Australian court rules that the insurer is not responsible for the costs of ransomware removal.

Kutl Ahmedia

Victim is still liable.
According to a ruling in an Australian dispute regarding ransomware insurance coverage, the victim, automotive distribution and services company Inchcape, cannot collect expenses it incurred for forensics, incident response, and replacement hardware during the clean-up and recovery from the attack.

According to the federal court's ruling last week, these expenses were incurred by the victim rather than resulting directly from the attack, and were not covered by the insurance policy it carried.

Under the insurance contract that Inchcape Australia has with Chubb Insurance Australia, only a tiny portion of expenses related to "blank media" and the transfer of data onto that media are judged to be claimable.

As in every court case, the outcome depends largely on the parties, the facts of the case, and the precise language of the insurance contracts.

Central to the case was the meaning of the phrase "direct financial loss emanating directly from," which appears repeatedly in the insurance policy conditions as a limitation on the insurer's liability.
"There is no 'loss' that is covered." The cover "is also subject to the exclusion of any indirect or consequential loss," Justice Jayne Jagot stated in her ruling, adding that it only covers "direct financial loss."

However, not "incurred by every insured"

But some organizations that believe they have appropriate coverage for cyber disasters may be concerned about how "direct" and "indirect" costs paid by an attack victim were stated in the judgment.

According to the ruling, it is "not evident that these expenditures would necessarily have been spent by every insured in the identical circumstances" for "the costs of investigating the ransomware attack and avoiding additional impacts of the attack" and hardware replacement.
According to Gilbert + Tobin partner Simon Burns, this section of the ruling may have a greater influence on how claimable expenses are interpreted under cyber insurance policies.

"It's difficult to say that the decision to replace the hardware that was damaged as a result of the attack is an intervening step that breaks the chain of causation and makes that cost an indirect rather than direct loss," Burns told iTnews. "That statement really troubles me because I think you could argue the contrary - that every ransomware attack or every cyber incident is going to be investigated," Burns said.

The verdict does make it plain that consequential losses "coming from damage to or destruction of the insured's computer systems" are not covered by Inchcape Australia's policy, which only "relates to direct pecuniary loss immediately resulting from (relevant) activities done to electronic data (etc)".

The main lesson is that you must be very explicit in the insurance cover and policy that you want to be protected for certain actions, according to Burns.

"Your coverage will be severely limited as a result of this ruling, therefore I truly think you need to be very clear about what is and isn't covered."

According to Burns, a significant portion of the lawsuit centered on the insurance policy's precise wording, particularly the policy's limited coverage of cyber incidents and the categories of costs that were characterized as included or excluded.

According to Burns, the policy's phrasing was "extremely stringent and very constrained."

"The insurance really tried to link [the cost claim] back to the immediate loss, rather than all the actions a company may take as a result of a cyber occurrence.

"I believe that a specific cyber policy would more naturally deal with these issues, which they do."

Silent cyber

Kieran Doyle, a partner at Wotton + Kearney, noted that the insurance policy Inchcape held did not appear to be tailored for cyber security, so he did not regard the ruling as a particular cause for concern.

According to Doyle, "the insurance industry has long discussed the idea of 'silent cyber', where cyber affects a range of policies that aren't specifically meant to cover a cyber risk but may have some scope creep in the coverage that may be accessed through that policy."

Costs like incident response and investigations are often covered by specific cyber insurance policies. In doing so, insurers also offer specialized professional assistance to help with recovery and incident investigation.

"Cyber policy actually accomplishes what it is intended to do, which is fantastic news for businesses. It serves its purpose," he declared.

"If everything else is equal, it should pay the majority of the incident response losses that appeared to be excluded from the Inchcape matter.

"Policies obviously vary depending on the insurer and their appetite for risk, but the incident response cover is the fundamental component of the policy and the first clause that is activated in almost every cyber attack."

The majority of policies include a special incident reaction clause. In addition to payment coverage, there is also rapid access to professionals who have been hand-picked by the insurer for their experience in providing assistance.

The policy would determine in large part whether coverage included replacing hardware, and Doyle noted that additional legal rules would apply to claims of this sort.

"Beyond incident response, it boils down to the insurer's appetite and what they're willing to pay for. Where to draw the line, for example, when it comes to system replacement, is a major problem we frequently have with insurance in this area. When is the insured potentially receiving a windfall for upgrading to a better system, what we refer to as betterment?

"A fundamental tenet of insurance is that you are compensated for losses, not often for gaining something greater than what you already have. It's a significant problem that we frequently encounter in insurance-related cyber incident recovery."

Because cyber insurance is still relatively new in Australia, Doyle stated, "a situation like this"

Cyber insurance is merely one part of managing cyber risks, he continued, and it shouldn't be relied upon as the only method.

Inchcape Australia was hit by ransomware at the tail end of 2020.
