This case review examines insurance policies covering cyber risks and causation, and the associated "directness" requirement.
Cyber insurance is a speciality insurance designed to protect and mitigate risks to businesses from online or information-technology related threats, and is one of the most effective ways to transfer cyber risk.
Understanding first-party loss insurance
First-party coverage under insurance policies covering cyber risks insulates businesses against the financial impact of a cyber attack by covering a proportion of financial losses resulting from the event. Such financial losses can include the costs of recovering lost or damaged data, the impact of business interruption, crisis communication expenses and/or extortion loss.
However, coverage for first-party losses is not unlimited. Insurers usually introduce limiting words, conditions and exclusions to make clear that indemnity is limited to financial losses that resulted directly from the cyber event, and often include specific exclusions for indirect and consequential losses.
The question of causation, or what is known as the "directness" requirement for covered losses, is important in this assessment.
The directness requirement
Depending on the insurance policy wording, there are varying degrees of the "directness" requirement. The recent Federal Court judgment in Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 is the first Australian judicial decision on an insurance policy wording covering cyber risks (specifically an electronic and computer crime policy) that uses two directness requirements to limit the scope of cover for first-party losses.
In this article, we take a deep dive into the cyber coverage dispute and the Court's construction of the insurance policy's "directness" requirement for first-party losses.
Coverage arguments
The Insured, Inchcape, had taken out a Financial Institutions Electronic and Computer Crime Policy (Policy).
As a result of a ransomware attack, Inchcape incurred financial losses in repairing and/or replacing hardware, software and data, including:
- (a) costs to investigate the ransomware attack and prevent further effects of the attack;
- (b) costs to replace the hardware;
- (c) costs of actually reproducing damaged or destroyed data;
- (d) costs of ancillary tasks in respect of reproducing damaged or destroyed data; and
- (e) manual processing of orders
Note: items (a) to (e) combined constitute Repair and Replacement Financial Losses
Inchcape sought indemnity for Repair and Replacement Financial Losses under the Policy pursuant to two insuring clauses:
-
Insuring Agreement 2: Computer Virus (IA2): Cover for "Direct Financial Loss by reason of the loss resulting directly from the damage or destruction of Electronic Data, Electronic Media or Electronic Instruction owned by the Insured or for which the Insured is legally liable while stored within a Computer System covered under Insuring Agreement 1…"
-
Insuring Agreement 3: Electronic Data, Electronic Media, Electronic Instruction (IA3): Cover for "Direct Financial Loss resulting directly from: (a) the fraudulent modification of Electronic Data, Electronic Media or Electronic Instruction being stored within or being run within any system covered under Insuring Agreement 1, (b) robbery, burglary, larceny or theft of Electronic Data, Electronic Media or Electronic Instruction, or (c) the acts of a hacker causing damage or destruction of Electronic Data, Electronic Media or Electronic Instruction owned by the Insured or for which the Insured is legally liable while stored within a Computer System covered under Insuring Agreement 1."
(Bolding added for emphasis by Lander & Rogers)
Chubb contended that there was no cover for Repair and Replacement Financial Losses under IA2 and IA3 because:
- there can be no indemnity under IA2 or IA3 unless Insuring Agreement 1 - Computer Systems (IA1)1 was also satisfied (Contention 1).
- in the alternative, indemnity under IA2 and IA3 is limited by the operation of General Condition 4(i)2 under the Policy, which confined cover to the cost of the blank media plus the cost of labour for the actual transcription or copying of data which shall have been furnished by the Insured in order to reproduce such data (Contention 2).
- further and in the alternative, the Repair and Replacement Financial Losses are insufficiently direct for the purposes of IA2 and IA3, or are indirect or consequential losses excluded under clause 3(e) of the Policy (Contention 3).
Decision on scope of cover for first-party losses
The Court did not accept Contention 1 but accepted Contention 2 and Contention 3. Firstly, Chubb's contention that indemnity under IA2 or IA3 requires IA1 to also be satisfied was not accepted because although IA2 and IA3 cross-reference IA1 (see underlined words above), that reference is simply to Computer Systems covered under IA1 and not a reference to loss that is covered under IA1 of the Policy.
Secondly, in relation to Contention 2, the Court held that the words "in case of" in General Condition 4(i) mean "in the event of" or "if there has been". As such, the event of loss or damage to Electronic Data, Electronic Media or Electronic Instruction is a precondition to the operation of General Condition 4(i).
