Executive Summary: Key Legal and Evidentiary Issues

• Dispute over whether a $1.5M or $3M USD retention applied under a cyber insurance policy following a ransomware incident

• Interpretation of whether a specialized endorsement (Endorsement 23) applied to claims not explicitly made under it

• Determination of whether the insured’s purchase of new laptops qualified as a “reasonable and necessary” expense under the policy

• Assessment of whether a property damage exclusion could be used to deny coverage for ransomware-related losses

• Evaluation of admissibility and necessity of expert cybersecurity opinion in interpreting policy terms

• Application of standard insurance interpretation principles, including contra proferentem and burden of proof on exclusions.

Facts and procedural background

Panasonic Canada Inc., a subsidiary of Panasonic North America, experienced a cyberattack in February 2022 when a malicious file was opened by an employee, leading to a ransomware event. External hackers deployed malware, exfiltrated sensitive files, and demanded that Panasonic contact them—though no ransom was paid. Panasonic’s internal policy prohibited engagement with attackers. The company immediately initiated remediation, engaging several third-party experts for forensic IT services, legal advice, and credit monitoring. In its effort to avoid re-infecting its network, Panasonic purchased 140 new laptops after determining that many devices had been compromised.

At the time of the incident, Panasonic held a cyber insurance policy with XL Specialty Insurance Company. The policy had a standard retention (deductible) of $1.5 million USD, except under a specific ransomware endorsement—Endorsement 23—which applied a higher $3 million USD retention for “ransomware event losses.”

Panasonic made claims under the core parts of the policy (e.g., data breach response, business interruption, and data recovery), but explicitly did not make a claim under Endorsement 23, which covered actual ransom payments and associated negotiations. However, XL took the position that the ransomware endorsement’s definitions and higher retention applied to the entire policy, regardless of which section the claim was made under. XL also argued that replacing laptops was an unnecessary betterment rather than a covered mitigation expense.

Court’s analysis and findings

The Ontario Superior Court of Justice rejected XL’s position on multiple fronts. On the interpretation of the policy, the court emphasized that the definitions in Endorsement 23 were expressly limited to that endorsement alone. The policy stated that these definitions applied “solely for the purposes of this Endorsement,” and the court found that Panasonic was entitled to choose to proceed under other insuring agreements rather than Endorsement 23. Therefore, the lower $1.5 million USD retention applied.

The court also found the replacement of 134 laptops to be reasonable and necessary under the business interruption and extra expense coverage. Panasonic had provided evidence that the affected employees could not work without new devices and that alternatives such as leasing or replacing hard drives would not have been cost-effective. The court rejected XL’s claim that these expenses amounted to a betterment, as there was no such limitation in the wording of the extra expense coverage.

The insurer’s attempt to rely on a property damage exclusion also failed. The judge found that the exclusion did not apply because the breach occurred before any alleged “property damage” and therefore did not arise from it. Additionally, the court declined to admit expert evidence submitted by XL’s cybersecurity consultant, ruling that interpreting the insurance contract did not require specialized expertise, and the factual elements of the cyberattack were not in dispute.

Conclusion and outcome

The court ruled in favor of Panasonic, holding that the standard $1.5 million USD retention applied and that the expenses incurred in response to the cyberattack—including the laptop purchases—were covered under the policy. The property damage exclusion did not apply, and the expert evidence was deemed unnecessary. The claim for six additional laptops was denied, as they were not shown to be necessary. The parties had pre-agreed on damages and costs, which the court allowed to be formalized by subsequent order.