which enabled the state’s decision.
All organizations should review their existing policies, with a keen focus on what they actually cover, what to expect after an incident, and whether they cover key risk areas.
Traditionally, cyber insurance policies were designed with the sole purpose of paying for the incident and supporting continued operations, explained Bailey. But now, entities are using policies to pay for communication, follow-up litigation, and similar response needs.
With the emergence of destructive ransomware and what it’s done to organizations around the globe, these policies can no longer support that model.
Although it has added pressure on security teams to meet those goals, it also provides an opportunity to obtain greater investment in security needs from the C-suite and boards. Security leaders should flip the script and evaluate the criticality of systems based on their function in patient care and overall business operations, like billing, then have those tough conversations with leadership.
When speaking with the CFO, questions should center around the loss of revenue each day a system is down, the cost of care diversion, and how much is lost in billing each day a system is down. As seen with the recent temporary closure of an Illinois hospital, there is real-world evidence to present to the organization’s decision makers when seeking broader cyber funding.
Bailey was pressed to add that, from a purist security standpoint, everything cyber insurance carriers are requiring of systems is a function or tool that organizations should have in place in the modern threat landscape.
In healthcare, however, the ability to implement these requirements is a massive challenge. Many entities were operating on 1% to 2% margins even before COVID-19 struck. There are reasons behind the failure to implement best-practice security, “and it’s not because they're stupid.”
These requirements are “an investment.” Bailey stressed that what carriers are really saying is that “if you want to prevent today's threats, you have to focus on the identities,” multi-factor authentication, EDR tech, and good incident response plans. “It's potentially going to be the difference between continuing to operate as a business or not.”