Software’s ‘intangible’ nature raises insurance concerns in court ruling

Lawsuits quietly settled in the Ohio Supreme Court earlier this month include health care providers relying on alternative insurance policies to protect businesses during network outages, among others, amid continuing changes in cyber insurance. It contains language that may suggest further problems to the reader.

Seven Ohio judges have ruled unanimously in favor of Owners Insurance Company in a lawsuit brought against the insurance company by EMOI, a medical claims software vendor in the healthcare sector. Owners Insurance provided EMOI with an all-risk policy and denied claims for damages caused by the September 2019 ransomware attack.

In his ruling, the judge argued that the policy’s electronic warranty was clear in requiring direct physical loss or damage to electronic media.

The language that immediately follows this statement should baffle most technology and cyber leaders.

Although the defined sections of EMOI’s policy describe media as being physical in nature, the judge ruled that under those definitions it was not applicable to software because it does not physically exist. Did. According to the decision, “‘Covered Media’ means media that physically exists.

“Computer software cannot experience ‘direct physical loss or damage’ because it has no physical existence,” the ruling continued. “Software is essentially just a set of instructions that a computer follows to perform a particular task. Computers and other electronic media have essentially tangible physical electronic components that store The information contained has no physical existence.”

“In other words, information, or software, is completely intangible,” he added.

From a purely technical point of view, the language is clearly irrelevant. Dave Bailey, vice president of security services for his CynergisTek at Clearwater, explains:

Clearly, there is no guarantee that threats will be completely eliminated, so no security-conscious company will use drives that cannot be cleaned or recovered from attacks. The drive instead goes through the disposal process and is never used again.

In fact, EMOI’s policy for owners may include language beyond these technical elements, which is a broader issue from an enterprise-wide risk standpoint.

Owners Insurance Company has denied EMOI claims for corrupted software.

The lawsuit stems from a denial of claim by Owners Insurance in response to a 2019 ransomware attack. EMOI decided to pay a ransom of $35,000 to restore the system after considering the time and cost of restoration. The provided decryptor restored most of the system, but left the Automated Phone System servers encrypted.

EMOI has filed a claim to recover losses from damaged software. However, the owner denied the allegations on the grounds that there was no physical loss or damage directly related to the attack, as required by the policy language.

This denial prompted a lawsuit that was initially dismissed before an appeal sent a lower court judge to rule in favor of EMOI. However, the Ohio Supreme Court ruling reversed that ruling.

The owner issued an “all-risk policy,” and in order to get a decision by the Ohio Supreme Court, the insurer had to go through “a fairly tortured interpretation of the policy’s language,” said Reedsmith’s partner. One Christina M. Shea said:

According to Shea, the decision was completely wrong.

“I think the Ohio Supreme Court got it wrong on the face of policy,” Shea said. covered” and “may result in physical loss or damage”.

Otherwise there’s no reason to put the word software in there. If the rationale they’re applying to this decision makes any sense,” she continued.

Shea noted that the lawsuit may have limited scope outside of Ohio, but for now, she and Bailey are left wondering what organizations should be considering now in the face of the changing insurance landscape. provided SC Media with insight into the

Experts say healthcare providers need to review policy language

As widely reported by SC Media, healthcare is one of the sectors hit hardest by the changing cyber insurance requirements. Even health systems with well-equipped security programs are struggling to meet new guidelines. I came to

Doing this without understanding the risk profile and policy language could leave many entities without a safety net in the event of a network outage or related cyber attack.

When policyholders purchase all-risk insurance, coverage is assumed to include “all risks except those that are very specifically excluded,” Shea explained. This case did not unfold like this. This should serve as a lesson for reviewing all policies to verify contract wording, especially in the absence of traditional stand-alone cyber he policies.

EMOI’s policy was not cyber insurance for potential vulnerabilities. Shea stressed that policyholders need to truly scrutinize their insurance coverage to ensure that their business operations and existing “risks are covered by the insurance they purchase.”

“I think it’s much more nuanced under traditional policies that have some kind of cyber support,” she added.

In the EMOI case, the underwriting language used in the policy may not have been updated for today’s digital landscape, Bailey explained. The carrier did not want to pay the claim and focused on the dated wording, thus allowing the state’s decision.

All organizations review their redaction policies with a focus on what they actually cover, what to expect after an incident, and whether they cover key risk areas is needed.

Traditionally, cyber insurance policies were designed only to pay for incidents and support ongoing operations, Bailey explains. But now, entities use policies to pay for communications, follow-up litigation, and similar response needs.

With the advent of devastating ransomware and its impact on organizations around the world, these policies can no longer support that model.

Security teams are under added pressure to meet these goals, but also an opportunity to get more investment in their security needs from executives and boards. Security leaders must flip the script and assess the system’s criticality to patient care functionality and overall business operations, such as billing, and then have tough conversations with management.

When you talk to your CFO, questions should center around the loss of daily revenue if the system goes down, the cost of diversion of care, and the amount lost in daily billing if the system goes down. There is real-world evidence for organizational decision makers to capture broader cyber funding, as seen in the recent temporary closure of Illinois hospitals.

Bailey added that from a purist security perspective, all the cyber insurers demand from their systems are the features and tools organizations should be doing in the modern threat landscape.

However, in healthcare, the ability to implement these requirements is a major challenge. Many businesses are operating with 1% to 2% margins even before COVID-19. There’s a reason security best practices aren’t implemented.

These requirements are an “investment”. Bailey said what carriers are really saying is, “If we want to prevent today’s threats, we need to focus on identity, multi-factor authentication, EDR techniques and good incident response plans.” I emphasized that “That could be the difference between continuing to operate as a business or not.”

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *