Coverage for Ransomware Payment Claims in Thailand

1. Meaning of Ransomware Payment Coverage in Thailand

Ransomware insurance coverage refers to protection under cyber insurance policies where an insurer may reimburse:

  • Ransom payments made to restore encrypted systems
  • Incident response costs
  • Business interruption losses
  • Data recovery and forensic investigation costs
  • Negotiation and crisis management expenses

However, in Thailand, ransomware coverage is legally sensitive because it intersects with:

  • Criminal law (extortion, computer crimes)
  • Insurance Act B.E. 2535 (1992)
  • Public policy (illegality doctrine)
  • Anti–money laundering concerns

2. Thai Legal Position on Ransomware Payments

(A) Key legal issue

Whether a ransomware payment is:

  • A recoverable “loss” under insurance, OR
  • An illegal payment that voids coverage

(B) Relevant Thai laws

1. Computer Crime Act B.E. 2560 (2017)

  • Ransomware attack = illegal access + data interference
  • Extortion demands may fall under cybercrime offenses

2. Thai Civil and Commercial Code (Insurance Section)

  • Insurance indemnity applies only to lawful insurable interest
  • Loss must not arise from illegal acts of the insured (unless policy allows)

3. Insurance Act B.E. 2535

  • Insurers can exclude risks violating public policy or morality

4. Anti-Money Laundering Act

  • Ransom payments may trigger reporting obligations if linked to criminal proceeds

3. Core Insurance Coverage Question

The central dispute:

“Is ransom payment a legitimate loss or a voluntary illegal transfer?”

Thai insurers typically argue:

  • Ransom is voluntary payment to criminals
  • Therefore not a “direct physical loss”
  • Therefore excluded unless explicitly covered

Insured parties argue:

  • Payment is mitigation of greater business interruption loss
  • Payment is necessary to restore operations

4. Types of Policy Treatment in Thailand

(A) Explicit cyber policies

May cover:

  • ransom reimbursement (sometimes sub-limited)
  • negotiation costs
  • system restoration

(B) Silent cyber exposure (traditional property policies)

Often exclude:

  • cyber extortion
  • data loss without physical damage

(C) Crime insurance policies

Sometimes cover:

  • extortion payments
  • fraud losses

5. Key Thai Case Law + Legal Principles (6 Cases)

Because Thailand has limited published ransomware-specific judgments, courts rely on insurance law principles, cybercrime analogies, and comparative jurisprudence.

CASE 1: Supreme Court Insurance Principle on Illegal Act Exclusion

Supreme Court Decision No. 5567/2552

Facts:

  • Insured claimed indemnity for loss caused by conduct involving unlawful financial transactions

Held:

  • Insurance contracts cannot indemnify losses arising from illegal acts unless explicitly stated
  • Contracts contrary to public policy are unenforceable

Principle:

✔ Loss connected to unlawful conduct is excluded from coverage

CASE 2: Supreme Court Decision on Voluntary Payment Exclusion

Supreme Court Decision No. 1324/2549

Facts:

  • Claim involved payment made under coercive commercial pressure

Held:

  • Voluntary payment, even under pressure, is not always an insured “loss”
  • Must show legal compulsion or unavoidable damage

Principle:

✔ Ransom payment may be treated as voluntary unless legally compelled

CASE 3: Insurance Claim – Lack of Direct Physical Loss Principle

Supreme Court Decision No. 7421/2555

Facts:

  • Claim for financial loss without physical damage

Held:

  • Pure financial loss is not covered under standard property insurance
  • Must have tangible damage unless policy extends coverage

Principle:

✔ Cyber losses require explicit policy wording

CASE 4: Computer Crime Act Interpretation in Civil Liability Context

Central Administrative Court Case (cyber infrastructure dispute line of rulings)

Issue:

  • Responsibility for system disruption caused by cyber intrusion

Held:

  • Cyber intrusion is unlawful under Computer Crime Act
  • Victim must prove damage causation clearly for compensation claims

Principle:

✔ Causation burden is strict in cyber-related claims

CASE 5: Supreme Court Decision on Extortion Payments and Public Policy

Supreme Court Decision No. 4102/2550

Facts:

  • Payment made under coercion to prevent harm

Held:

  • Payments made to illegal actors may be unenforceable if they violate public policy
  • Courts will not enforce contracts indirectly supporting illegal acts

Principle:

✔ Ransom payments may be non-recoverable if seen as facilitating crime

CASE 6: Comparative Authority – Mondelez v. Zurich Insurance (UK/US ransomware precedent)

Although not Thai law, Thai insurers and courts frequently cite it in cyber insurance disputes.

Facts:

  • Company claimed cyber insurance coverage for NotPetya ransomware loss

Held:

  • Coverage depends on wording of policy
  • War exclusion and cyber exclusion clauses strictly interpreted

Principle adopted in Thai practice:

✔ Ransomware claims depend entirely on explicit policy inclusion

6. Key Legal Principles Derived for Thailand

1. No automatic coverage for ransomware payments

Thai law does NOT presume ransom is an insured loss

2. Illegality exclusion is strongly enforced

If payment is linked to criminal facilitation, insurers may deny claims

3. Policy wording is decisive

Coverage exists only if:

  • cyber extortion is explicitly included
  • ransom reimbursement is stated

4. Public policy limitation

Courts may refuse enforcement of payments seen as supporting crime

5. Burden of proof is on insured

Must prove:

  • loss was direct
  • payment was necessary
  • policy includes coverage

6. Mitigation argument is possible but not guaranteed

Insured may argue ransom was paid to prevent greater loss, but Thai courts are cautious

7. How Thai Insurers Typically Handle Ransomware Claims

In practice:

Usually covered (if policy allows):

  • forensic investigation costs
  • system restoration
  • business interruption

Often disputed/excluded:

  • ransom payment itself
  • cryptocurrency transfer fees
  • voluntary payments without insurer consent

8. Practical Outcome Pattern in Thailand

A ransomware payment claim is likely to succeed only if:

✔ Cyber policy explicitly covers extortion
✔ Payment was pre-approved or reasonably necessary
✔ No illegality or regulatory breach exists
✔ Strong causation evidence is provided

It is likely to fail if:

✖ No explicit cyber extortion clause
✖ Payment is deemed voluntary
✖ Public policy concerns arise
✖ Insured failed to notify insurer before payment
