Cyber Coverage for Ransomware Attacks

By David A. Gauntlett*

 

Introduction

Cyber attacks are a serious threat to all businesses and anyone who uses the internet or computer systems.[1] It is a common misconception that cyber attacks prey on those ignorant of cyber operations; however, that is not the case. Anyone can fall prey to the manipulation of cybercrimes because they target the natural tendencies of human behavior, such as taking shortcuts and using quick judgment. Knowing these natural tendencies, cybercriminals manipulate human behavior to make cyber attacks succeed. Securing proper cyber insurance policies that cover these kinds of cyber attacks requires careful pursuit in an increasingly resistant market. This is the time to locate specialists in cyber insurance coverage and employ their networks.

 

The Growing Expense and Risk of Ransomware 

Ransomware exploits a breach in network security, using viruses or other malware to infect a computer system. Even more dangerous is the manner in which malware can manipulate computer functionality. Compared to other attacks like “cryptojacking,”[2] ransomware is less profitable, but it’s easier to perform and remains a major threat to online operations. Ransomware attacks extort money from businesses and typically demand payment in the form of cryptocurrency, making attacks more difficult to track.

Insurers often deny coverage for claims resulting from ransomware attacks, especially where numerous claims can be involved, such as system damages, reputation loss, business interruption, data breach and loss, as well as cyber extortion loss.[3]

For example, a Connecticut district court, in New England Sys. v. Citizens Ins. Co. of Am.,[4] determined that in denying coverage to New England for business interruption claims after a ransomware attack, Citizens engaged in bad faith under the policy provision “Cyber Business Interruption and Extra Expense.” The court reasoned that “Citizens intentionally misrepresented pertinent policy provisions when it allowed NSI to undertake self-repair work without disclosing that Citizens knew it would consider NSI ineligible for business-interruption coverage if it performed such work . . . [and] engaged in no investigation of its claims whatsoever.”[5]

Insurers have also attempted to deny coverage for claims resulting from ransomware attacks by applying the “war and terrorism” exclusion, contending that ransomware attacks are forms of cyber terrorism that fall within the scope of this exclusion.[6] For example, in Merck & Co., Inc. v. Ace Am. Ins. Co.,[7] a New Jersey court analyzed Ace’s denial of coverage for Merck & Co.’s claims resulting from a NotPetya ransomware attack in 2017. Ace contended that Merck & Co.’s claims fell within the scope of the policy’s war-risk exclusionary clause and relied on a broad definition of “terrorism” and terms related to terrorism to deny coverage.[8] In contrast, Merck asserted that the “all risks” policy covers all risks to property damage “including destruction, distortion, or corruption of computer data, coding, program, or software.”[9]

The court first noted that no case in the country had determined that a “war and terrorism” exclusion had been applied to facts remotely similar to those at issue.[10] The court went on to conclude that the term “act of war” in the war-risk exclusion as applied to cyber attacks is ambiguous and applying it to the NotPetya event would disappoint the reasonable expectations of Merck.[11] The court properly noted that the onus is on the insurer to update its policy language if it wishes to exclude newly developed threats.[12]

 

“Business Interruption Loss” Is Naturally Implicated by Ransomware Attacks

Given the reliance that most modern businesses have on access to their computer systems and online networks, a ransomware attack often results in a crippling interruption for a business that prevents any ordinary operations. Luckily, cyber policies typically include coverage for “Business Interruption Loss,” defined as “Income Loss and Extra Expense incurred by the Insured Organization during the Period of Recovery which exceeds the Waiting Period, due to an Interruption of Service as a result of a Network Security Incident.”

Despite this clear path to coverage, insurers are often quick to deny claims by reflex. The recently filed case of DeVaughn James, LLC v. Palomar Excess and Surplus Ins. Co.[13] is illustrative. There, the insured was a “paperless” law firm where “client files, case documentation, legal work, and communications are maintained, processed, and transmitted digitally.”[14] Because the law firm operates in that manner, a ransomware attack compromised many of the firm’s critical systems.

