The Ohio Supreme Court rules that insurance policies do not cover software cyberattack

On Tuesday, the Ohio Supreme Court unanimously overturned an Ohio Second District Court of Appeals ruling and held that, for an insurance policy to provide coverage, there must be “direct” physical loss of, or physical damage to, the company’s computer software.

In the three-year legal battle between the Dayton-area medical billing software maker EMOI and its insurance provider, Owners Insurance Company of Lansing, Michigan, the insurer claimed that the insurance contract clearly stated that only “direct physical loss” or “direct physical damage” to media would be covered under the policy.

In its final decision, the Ohio court said that although a computer may have fundamental, physical, and electrical components, the information stored within it does not have a “physical existence.” As a result, the company’s insurance policy does not cover a ransomware attack on its software. According to the ruling against EMOI, a software developer cannot use its property insurance to pay for such damages.


Ohio Supreme Court Rules for Insurance Policy

EMOI’s lawsuit against Owners, which the developer filed mere months after the incident, was rejected by a district judge. However, the appeals court decided in favor of EMOI in November 2021, finding that the claimant may file a lawsuit against the insurance company for allegedly processing the claim in bad faith by failing to adequately analyze “the various types of damage that might occur to material such as software.”

Owners Insurance, in its memorandum in support of jurisdiction, wrote: “Everything from personal phones and computers to cars, voting machines, and pipeline control systems have been ‘hacked’ or ‘ransomed.’ The increased use and reliance on digital information and services developed over the years have opened ripe new target areas to exploit.”

“A specialized type of insurance protection has been developed to provide insurance for digital ransom or other ‘cyber loss.’ It was developed because traditional commercial or business property insurance does not contemplate such coverage… Wish as it might that it had purchased a ‘cyber’ policy that might have provided coverage for this situation, EMOI did not.”

Similar claims have been resolved in insurance companies’ favor, starting a pattern of excluding cyberattack incidents from liability insurance coverage for the private sector. As a result, demand has increased for specialized cyber insurance that covers situations like ransomware attacks, which do not directly result in physical harm.

In response, the cyber insurance industry has made efforts to raise rates, place limits on underwriting, and create its own set of exclusions, chief among them cyberattacks linked to armed conflict. In addition, the U.S. government launched a study in September to determine whether it should provide a backstop or other safety measures to ensure that cyberattacks with catastrophic consequences are covered.