What does cyber insurance cover?

In Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 the Federal Court of Australia was asked by the insured (Inchcape Australia) whether its Chubb Financial Institutions Electronic and Computer Crime Policy indemnified it for a “ransomware attack” on its computer system which, according to Inchcape, encrypted its primary server, deleted the primary and offsite backups, deployed malicious software to laptops and desktop computers, and copied data from a shared drive and published it on the dark web.

Inchcape claimed that this ransomware attack caused it to incur, and continued to incur, financial losses in repairing and/or replacing hardware, software and data, including investigation costs, hardware costs, resources costs, additional staffing costs, and data recovery costs.

Because the Chubb policy was limited to “direct financial loss” resulting directly from the insured events and not a separate cyber insurance policy covering loss resulting from damage to or destruction of the Insured’s Computer Systems, Justice Jagot determined that the policy did not cover:

• The costs of investigating the ransomware attack and preventing further effects of the attack (incident response) ;
• the costs Inchcape incurred in retrieving or reconstituting the electronic data stolen during the ransomware attack itself;
• The costs of replacing computer hardware including servers, laptops and PCs;
• The costs of “manual processing of orders” (eg business interruption loss).

The policy only covered the cost of actually reproducing damaged or destroyed electronic data as well as all loss said to be Direct Financial Loss directly resulting from physical loss of or damage to electronic data.

What risks should be covered?

Assuming that separate cyber insurance cover is available at a reasonable cost, a business needs to satisfy itself whether or not its insurance covers likely scenarios not involving physical damage such as:

• The insured’s costs of detecting any breach, responding to the incident, negotiating with the offenders, business interruption loss, data and system recovery, hardware damage, new network security, reputational harm including if data is released publicly), any actual ransom payment.
• third-party claims such as damage to devices belonging to employees and contractors, customer privacy breach remediation and compensation, shareholder actions and regulatory reporting, investigations and actions and penalties.

Resources

Actuaries Institute, “Cyber Risk and the Role of Insurance” September 2022

Cyber Security Cooperative Research Centre, “Underwritten or Oversold? How cyber insurance can hinder (or help) cyber security in Australia“.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

The post What does cyber insurance cover? appeared first on Bright Law.