According to the complaint, “they were essentially unusable from Monday, August 4, 2025, through Friday, August 8, 2025. Plaintiff’s computer system was only partially operational on Monday, August 11 and Tuesday, August 12, 2025.”[15] Despite the firm’s complete shutdown for an entire week and reduced capacity for two additional days, the insurer maintained that the firm “suffered absolutely no loss of profit.”[16]

Other Policies May Cover Ransomware, But Expect an Uphill Battle

Policyholders may be able to find coverage for ransomware claims under traditional commercial liability coverage.[17] However, “property damage” and “property loss” do not encompass computer systems and data, so policyholders will more often than not find themselves without coverage for ransomware. For example, Sony was denied coverage after experiencing a data breach by hackers accessing secure company information because Sony’s standard Coverage B under its CGL policy did not extend to third-party acts (e.g., hackers).[18]

Conclusion

With the ever-increasing reliance on computer technology for day-to-day business functions and cloud-based storage for recordkeeping, ransomware attacks represent a greater risk than ever. The only reasonable response to this simple reality is securing appropriate cyber coverage to mitigate the harm of any such incident. These policies offer robust coverage, though insurers will often deny claims no matter how clearly covered they are. In such cases, coverage counsel can assist in securing the policy benefits you are owed, including potential damages for bad faith if the insurer’s conduct meets the jurisdictional standard.


*David A. Gauntlett is a principal of Gauntlett Law and represents policyholders in insurance coverage disputes regarding intellectual property, antitrust, and business tort claims, as well as in the underlying actions. Mr. Gauntlett can be reached at (949) 514-5662 or dag@gauntlettlaw.com. For more information, visit Gauntlett Law at www.gauntlettlaw.com.

[1] For more information on the basic policies available to combat those risks, see David A. Gauntlett, Insurance Coverage for and IT Consultant’s Role in Media/Cyber Policy Application, https://www.gauntlettlaw.com/blogs/insurance-coverage-for-and-it-consultants-role-in-mediacyber-policy-application (Oct. 14, 2021).

[2] Typically defined in a Cyber policy as “the Unauthorized Access or Use of Computer Systems to mine for Digital Currency that directly results in additional costs incurred by the Insured Organization for electricity, natural gas, oil, or internet.”

[3] See National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., 435 F. Supp. 3d 679, 684–85 (D. Md. 2020) (“[A]lthough the intended use of the software might sever it from the tangible form in which it was originally transmitted…Maryland courts would find physical damage to Plaintiff's computer software, despite its installation on Plaintiff's computer system, because the software was rendered entirely unusable by the ransomware attack.”)

[4] New England Sys. v. Citizens Ins. Co. of Am., No. 3:20-cv-01743 (JAM), 2021 U.S. Dist. LEXIS 93601 (D. Conn. May 17, 2021).

[5] Id. at *11.

[6] See Mondelēz Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-011008 (Ill. Cir. Ct. Oct. 10, 2018).

[7] Merck & Co. v. Ace Am. Ins. Co., 2021 N.J. Super. Unpub. LEXIS 4566.

[8] Id. at *2–3.

[9] Id. at *2.

[10] Id. at *13.

[11] Id.

[12] Id. at *14.

[13] DeVaughn James, LLC v. Palomar Excess and Surplus Ins. Co., Case No. 2:26-cv-02064 (D. Kan., filed Feb. 2, 2026).

[14] Complaint, ¶ 19.

[15] Complaint, ¶ 18.

[16] Complaint, ¶ 25.

[17] National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., 435 F. Supp. 3d 679, 686 (4th Cir. (Md.) Jan. 23, 2020) (A ransomware attack can cause “loss of use, loss of reliability, or impaired functionality demonstrate[ing] the required damage to a computer system, consistent with the "physical loss or damage to" language in the Policy (emphasis added).”)

[18] Zurich Am. Ins. Co. v Sony Corp of Am. et al, Case No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014).
