Share
Australian businesses are becoming increasingly aware of the potential costs of recovering from a cyber incident, and the importance of cyber insurance in covering those losses. However, cyber insurance policies vary widely in their wording, and so it is particularly important for an insured to consider whether a particular policy will cover the full range of costs it may incur in the event of an incident.
The recent Federal Court decision in Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 emphasises the importance of considering the precise wording of the policy when determining whether a cyber insurance policy will adequately cover an insured for potential losses. The case is the first Australian judicial decision to provide guidance on the meaning of the expression “direct financial loss resulting directly from” a cyber incident.
Background
Inchcape Australia Limited (Inchcape), an automotive services firm, suffered a ransomware attack on its systems which encrypted its primary server, deleted the primary and offsite backups, deployed malicious software to laptops and desktop computers, and exfiltrated data from a shared drive.
Inchcape incurred various costs in responding to the incident, including the costs of conducting an investigation of the incident, replacing hardware, restoring software, reconstructing data, and arranging additional staff to manually process orders.
Inchcape was insured by Chubb under its Financial Institutions Electronic and Computer Crime Policy (the Policy). The Policy is a specialised policy which covers direct financial loss arising from a number of types of computer crime, and is much narrower in scope than Chubb’s general cyber insurance policy.
Inchcape claimed indemnity for its losses under the Policy, relying on Insuring Agreements 2 and 3, which provided the following cover:
Insuring Agreement 2 - Computer Virus
"Direct Financial Loss by reason of the loss resulting directly from the damage or destruction of Electronic Data, Electronic Media or Electronic Instruction owned by the Insured or for which the Insured is legally liable while stored within a Computer System covered under Insuring Agreement 1…"
Insuring Agreement 3 - Electronic Data, Electronic Media, Electronic Instruction
"Direct Financial Loss resulting directly from: (a) the fraudulent modification of Electronic Data, Electronic Media or Electronic Instruction being stored within or being run within any system covered under Insuring Agreement 1, (b) robbery, burglary, larceny or theft of Electronic Data, Electronic Media or Electronic Instruction, or (c) the acts of a hacker causing damage or destruction of Electronic Data, Electronic Media or Electronic Instruction owned by the Insured or for which the Insured is legally liable while stored within a Computer System covered under Insuring Agreement 1."
In addition, General Condition 4(i) of the Policy relevantly provided:
“In case of loss of, or damage to, Electronic Data, Electronic Media or Electronic Instruction used by the Insured in its business, Chubb shall be liable under this Policy only if such items are actually reproduced by other Electronic Data, Electronic Media or Electronic Instruction of the same kind of quality and then for not more than the cost of the blank media plus the cost of labour for the actual transcription or copying of data which shall have been furnished by the Insured in order to reproduce such Electronic Data, Electronic Media or Electronic Instruction, subject to the applicable Aggregate Limit of Indemnity and/or One -Loss Sub-Limit.”
Decision
Effect of General Condition 4(i)
Chubb successfully argued that Insuring Agreements 2 and 3 did not cover Inchcape’s losses, as General Condition 4(i) limited indemnity under those Insuring Agreements to:
- in the case of Electronic Media, the costs of replacing the affected media with suitable blank media; and
- in the case of Electronic Data, the labour costs for the actual transcription or copying of the electronic data.
Inchcape argued that the opening words of General Condition 4(i) “in case of loss of, or damage to, Electronic Data…” effectively meant “for loss of, or damage to, Electronic Data…” and were intended to define the scope of the limitation in General Condition 4(i).
By contrast, Chubb argued, and the Court accepted, that those words were intended to identify the event on which the operation of General Condition 4(i) depends, namely an event within the scope of Insuring Agreements 2 or 3. They effectively meant “in the event of loss of, or damage to, Electronic Data…” or “if there is loss of, or damage to, Electronic Data…”, and so the effect of the subsequent words “Chubb shall be liable under this Policy only if … and then for not more than…” was to limit the scope of the indemnity under Insuring Agreements 2 and 3.
Meaning of “direct financial loss resulting directly from”
In the alternative, Chubb argued that the fact that Insuring Agreements 2 and 3 only covered “direct financial loss resulting directly from” the insured events also had a limiting effect on the indemnity under those Insuring Agreements, and that Inchcape’s losses were insufficiently direct.
The Court also accepted this argument. Following an examination of the relevant authorities, the Court found that “direct financial loss resulting directly from” as used in Insuring Agreements 2 and 3 was limited to direct financial loss, the proximate cause of which is an insured event. The Court held that this meant there must be no intervening step between the insured event and the loss, and that the loss must be of a kind that would necessarily and inevitably be incurred by every insured which experienced the insured event.
Consequently, the Court held that the costs of investigating the ransomware incident, replacing computer hardware, and manually processing orders were not direct financial losses resulting directly from the insured events, because they required the intervening step of Inchcape deciding to undertake those steps. The Court also did not consider that these costs would necessarily have been incurred by every insured following a ransomware incident.
With respect to the costs of replacing computer hardware, the Court also considered that it was relevant that the Policy did not cover loss resulting from damage to or destruction of the insured’s computer systems, but only direct financial loss directly resulting from certain acts done to Electronic Data (etc). While there was a causal link between the ransomware incident and the replacement of Inchcape’s computer hardware, the costs were not sufficiently proximate to be a direct financial loss resulting directly from the insured events.
Furthermore, while the tasks involved in reproducing damaged or destroyed Electronic Data may be capable of constituting direct financial loss, in this case General Condition 4(i) expressly limited indemnity to the “cost of labour for the actual transcription or copying of data which shall have been furnished by the Insured” (emphasis added). As such, Inchcape was responsible for the costs of “furnishing” (or recovering or reconstructing) the data before it was copied onto the new or recovered computer systems.
Conclusion
Ransomware attacks can have devastating consequences for businesses and the costs of recovering from the incident can be substantial. Cyber insurance policies vary widely in their wording, and so it is particularly important for an insured to consider whether a particular policy will cover the full range of costs it may incur in the event of an incident.
This decision emphasises the importance of considering the precise wording of the policy when determining whether a cyber insurance policy will adequately cover an insured for potential losses. In this case, General Condition 4(i) and the limitation of coverage to “direct financial loss resulting directly from” an insured event meant that it covered only a fraction of Inchcape’s costs of recovering from the ransomware incident.
Inchcape filed an application for leave to appeal on 22 August 2022. We will continue to follow the developments of this case and provide an update following the hearing which, at the time of writing, is set down for 30 November 2022.
Further reading
Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883
Read other items in the Australian Insurance Brief – September 2022
Information technology
Insurance and reinsurance
Australia