Beware - your computer crime policy may not give you the cyber coverage you may expect

INCHCAPE AUSTRALIA LIMITED V CHUBB INSURANCE AUSTRALIA LIMITED [2022] FCA 883

TLDR

The insured could not recover the costs of investigating and preventing a ransomware attack, replacement hardware costs or the costs of retrieving or reconstituting affected data because the relevant insurance policy (a computer crime policy) excluded ‘indirect and consequential loss’ and limited loss or damage to electronic data, media or information to the costs of replacement media and labour costs for transcription and copying.

Background | Inchcape makes a claim under its insurance policy

The Federal Court of Australia has recently considered the construction of an insurance policy taken out by the automotive distributor, Inchcape Australia Limited (Inchcape) [1]. The effect of the decision was that the policyholder, Inchcape, was unable to be indemnified for certain losses it suffered because of a ransomware attack.

Inchcape held a Financial Institutions Electronic and Computer Crime Policy (the Policy) with Chubb Insurance Australia (Chubb). Inchcape claimed indemnity under that Policy for losses it incurred following a ransomware attack on its computer system.  The ransomware attack encrypted its primary server, deleted primary and offsite backups, deployed malicious software to laptops and desktops, and published data from a shared drive on the dark web. The financial losses Inchcape claimed, but could not recover under the Policy, included costs associated with investigating the attack, replacing hardware, additional staffing and data recovery following the attack. 

Background | Relevant provisions of the Policy

The Policy included a number of insuring clauses, three of which were relevant to the contest between Inchcape and Chubb. Those clauses relevantly provided cover for:

  • Insuring Agreement 1 – Computer Systems, “Direct Financial Loss … as the direct result of the fraudulent input of Electronic Data … directly into (1) the Insured’s Computer System; or (2) a Customer’s Communication System; or (3) a Service Entity’s Computer System; or (4) an Electronic Funds Transfer System.” (IA1);
  • Insuring Agreement 2 – Computer Virus, “Direct Financial Loss by reason of the loss resulting directly from the damage or destruction of Electronic Data, Electronic Media or Electronic Instruction … while stored within a Computer System covered under Insuring Agreement 1 …” (emphasis added) (IA2); and
  • Insuring Agreement 3 – Electronic Data, Electronic Media, Electronic Instruction, “Direct Financial Loss resulting directly from: (a) fraudulent modification of Electronic Data, Electronic Media or Electronic Instruction … within any system covered under Insuring Agreement 1 …” (emphasis added) (IA3).

The Policy excluded “indirect or consequential loss of any nature”, and contained a general condition (“Electronic Data, Electronic Media, or Electronic Instruction”) which provided that “In case of loss of, or damage to, Electronic Data, Electronic Media or Electronic Information” Chubb would be liable only if those items were reproduced by other such items and then for not more than the cost of the blank media and the cost of labour for transcription and copying etc (the General Condition). Perhaps indicating the age of some of the policy wording, “Electronic Media” was defined quaintly as including “punched cards” and “punched tapes”. 

The words and concepts of “direct” losses and “indirect” or consequential losses will be familiar to many corporates who use that or similar terminology in other commercial contracts.

Decision

In this decision Justice Jagot addressed questions about the scope of coverage in IA2 and IA3. The Court had previously made orders that questions concerning policy construction should be considered separately. Her Honour substantively considered two of those separate questions:

Question - Is cover under IA2 and IA3 only available if cover is available under IA1?

Inchcape and Chubb took different positions on how the insuring clauses should be construed.

In plain terms, Inchcape argued that IA2 and IA3 were standalone insuring clauses, whereas Chubb contended that the reference in IA2 and IA3 to a “system covered under Insuring Agreement 1” meant that there could be no indemnity under IA2 and IA3 unless IA1 was also satisfied.

Justice Jagot rejected Chubb’s construction, finding that on a natural reading of the insuring clauses the reference to a “system covered under [IA1]” was a reference to the computer systems covered by IA1, not the direct financial loss covered under IA1. The Court considered the reference to the computer systems was nothing more than a drafting convenience intended to avoid repetition of the systems in full, and Chubb’s preferred construction was not supported by the text of the insuring clauses [2].

