�������ϲ�����

The recent decision in Inchcape Australia Limited v Chubb Insurance Australia Limited signifies the importance of policy wording in determining which categories of loss are covered by cyber insurance.

Facts of case

Following a ransomware attack, Inchcape sought an indemnity from Chubb under a Financial Institutions Electronic and Computer Crime Policy, for financial losses incurred in repairing computer hardware, software and data.

However, a coverage dispute ensued. The disputed clauses were as follows:

‘Insuring Agreement 1 – Computer Systems, “Direct Financial Loss … as the direct result of the fraudulent input of Electronic Data … directly into (1) the Insured’s Computer System;’ or ‘(2) a Customer’s Communication System;’ or ‘(3) a Service Entity’s Computer System;’ or ‘(4) an Electronic Funds Transfer System.” (IA1);

Insuring Agreement 2 – Computer Virus, “Direct Financial Loss by reason of the loss resulting directly from the damage or destruction of Electronic Data, Electronic Media or Electronic Instruction … while stored within a Computer System covered under Insuring Agreement 1 …” (emphasis added) (IA2); and

Insuring Agreement 3 – Electronic Data, Electronic Media, Electronic Instruction, “Direct Financial Loss resulting directly from: (a) fraudulent modification of Electronic Data, Electronic Media or Electronic Instruction … within any system covered under Insuring Agreement 1 …” (emphasis added) (IA3).

A dispute arose as to whether ‘direct losses…arising directly from…’ extended cover to include investigation, hardware, resources, additional staffing and data recovery costs.

Judgment

The court found that whilst the ‘double directness’ wording covered the attack, cover was limited to the direct costs of reproducing damaged or destroyed electronic data, media or electronic instruction, as defined in the policy wording.

In answering whether the wording extended to the other disputed costs, the court held that:

‘‘direct financial loss’ is direct loss that flows naturally without intervening cause and which every insured in the same position would suffer. Indirect loss does not so flow; and

‘direct’ in an insurance policy means ‘proximate’ which does not exclude a step between the cause and the consequence, but importantly, that is subject to other terms and conditions of a policy.’

Therefore, ‘direct financial loss a direct (that is, proximate) cause of … an insured event’ for which ‘the connection required excludes the prospect of any intervening step and losses that would not be necessarily and inevitably incurred by every insured given the occurrence of the insured event’.

The disputed costs were found to not be a direct financial loss directly from the insured event. The claimant’s decision to investigate the ransomware attack, replace computer hardware, manually process orders, and incur ancillary costs constituted an intervening step.

Conclusions

This case serves as a useful reminder as to the relatively narrow interpretation of the meaning of ‘direct’ (in Australia, although similar interpretations are applied in other jurisdictions). It also serves as a warning to underwriters as to the potential breadth of cover when ‘directly’ or similar qualifications are not applied.