Like all forms of insurance, the cover actually provided by policies which might be thought to cover losses arising from ‘cyber risk’ depends on the precise terms of the policy. Before placement, those terms should be carefully considered to ensure the cover is appropriate for the policyholder, in particular the types of risks its business faces and the losses it may suffer if those risks occur.
This is illustrated by the recent Federal Court decision in Inchcape Australia Ltd v Chubb Insurance Australia Ltd  FCA 883. The policy in question provided cover for electronic crime exposures, and in this case was triggered by a ransomware attack. However, Justice Jagot of the Federal Court held that cover for loss resulting from the damage or destruction of data was limited merely to the cost of replacing that data and did not extend to providing cover for the broader range of consequential losses suffered by the policyholder.
Insurance policies for computer crime and associated cyber risks are relatively new products in the market, with few reported decisions on coverage and a variety of policy wordings and product classes, which means careful consideration of the terms upfront remains critical.
Inchcape operates an automotive distribution, retail and logistics business, which was impacted when a “ransomware attack” encrypted its data, deleted backups, installed malware on computers, and published its data on the “dark web”. It incurred various costs in repairing or replacing hardware, software and data, as well as in manually processing orders while its computer systems were being restored, and in investigating and responding to the cyber attack.
It made a claim for those losses under Chubb’s “Financial Institutions Electronic and Computer Crime Policy” (the Policy), which insured it against, amongst other things:
Insuring Agreement 1 – Computer Systems
Direct Financial Loss by reason of the Insured having debited any account, paid or delivered any funds or property, given any value or transferred, paid or delivered any funds or property as the direct result of the fraudulent input of Electronic Data or the fraudulent preparation or fraudulent modification of Electronic Instruction directly into
(1) the Insured’s Computer System; or
(2) a Customer Communication System; or
(3) a Service Entity’s Computer System; or
(4) an Electronic Funds Transfer System.
Insuring Agreement 2 – Computer Virus
Direct Financial Loss by reason of the loss resulting directly from the damage or destruction of Electronic Data, Electronic Media or Electronic Instruction owned by the Insured…
Insuring Agreement 3 – Electronic Data, Electronic Media, Electronic Instruction
Direct Financial Loss resulting directly from:
(a) the fraudulent modification of Electronic Data, Electronic Media or Electronic Instruction…,
(b) robbery, burglary, larceny or theft of Electronic Data, Electronic Media or Electronic Instruction, or
(c) the acts of a hacker causing damage or destruction of Electronic Data, Electronic Media or Electronic Instruction owned by the Insured…
Relevantly, a valuation clause in the Policy provided:
In case of loss of, or damage to, Electronic Data, Electronic Media or Electronic Instruction used by the Insured in its business, Chubb shall be liable under this Policy only if such items are actually reproduced by other Electronic Data, Electronic Media or Electronic Instruction of the same kind of quality and then for not more than the cost of the blank media plus the cost of labour for the actual transcription or copying of data which shall have been furnished by the Insured…
Chubb also argued that Insuring Agreements 2 and 3 only applied if cover was available under Insuring Agreement 1, i.e. that for any loss at all to be covered, a fraudulent transfer must have occurred. It argued that the policy title “Financial Institutions Electronic and Computer Crime Policy” (emphasis added) indicated that the most significant risk covered by the policy was the loss of funds by reason of fraudulent interference.
Relying on the valuation clause, Chubb argued that Insuring Agreements 2 and 3 did not respond to Inchcape’s losses because the extent of the insurer’s liability in the case of “loss of, or damage to, Electronic Data” was limited to the cost of blank media plus the cost of transcribing or copying any data which is actually reproduced. In an increasingly common feature of insurance litigation in the Federal Court, the issue was determined by Jagot J by answering several “separate questions” framed by the parties (the responses to which were capable of determining the whole dispute without the need for a further hearing).
Despite accepting Inchcape’s argument that Insuring Agreements 2 and 3 are not concerned only with the loss of or damage to Electronic Data, Jagot J nevertheless concluded that a “closer examination” of the Policy terms supported Chubb’s argument. In particular, her Honour found that the opening words to the valuation clause, “In case of loss of, or damage to, Electronic Data”, would necessarily be triggered if there was an insured event under Insuring Agreements 2 and 3. Those words were to be treated as meaning “in the event of” or “if there has been” relevant loss or damage, such that the subsequent words “Chubb shall be liable under this Policy only if … and then for not more than …” defined the scope of Chubb’s liability under Insuring Agreements 2 and 3. It followed that the insurer was successful on this principal argument.
In the alternative, Chubb argued that the meaning of “direct financial loss” had the same effect, such that Inchcape’s losses were insufficiently direct for the purposes of Insuring Agreements 2 and 3, or were excluded as indirect or consequential losses. This was also accepted, with Jagot J concluding that the requirement of “directness”, when read subject to the terms of the Policy, meant that Inchcape was only covered under Insuring Agreements 2 and 3 for “loss that every [insured] in a like situation will suffer”. That cover did not extend to losses which required an “intervening step” which would not necessarily have been taken by every insured. It followed, so her Honour found, that the costs of investigating and responding to the ransomware attack, manually processing orders, and replacing computer hardware were not covered because they involved the intervening step of Inchcape deciding to take those actions.
Regarding Chubb’s argument that Insuring Agreement 1 must first be triggered, the Court held that Insuring Agreements 2 and 3 were not dependent on cover being available under Insuring Agreement 1. Jagot J was not persuaded that the reference to Insuring Agreement 1 in Insuring Agreements 2 and 3 should be read in that way or that the title of the policy required such an interpretation.
The conclusions reached by Jagot J are noteworthy considering the apparently broad terms of Insuring Agreements 2 and 3 (which were read down by reference to the valuation clause) and the stringent directness requirement which was applied. We understand that Chubb has filed an application for leave to appeal the decision. We expect the appeal to be focused on the first instance judge’s conclusion that cover under Insuring Agreements 2 and 3 was not dependent on a fraudulent transfer of funds having occurred (Insuring Agreement 1).
Regardless of the outcome on appeal, the decision demonstrates the importance of carefully considering the terms of your insurance policies before placement, rather than needing to litigate coverage once loss has occurred. In this case, the policy taken out was designed as a Crime insurance policy and focused on direct financial loss, and did not specifically cover consequential (business interruption) losses caused by the ransomware attack. More generally, consideration should start with the loss intended to be covered so the policy is fit for purpose, and include ascertaining the meaning and operation of any limitation, exclusion or like clause and how these affect the scope of cover provided by the insuring clauses. Policyholders should consider whether their cyber risk is best covered by a specific cyber insurance policy which allows a bespoke approach to selecting coverage for specific risks caused by cyber incidents including business interruption losses.