In the decision of Inchcape Australia Limited v Chubb Insurance Australia Limited  FCA 883, the Federal Court of Australia interpreted the terms of an insurance policy in the case of a cyberattack.
The facts of the case include a ransomware attack on Inchcape, destroying the company’s data on its primary server, offsite backup, and implementing malicious code into the business’s computers. Inchcape tried to rely on its insurance agreement to claim indemnity from financial loss suffered due to the ransomware attack. These losses included replacing/repairing damaged hardware, software, and data, as well as costs associated with data recovery, staffing resourcing, and investigating the culprits. The insurance company countered Inchcape’s claim by stating that the losses suffered from the cyberattack fell outside the scope of the insurance agreement.
The Federal Court examined this agreement with particular reference to the element of “directness”. The Court found that the terms of the insurance agreement did cover ‘direct financial loss by reason of loss resulting directly from damage or destruction of electronic data’. However, based on the facts of the case, the Court was not satisfied that the theft of electronic data via ransomware caused any direct financial loss to Inchcape. Moreover, costs for recovering or replacing hardware were not directly linked to the ransomware attack as this involved a secondary decision by Inchcape after the event. Additionally, costs associated with recovering data fell outside the scope of the insurance agreement.
This decision emphasises the specific wording required in an insurance agreement to capture losses suffered from cyberattacks. As such, businesses need to pay close attention to the wording of cyber insurance policies and potentially require further coverage if necessary.
It is yet to be seen whether this decision will be appealed by Inchcape.
Please let us know if you need any assistance with a review of your insurance policies.
For a full reading of the case, see here.