The recent decision in Inchcape Australia Limited v Chubb Insurance Australia Limited signifies the importance of policy wording in determining which categories of loss are covered by cyber insurance.
Facts of case
Following a ransomware attack, Inchcape sought an indemnity from Chubb under a Financial Institutions Electronic and Computer Crime Policy, for financial losses incurred in repairing computer hardware, software and data.
However, a coverage dispute ensued. The disputed clauses were as follows:
鈥業nsuring Agreement 1 鈥 Computer Systems, 鈥淒irect Financial Loss 鈥 as the direct result of the fraudulent input of Electronic Data 鈥 directly into (1) the Insured鈥檚 Computer System;鈥 or 鈥(2) a Customer鈥檚 Communication System;鈥 or 鈥(3) a Service Entity鈥檚 Computer System;鈥 or 鈥(4) an Electronic Funds Transfer System.鈥 (IA1);
Insuring Agreement 2 鈥 Computer Virus, 鈥淒irect Financial Loss by reason of the loss resulting directly from the damage or destruction of Electronic Data, Electronic Media or Electronic Instruction 鈥 while stored within a Computer System covered under Insuring Agreement 1 鈥︹ (emphasis added) (IA2); and
Insuring Agreement 3 鈥 Electronic Data, Electronic Media, Electronic Instruction, 鈥淒irect Financial Loss resulting directly from: (a) fraudulent modification of Electronic Data, Electronic Media or Electronic Instruction 鈥 within any system covered under Insuring Agreement 1 鈥︹ (emphasis added) (IA3).
A dispute arose as to whether 鈥榙irect losses鈥rising directly from鈥︹ extended cover to include investigation, hardware, resources, additional staffing and data recovery costs.
Judgment
The court found that whilst the 鈥榙ouble directness鈥 wording covered the attack, cover was limited to the direct costs of reproducing damaged or destroyed electronic data, media or electronic instruction, as defined in the policy wording.
In answering whether the wording extended to the other disputed costs, the court held that:
鈥樷榙irect financial loss鈥 is direct loss that flows naturally without intervening cause and which every insured in the same position would suffer. Indirect loss does not so flow; and
鈥榙irect鈥 in an insurance policy means 鈥榩roximate鈥 which does not exclude a step between the cause and the consequence, but importantly, that is subject to other terms and conditions of a policy.鈥
Therefore, 鈥榙irect financial loss a direct (that is, proximate) cause of 鈥 an insured event鈥 for which 鈥榯he connection required excludes the prospect of any intervening step and losses that would not be necessarily and inevitably incurred by every insured given the occurrence of the insured event鈥.
The disputed costs were found to not be a direct financial loss directly from the insured event. The claimant鈥檚 decision to investigate the ransomware attack, replace computer hardware, manually process orders, and incur ancillary costs constituted an intervening step.
Conclusions
This case serves as a useful reminder as to the relatively narrow interpretation of the meaning of 鈥榙irect鈥 (in Australia, although similar interpretations are applied in other jurisdictions). It also serves as a warning to underwriters as to the potential breadth of cover when 鈥榙irectly鈥 or similar qualifications are not applied.