In Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 the Federal Court of Australia was asked by the insured (Inchcape Australia) whether its Chubb Financial Institutions Electronic and Computer Crime Policy indemnified it for a “ransomware attack” on its computer system which, according to Inchcape, encrypted its primary server, deleted the primary and offsite backups, deployed malicious software to laptops and desktop computers, and copied data from a shared drive and published it on the dark web.
Inchcape claimed that this ransomware attack caused it to incur, and to continue to incur, financial losses in repairing and/or replacing hardware, software and data, including investigation costs, hardware costs, resources costs, additional staffing costs, and data recovery costs.
Because the Chubb policy was limited to “direct financial loss” resulting directly from the insured events, and was not a separate cyber insurance policy covering loss resulting from damage to or destruction of the Insured’s Computer Systems, Justice Jagot determined that the policy did not cover:
- The costs of investigating the ransomware attack and preventing further effects of the attack (incident response);
- The costs Inchcape incurred in retrieving or reconstituting the electronic data stolen during the ransomware attack itself;
- The costs of replacing computer hardware including servers, laptops and PCs;
- The costs of “manual processing of orders” (e.g. business interruption loss).
The policy only covered the cost of actually reproducing damaged or destroyed electronic data as well as all loss said to be Direct Financial Loss directly resulting from physical loss of or damage to electronic data.
What risks should be covered?
Assuming that separate cyber insurance cover is available at a reasonable cost, a business needs to satisfy itself whether or not its insurance covers likely scenarios not involving physical damage such as:
- The insured’s costs of detecting any breach, responding to the incident, negotiating with the offenders, business interruption loss, data and system recovery, hardware damage, new network security, reputational harm (including if data is released publicly), and any actual ransom payment.
- Third-party claims such as damage to devices belonging to employees and contractors, customer privacy breach remediation and compensation, shareholder actions and regulatory reporting, investigations and actions and penalties.
Resources
Actuaries Institute, “Cyber Risk and the Role of Insurance” September 2022
Cyber Security Cooperative Research Centre, “Underwritten or Oversold? How cyber insurance can hinder (or help) cyber security in Australia”.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.