The evolution of ransomware is bringing a wider range of risks to insurance policyholders, with new government regulations, exfiltration of data and state-sponsored actors adding to the mix, attorneys with the Anderson Kill law firm said during a webinar last week.

“It keeps morphing, and it keeps getting more perilous,” said Joshua Gold, a shareholder with the firm’s New York office.

Gold and Washington, D.C. partner Daniel J. Healy spoke during the fourth and final webinar for Anderson Kill’s annual policyholder advisor conference.

Gold said government regulators are adopting new rules that penalize organizations that don’t take proper precautions to prevent hackers from planting malware in computer networks.

For example, the California Privacy Rights Act will take effect on Jan. 1, imposing hefty penalties for violations of privacy rules and empowering California residents to file lawsuits against violators. Gold said the CPRA is an analog to the European Union’s General Data Protection Regulation, which brought “staggering fines” against organizations that did not prevent hackers from stealing personal information.

Ransomware itself has become more sophisticated. Healy said the “overwhelming majority” of ransomware attacks also exfiltrate data from the organizations they attack, adding the risk of privacy violations to the cost of the ransom.

Healy said recent attacks by hackers in Russia and Eastern Europe, such as the June 2021 ransomware attack that led to the shutdown of the Colonial Pipeline, show that infrastructure is a prime target. He said businesses that provide public services, such as pipelines and electrical transmission, need to protect not only their own computer networks but also demand strict safety protocols by any vendors that are linked in.

Insurers will often deny claims when the perpetrator is a suspected state-sponsored actor, citing the act of war exclusion that has been included in insurance policies for more than 100 years, the attorneys said. Insurers will also attempt to evade coverage by arguing that a ransomware attack did not lead to a “direct loss” by the policyholder.

Fortunately, recent court decisions have narrowed the range of exclusions available to insurers.

In January, the Superior Court of New Jersey ruled insurers cannot use the act of war exclusion to avoid covering about $1.4 billion in damages that Merck & Co. said it suffered from a spring 2017 cyber attack known as NotPetya. The court said the ancient exclusion was ambiguous in the context of a modern-day cyber attack.

On Dec. 6, the U.S. District Court in Oregon ruled that Federal Insurance Co. must reimburse Yoshida Foods, an international food distributor, for the $100,000 that its president paid to restore access to the company’s computer network. The judge rejected the insurer’s argument that there was no coverage because of a “fraudulent instruction” exclusion and that the company did not suffer a direct loss because its president paid the ransom out of his personal funds and was not reimbursed until 14 months later.

Gold said because the law is in a constant state of flux, policyholders should never assume that a cyber loss is or is not covered.

“Even if you have good insurance, you may have to fight for your coverage,” he said.