Even then, coverage for such loss is limited by - "for not more than" - the cost of the blank media plus the cost of labour for the actual transcription or copying of data to the new Computer System which shall have been furnished by the Insured. On this basis, Chubb’s liability does not extend to the costs Inchcape incurred in retrieving or reconstituting the data as this is an item “which shall have been furnished by the Insured” at its own expense.
Thirdly, Justice Jagot opined that because of her decision on Contention 2, the issue of Contention 3 does not arise. However, if she is wrong on Contention 2, then her Honour's view was that the costs to investigate the ransomware attack and prevent further effects of the attack, costs to replace the hardware, costs of reproducing damaged or destroyed data, and the manual processing of orders are not "Direct Financial Loss resulting directly from…" the insured cyber event (and therefore not covered under the Policy) because they required the intervening step of Inchcape deciding to undertake those steps and costs that broke the direct causal chain.
Concept of proximate cause
The requirement that only direct financial losses that resulted directly from the insured cyber event will be indemnified is not a new or unique concept. The use of such limiting words provides confirmation of the intention of underwriters to limit their exposure by not allowing recovery for indirect or consequential losses (the excluded losses).
However, this is the first judicial decision in Australia considering the construction of such a clause with the use of two directness requirements to limit the scope of cover for first-party losses under a cyber insurance policy.
Applying the relevant Australian authorities on the concept of direct causation,3 the Court confirmed that the concept of proximate cause remains the law in Australia when considering the issue of direct causation. The meaning of "direct" ("direct means direct" causally and temporally or "direct means proximate") as used in the United States was noted by the Court as "interesting but not material".
As such, “loss resulting directly from” as used in IA2 and IA3 means loss the proximate cause of which is an insured event. However, because coverage is further limited to “Direct Financial Loss”, her Honour opined that this means that the cover in IA2 and IA3:
- is for direct financial loss, a direct (that is, proximate) cause of which is an insured event; and
- excludes the prospect of any intervening step and losses that would not be necessarily and inevitably incurred by every insured given the occurrence of the insured event.
Applying the above, it is interesting to note that the Court concluded that the costs to investigate the ransomware attack and prevent further effects of the attack, costs to replace the hardware, the costs of ancillary tasks in respect of reproducing damaged or destroyed data, and the manual processing of orders were not covered under IA2 or IA3 because they were considered:
- not to be direct financial losses resulting directly from the insured events because they required the intervening step of Inchcape deciding to undertake those matters - be it investigating the ransomware attack, replacing the hardware, reproducing the data or manually processing the orders;
- costs that would not have necessarily been incurred by every insured in the same circumstances; and
- costs that are also indirect or consequential losses excluded by cl 3(e) under the Policy.
Implications
As mentioned above, the use of limiting words including the use of two directness requirements in the policy wording to limit the scope of cover for first-party losses is not new.
That said, the Court's decision means careful attention needs to be given to each cost incurred to see whether it meets the precise causation requirement in the Policy.
It remains to be seen whether this decision will be appealed.
1 IA1 provides cover for Direct Financial Loss by reason of the Insured having transferred funds or property as a direct result of fraudulent input of Electronic Data or fraudulent preparation or fraudulent modification of Electronic Instruction directly into Computers Systems.
2 General Condition 4(i) provides that in case of loss of, or damage to, Electronic Data, Electronic Media or Electronic Instruction used by the Insured in its business, Chubb shall be liable under this Policy only if such items are actually reproduced by other Electronic Data, Electronic Media or Electronic Instruction of the same kind of quality and then for not more than the cost of the blank media plus the cost of labour for the actual transcription or copying of data which shall have been furnished by the Insured in order to reproduce such Electronic Data, Electronic Media or Electronic Instruction.
3 *Australian Capital Financial Management Pty Ltd v Australian Financial Complaints Authority Limited* [2021] NSWSC 1577 at [69], [70] per Ball J. *Lasermax Engineering Pty Ltd v QBE Insurance (Australia) Limited* [2005] NSWCA 66; (2005) 13 ANZ Ins Cas 61-643 at [82]–[83], [101]. *Outerbridge t/as Century 21 Plateau Lifestyle Real Estate v Hall* [2020] NSWCA 205; (2020) 102 NSWLR 921.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted. Lander & Rogers is furthermore committed to providing legal advice and content that is factual, true, practical and understandable. Learn more about our editorial policy.