The Indiana Supreme Court unanimously ruled Thursday that neither a W.R. Berkley Co. unit nor an oil company is entitled to summary judgment in a dispute over coverage of a ransomware incident, sending the case down to the lower court for further proceedings.

However, a policyholder attorney says the ruling in G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co. is a positive development for the insured.

The court’s ruling, which overturns two lower court rulings in Berkley’s favor, states the issue is whether a computer was used to “fraudulently cause a transfer,” as required under the commercial crime coverage provision in the oil company’s policy.

Muncie, Indiana-based G&G Oil discovered in November 2017 it was locked out of its computer systems in a ransomware attack, but was able to restore its operations after paying nearly $35,000 in bitcoins, according to the ruling.

Berkley unit Continental Western denied its claim for coverage and G&G Oil filed suit against the insurer. The trial court ruled in Berkley’s favor on the basis the loss was not “fraudulently caused” but was instead the result of theft. 

The ruling was affirmed by a state appeals court, which held the hacker did not engage in deception to induce the company to purchase the bitcoin.

The term “‘fraudulent cause a transfer’ can be reasonably understood as simply ‘to obtain by trick,’” the ruling said, in citing an earlier case. “We cannot say with confidence G&G Oil has designated reliable evidence to entitle it to summary judgment,” it said.

“We do not think every ransomware attack is necessarily fraudulent. For example, if no safeguards were put in place, it is possible a hacker could enter a company’s servers unhindered and hold them hostage. There would be no trick there. G&G’s Oils’ belief of a spear-phishing campaign does not entitle it to summary judgment.

“Nor is summary judgment appropriate for Continental,” the ruling said. “We think – as above – there is a question as to whether G&G Oil’s computer systems were obtained by trick.

“Though little is known about the hack’s initiating event, enough is known to raise a reasonable inference the system could have been obtained by trick,” it said, in remanding the case for further proceedings.

Scott Godes, a partner with Barnes & Thornburg LLP in Washington, who submitted an amicus brief in the case on behalf of United Policyholders, an insurance consumer advocate organization,  supporting the gas company, said he is hopeful the trial court will rule in the company’s favor.  “This (ruling) has given the policyholder a clear shot at coverage,” he said.

“This is a great decision for policyholders,” on an issue that has not seen a lot of judicial authority, he said. “It’s nice to see the court recognize that crime insurance can cover ransomware losses.”

Other attorneys in the case did not respond to requests for comment.

Much of the increased claim frequency and severity for cyber coverage, which is expected to lead to 20% to 50% rate increases this year, is driven by ransomware, according to a report issued earlier this month.