In late December, a state supreme court ruled that a cyber insurance policy covering physical loss to electronic equipment and "media" did not cover a ransomware attack that left software encrypted and inoperable. The court ruled both that the software itself is not protected "media" and that the encryption of the software is not physical damage.  

Why It Matters

If your business depends on software, your best bet for protecting against ransomware and other attacks is a multipronged plan. Insurance is important -- make sure you know what is covered -- but so are capabilities such as redundant availability/restore from back-up, appropriate technical security, and training of employees on phishing and social engineering methods. There is no single solution that can prevent an attack, but having a combination of prevention and mitigation strategies can make a cyber event a manageable annoyance rather than a crippling loss.  

The justices rejected the company's argument, saying that while computer software is included in the definition of "media," it is included only when it is "contained on covered media." The justices also held that the policy requires direct physical loss of or damage to that media containing the software for the policy to provide coverage for the software.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.