Australian court finds insurer not liable for ransomware clean-up costs – Security
An Australian lawsuit over ransomware insurance cover has ruled the victim, automotive distributor and services firm Inchcape, can’t claim costs it incurred in the clean-up and recovery from the attack, such as for forensics, incident response and replacement hardware.
The judgment, handed down by the federal court last week, declares such costs as decisions taken by the victim, rather than as costs directly incurred from the attack and therefore not claimable under the insurance policy it held.
Only a small subset of costs relating to “blank media” and the copying of data onto that media are deemed claimable under the insurance policy that Inchcape Australia had with Chubb Insurance Australia.
As with all court cases, the decision is, to a large extent, specific to the parties, to the circumstances of the case, and to the specific wording of the insurance agreements.
Much of the case revolved around establishing the meaning of the phrase “direct financial loss resulting directly from”, which appears repeatedly in the insurance policy terms as a limitation to the insurer’s liability.
“It is not any ‘loss’ which is covered. It is only ‘direct financial loss’,” Justice Jayne Jagot wrote in her judgment, adding that the cover “is also subject to the exclusion of any indirect or consequential loss”.
Not ‘incurred by every insured’
But the way “direct” – claimable – and “indirect” – unclaimable – costs incurred by an attack victim were described in the judgment could worry some organisations that think they have adequate cover for cyber incidents.
For “the costs of investigating the ransomware attack and preventing further effects of the attack”, and hardware replacement, the judgment states that “it is not apparent that these costs would necessarily have been incurred by every insured in the same circumstances.”
Gilbert + Tobin Partner Simon Burns saw potential for this part of the judgment to have a broader impact on the interpretation of claimable costs under cyber insurance policies.
“That statement really troubles me because I think you could argue the contrary – that every ransomware attack or every cyber incident is going to be investigated, and if the result of that incident is hardware is effectively bricked, it’s difficult to say that the decision to replace the hardware that was damaged as a result of the attack is an intervening step that breaks the chain of causation and makes that cost an indirect rather than direct loss,” Burns told iTnews.
The judgment does make clear that Inchcape Australia’s policy only “relates to direct financial loss directly resulting from (relevant) things done to electronic data (etc)” and not consequential losses “resulting from damage to or destruction of the insured’s computer systems”.
“The big lesson is if you want to be covered for those actions you should be really clear in the insurance cover and the policy that they’re in there,” Burns said.
“I think you really need to be very express on what is covered and what isn’t, otherwise your cover is going to be very limited as a result of this judgment.”
Burns said much of the case focused on the specific wording of the insurance policy, including its narrow coverage of cyber incidents and the types of costs defined as included or excluded.
“If you read the policy wording, it was very strict and very limited,” Burns said.
“The insurer was really trying to pin [the cost claim] back to the immediate loss, not all the steps an organisation would take that flow from a cyber event.
“I think a dedicated cyber policy would more naturally deal with these things expressly, and they do.”
Wotton + Kearney Partner Kieran Doyle did not see the judgment as a particular cause for alarm, noting the insurance policy Inchcape held did not appear to be cyber security specific.
“For a long time, the insurance market has been talking about this concept of ‘silent cyber’, where cyber touches a range of policies that aren’t designed to cover a cyber risk per se, but there might be a bit of scope creep in the cover able to be accessed via that policy,” Doyle told iTnews.
Specific cyber insurance policies typically cover costs like incident response and forensics. In doing so, insurers also provide specialist expert assistance to investigate the incident and assist with recovery.
“The good news for businesses is that cyber policy does what it says on the tin. It’s fit for purpose,” he said.
“All other things being equal, it should pick up most of the incident response losses that seemingly weren’t covered in the Inchcape matter.
“Policies obviously vary depending on the insurer and their at-risk appetite, but the basic core of the policy and the first clause that gets triggered in almost every cyber incident is the incident response cover.
“Most policies have a purpose-built incident response cover. It’s not just reimbursement cover – it’s immediate access to experts that are selected by the insurer for their specific expertise to help.”
Whether cover extended to hardware replacement would very much depend on the policy, and Doyle said other legal principles would come into play around claims of this nature.
“Beyond incident response, it becomes about the appetite of the insurer and what they’re prepared to cover. A key issue we often come across with insurance in this space is where’s the line when it comes to, say, replacement of systems? At what point is the insured arguably getting a windfall for getting a better system – what we call betterment?
“It’s a core principle of insurance that you’re indemnified for losses, and usually not for getting something better than what you had before. It’s a key issue we see popping up in cyber incident recovery where insurance is involved.”
Doyle noted that cyber insurance is still somewhat in its infancy in Australia – “Hence a case like this”.
He added that cyber insurance is only one component of cyber risk management, and should not be relied upon as the only cyber risk management strategy.
Inchcape Australia was infected by ransomware at the end of 2020.