Justice Jagot also considered the significance of the words “financial institutions” in the title of the Policy. Chubb argued that the Policy was a “financial institutions” policy and that IA1 addressed the most significant risk under such a policy – being loss of funds due to fraudulent interference in computer systems. Her Honour considered that the use of this phrase in the title, and the status of the named Insured in the Policy, was irrelevant to this issue of construction. Even if it were relevant, the significance of the risks covered by IA1 did not exclude coverage of other types of risk [3].

Question - Is the cover available under IA2 and IA3 limited to only the cost of actually reproducing damaged or destroyed Electronic Data (etc)?

Justice Jagot accepted Chubb’s separate contention that its liability under IA2 and IA3 was limited by the General Condition to replacement costs for Electronic Media and labour costs for transcription of Electronic Data. Her Honour found that the opening words of the General Condition, “in case of loss of, or damage to”, were a pre-condition to the engagement of the General Condition and captured all the events that would fall within IA2 and IA3 (which would involve loss of, or damage to, Electronic Data etc). Thus, Chubb’s liability under IA2 and IA3 was limited to the loss specified in the General Condition [4].

Alternatively, if the General Condition did not cover the field and limit all types of liability that could arise for Chubb under IA2 and IA3, it would be necessary to consider whether the types of loss claimed were “direct financial loss resulting directly from” the insured events contemplated in IA2 and IA3. 

Taking into consideration relevant authorities including the concept of “normal loss” drawn from the judgment of Nettle JA in the Environmental and Peerless [5] case, Justice Jagot considered that this phrase (“Direct Financial Loss”) in IA2 and IA3 excluded losses incurred through an intervening event or which would not necessarily and inevitably be incurred by every insured given the occurrence of the insured event. 

Consequently, the Court concluded that in this case, the insurance policy would not respond to any of the following losses, costs or expenses:

  • the costs of investigating and preventing further effects of the attacks;
  • the costs of replacing computer hardware;
  • the costs of retrieving, reconstituting or reproducing data; or
  • the costs of manually processing orders,

because they were not a direct financial loss resulting directly from the insured event [6].

Practical takeaways

This decision underscores the criticality of policy wording. As Justice Jagot observed, insurance policies will often include a level of “overkill” or redundancy in drafting in order to “obliterate the conceptual target” [7]. As a result, the interpretation of such policies can become a complex exercise which has significant implications for the scope of coverage provided. Policy wording is obviously critical to policy response.

Policyholders should consider:

  • the types of costs anticipated to be incurred following a cyberattack (for instance, costs associated with investigating the attack, taking steps to prevent a further attack, replacing hardware, software and data lost or damaged, resourcing and staffing following the attack);
  • the types of costs intended to be insured, and the type of costs which can be absorbed; and
  • whether their insurance policy covers the types of cost they wish to insure. This will involve an analysis of the insuring clauses, and also how loss is conceptualised or defined in the policy and other conditions of the policy.

Policyholders could also consider, and speak with their broker about, purchasing a standalone cyber policy (which may have broader cover than a computer crime policy).

This decision is also a timely reminder that the cover provided by insurance policies is not absolute. In that vein, insurance is one risk mitigation tool. But it is not a substitute for comprehensive and robust cyber security processes and practices, including alignment with an established third-party cyber security standard such as the ISO 27000 series, the NIST Cybersecurity Framework or the ACSC’s “Strategies to Mitigate Cyber Security Incidents”.

At the time of writing Chubb has commenced an appeal of this decision.

Reference

  • [1] Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883.
  • [2] Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 at [10]-[14].
  • [3] Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 at [12].
  • [4] Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 at [21]-[30].
  • [5] Environmental Systems Pty Ltd v Peerless Holdings Pty Ltd (2008) 19 VR 358 at [87].
  • [6] Inchcape Australia Limited v Chubb Insurance Australia Limited op cit at [35]-[49].
  • [7] Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 at [37], quoting Tektrol Ltd v International Insurance Co of Hanover Ltd [2005] EWCA Civ 845 at [16].
