An Australian company has been struck a blow after the Federal Court ruled its insurer was not liable for recovery costs following a ransomware attack.
Automotive distributor and services firm Inchcape lost a lawsuit over a ransomware-related insurance claim, leaving it to foot the costs of several clean-up and recovery measures following a significant ransomware attack.
The firm, which employs more than 1,500 people in Australia, appears to have originally suffered the ransomware attack in 2020, when cyber criminals compromised Inchcape systems and leaked a selection of stolen data on the dark web, including administration information, customer fulfilment and client details.
Since the initial attack, it has been notoriously difficult to find further information online regarding the alleged ransom incident.
However, recent court proceedings released by the Federal Court of Australia provide more insight into the ensuing damages faced by Inchcape.
In a legal dispute between Inchcape and its insurance provider, Chubb Insurance Australia (Chubb), Inchcape argued that Chubb was liable for a range of insurance claims related to the incident, including costs of replacing computer hardware and investigating the ransomware attack, ancillary costs related to the retrieval of electronic data, and the costs of "manual processing of orders".
In an order given by long-serving Justice the Hon Jayne Margaret Jagot, the court concluded the above costs did not qualify as "Direct Financial Loss" under Chubb's policy and insuring agreements.
Only a small portion of expenses pertaining to “blank media” and copying data onto said media have been deemed claimable under the Chubb insurance policy, leaving Inchcape out of pocket for the rest.
Sorting through the semantics
Initially, the court ruling agreed Chubb could have been more explicit in certain sections of its insurance policy, with Justice Jagot stating, "At a conceptual level, the loss of Electronic Data (etc) is not the same as loss resulting from the loss of Electronic Data."
"Furthermore, it would have been easy in general condition 4(i) in respect of Electronic Data (etc), to say 'in case of any loss resulting from loss of, or damage to, Electronic Data,'" Justice Jagot added.
Although this jargon-like observation seems to point out the potentially misleading wording in Chubb's policy, on closer examination the court ruled Chubb's approach was correct, thus invalidating several of the insurance claims requested by Inchcape.
Why did things fall in favour of Chubb?
Much of the decision in this case boiled down to discerning the meaning of a few repeated terms in Chubb's insurance policy: "direct financial loss" and "loss resulting directly from".
Among other things, these terms stipulated coverage for losses in direct relation to damage or destruction to data or media, or loss directly resulting from criminal acts such as robbery, burglary, or "the acts of a hacker causing damage or destruction of Electronic Data, Electronic Media or Electronic Instruction owned by the Insured".
In the resulting orders given by Justice Jagot, the meaning of "direct financial loss" was examined with reference to previous legal cases.
In one such case, Justice Michael Ball stated, "The expressions 'direct financial loss' and 'indirect financial loss' are not terms of art, and their meaning depends on the context in which the issue arises."
The ultimate ruling made frequent reference to the wider context of the insurance policy, and in doing so, determined many of the costs following Inchcape's ransom incident, such as replacement of computer hardware and "reproducing damaged or destroyed Electronic Data", did not qualify as "Direct Financial Loss" under Chubb's policy.
The judgement also stated, "it is not apparent that these costs would necessarily have been incurred by every insured in the same circumstances," indicating the post-incident choices made by Inchcape may have been different for another company, and therefore, so too the costs.
Legal experts have voiced concern over this statement in particular, and its bearing on future interpretation of insurance policies in relation to cyber attacks.
Picking the right policy
Upon further review, Inchcape made its claims under Chubb's Electronic and Computer Crime Policy, rather than its Cyber Insurance policy.
While the purchased insurance does provide cover for losses due to a range of cyber-related activities, such as "the acts of a hacker causing damage or destruction to electronic data or software", it is a distinctly separate policy from Chubb's cyber insurance.
Chubb's web page describes the Electronic and Computer Crime Insurance as "sold alongside Chubb Financial Institutions Bond Insurance for all-round protection against the risks of online crime."
The two products do have a certain degree of overlap; however, Chubb's Cyber Insurance likely could have covered more of the costs related to Inchcape's ransom incident.
SMEs increasingly excluded from insurance
Since the advent of COVID-19, businesses have become increasingly dependent on technology for matters such as e-commerce and remote working, and consequently, cybercrime has become more lucrative.
Given the widespread increase in technology use, particularly in small and medium enterprises (SMEs), attackers are finding more security openings and opportunities to compromise business systems.
The period of 2020 to 2021 saw an increase of 13 per cent in ransomware attacks, which is more than the previous five years combined.
Furthermore, the average ransom pay-out has gone up 71 per cent in 2022, recently recorded at $1,288,867 (US$913,000) according to Palo Alto Networks.
While this increase in ransom attacks has encouraged SMEs to invest in a cyber insurance policy, the simultaneous increase in ransom pay-outs is driving insurers to charge higher premiums and impose stricter limits on their coverage.
An earlier version of this story incorrectly stated Inchcape had cyber insurance. This was not the case. The story has been updated to reflect this.