At a glance:
Boardrooms need to understand the scope of cyber insurance coverages and how their program may or may not respond to an event.
Two recent Federal Court judgements provide important guidance on the scope of cyber insurance and risk management.
In this article we examine the scope of cover under cyber insurance policies and evaluate the recent case of Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 (1 August 2022).
Scope of cyber insurance coverage
A recent judgment from the Federal Court examining the cover available for losses associated with a ransomware event is a reminder that businesses need to have a clear understanding of the scope of their insurance coverages and how their broader insurance program may, or may not, respond to an event.
The Cyber Attack
The automotive services provider, Inchcape Australia was the subject of ransomware attack in December 2020. The effect of the attack on the business was significant. The primary server was encrypted, primary and offsite backups were deleted and malicious software was deployed to user computers. In addition, Inchcape found itself in the position of having to deal with a data breach, with documents stolen from a shared drive and published on the dark web.
Inchcape made a claim under its Financial Institutions Electronic and Computer Crime Policy with Chubb, seeking costs incurred in:
investigating and responding to the ransomware attack,
repairing and replacing hardware and data,
the costs of recovering data, including actually reproducing damaged or destroyed data; and
additional staffing costs.
Reports indicate the value of Inchcape’s claim on the policy was approximately $2.3m and the overall losses were in the order of $4m.
Chubb denied that the losses claimed fell within the insuring clauses of the implemented Crime policy.
The Federal Court decision
In judgment delivered this month in Inchcape Australia Limited v Chubb Insurance Australia Limited, Justice Jagot examined the scope of the insuring clauses and in particular, the meaning of “direct financial loss resulting directly from”.
Insuring Agreement 1 was not met as this required there to have been a loss of funds as a result of some fraudulent input or modification of an electronic instruction in a computer system. Justice Jagot did not agree with Chubb’s first contention, that the other insuring clauses relied on by Inchcape (IA2– Computer Virus and IA3 – Electronic Data, Electronic Media, Electronic Instruction) were predicated on the first insuring clause being triggered.
The ransomware event and in particular the loss of or damage to Electronic data could be considered under these insuring clauses however, the type of financial loss covered here was very limited.
Given the policy language cover was limited to only the “cost of the blank media plus the cost of labour for the actual transcription or copying of data if such data (etc) is actually reproduced by other Electronic Data, Electronic Media or Electronic Instruction of the same kind of quality.”
Interestingly, the Court found “loss resulting directly from” as used in IA 2 and IA 3 means loss the proximate cause of which is an insured event. It does not allow for any intervening step.
Inchcape’s decision to investigate the ransomware attack and the decision to replace hardware and reproduce damaged electronic data and manually process orders were characterised as intervening steps. They would not necessarily be inevitably incurred in the same way by every insured in the same situation. The Consequential Loss exclusion was also found to apply here.
The Implications of the decision
Businesses need to be aware of circumstances where the event is one that would likely trigger a dedicated Cyber Insurance policy, however the loss is one that would not be met by a more traditional Crime policy.
Inchcape helps demonstrate that a traditional computer crime policy does not often provide cover for all of the types of costs that can be expected when faced with a ransomware or other serious cyber attack.
Dedicated Cyber policies are designed to fill this gap and traditionally provide cover for the types of costs Inchcape was unable to recover here.
Areas of First party cover are likely to include:
Incident breach response costs:
- Specialist incident response managers (traditionally lawyers) to manage and advise on an incident
- Costs of specialist IT forensic vendors to investigate, establish the scope of the incident and mitigate the event
- Costs of a PR firm to manage reputational risk and response communication
- Notification costs to notify affected individuals of a data breach and the relevant regulatory agencies and authorities.
Cyber extortion loss including in some instances ransom payment;
Legal costs of dealing with regulatory proceedings, privacy related matters and contractual obligations/breaches; and
Business Interruption including increased staffing costs and loss of income
In some cases, cyber insurers may also offer cover extending to some hardware replacement costs, subject to betterment.
Regulator Focus
The financial, operational and reputational implications of a cyber attack on a business can be significant and broad ranging.
Australian regulators are demonstrating an increased appetite for enforcement action where a company fails to have adequate cybersecurity and cyber risk management controls and frameworks in place.
In the first ever enforcement action, reported in May this year ASIC was successful in establishing AFSL licensee RI Advice Group Pty Ltd had contravened ss 912A(1)(a) and (h) Corporations Act.
A key area of weakness was failure to improve processes and implement measures to strengthen cyber security in a timely way once deficiencies had been identified through various cyber incidents. The Court noted that while it is not possible to completely eliminate cyber risk, it is possible to materially reduce cyber risk to an acceptable level through the implementation of adequate cyber security documentation and controls.
The Court made orders requiring RI Advice to engage a cybersecurity expert to identify any further cyber security and cyber resilience documentation and controls necessary for RI Advice to adequately manage its risk. RI Advice was also ordered to pay $750,000 towards ASIC’s legal costs.
Following the judgment ASIC Commissioner Danielle Press reminded Boards:
We expect directors to educate and equip themselves to drive their organisation’s cyber resilience culture. ASIC encourages directors to:
Consider their risk management framework and risk appetite to ensure it adequately deals with cybersecurity risk
Enquire about incident response and business continuity plans to determine the organisation’s preparedness to respond to cybersecurity incident.
Ensure access to appropriate resources to effectively manage cybersecurity risk, whether it be in-house or through commercial arrangements."[4]
Cyber insurance policies can directly and indirectly address all of these three points, through insurer value add, and incident response panel access. ASIC noted that a failure to address cyber risks or comply with disclosure obligations may be a breach of directors’ duties.
"ASIC encourages directors to consider their risk management framework, enquire about incident response plans, and ensure access to appropriate risk management resources. Failure to address cyber risks or comply with disclosure obligations may be a breach of directors’ duties."
Implementing a Cyber Insurance policy assists in demonstrating that the Executive and Board seriously address Cyber risk through investment, education and risk transfer.
Key takeaways
It is more important than ever for businesses to have adequate and well tested plans and procedures in place for assessing and strengthening their cybersecurity on an ongoing basis, identifying deficiencies and responding in a proactive manner once events occur.
Organisations should look to identify their risks, mitigate their exposures as best possible, and transfer the remaining risk (through a tailored insurance program).
Developing and ever-changing technology and cyber risks cannot and should not be addressed on a single policy basis. It is important to understand the scope of cover available under any particular computer crime or Cyber policy, whilst also considering your broader insurance program implications.
Implementing a dedicated Cyber Insurance policy to cover off the unknowns is the role of cyber insurance and should continue to be implemented as part of an organisation’s broader risk management strategy.
Endnotes
[1] Cameronne, Cindy, 1 Aug 2022, https://www.lawyerly.com.au/chubb-falls-short-in-2-3m-dispute-over-coverage-for-inchcape-ransomware-attack/
[2] [2022] FCA 883 (1 August 2022)
[3] (ASIC v RI Advice Group Pty Ltd [2022] FCA 496).
[4] Press, Danielle, 1 July 2022, “Be prepared”, https://www.aicd.com.au/risk-management/framework/cyber-security/be-prepared-cybersecurity-risk.html
[5] https://asic.gov.au/about-asic/news-centre/articles/cyber-risk-be-prepared/