Reposted from the On the Level Newsletter - Click Here to Subscribe
The construction industry, like many other industries, is becoming increasingly dependent on the internet and on internet-enabled technologies. While use of these technologies offers several benefits to construction and design professionals, it also heightens their risk of cyber-attack. Unfortunately, multiple examples have surfaced in recent years of project owners, architects, and contractors’ digital assets (e.g. business plans and acquisition strategies; proprietary construction plans and designs; customer, contractor, and supplier lists and pricing; personally identifiable information of employees; protected health information of personnel; and facilities security information) falling victim to cyber-attack. As a result, the question of what losses arising from a cyber-attack will be covered by cyber insurance and/or non-cyber polices has become regular construction industry topic.
A recent Ohio Court of Appeals decision potentially opened the door for broader coverage from cyber-attacks under traditional insurance policies. In
Emoi Servs., LLC v. Owners Ins. Co., 2021-Ohio-3942, an Ohio-based company sued its insurance company after the insurer denied coverage for the losses the company incurred following a 2019 ransomware attack that left the company's computer files encrypted and inaccessible. The insurer argued and the trial court agreed that the company had not shown direct physical loss of its "media," as required by its non-cyber insurance policy, because the company could still access much of its database and files after it paid the hacker a $35,000 ransom for a decryption key.
In a split decision, Ohio's Second Appellate District reversed the trial court’s grant of summary judgment in the insurer’s favor holding that the company’s temporary loss of access to its system could constitute covered property damage under the policy. This ruling was surprising considering it seems to conflict with the recent rulings in hundreds of Covid-19 coverage cases filed by businesses who claimed their insurers should have compensated them for loss of use and revenue when the COVID-19 pandemic forced them to close. Most courts in those cases held that, even if the virus was present on a business' premises, it didn't represent a physical loss or damage to the property and, therefore, was not covered by insurance.
While encouraging that there may be alternative coverage available under traditional insurance policies for a cyber-attack, it remains in your company’s best interest to implement an appropriate cybersecurity program, which includes specific cyber-insurance coverage. Please consult with your insurance broker and attorney on what will and will not be covered under your current insurance program. The last thing you will want after surviving a cyber-attack is a prolonged coverage battle with your insurance company.