March 2023

Cyber insurance landscape constantly evolving


By Darren Turnbull*


Insurance is an important tool for businesses to mitigate against the risks of cyber crime.

However, insureds must understand the scope and limits of any cyber insurance they consider purchasing and the cyber risks they face to ensure they are adequately insured for potential losses.

Cyber policy wordings vary widely. Brokers who arrange cyber insurance and fail to take reasonable steps to understand their clients’ needs and instructions for insurance cover, beware.

For insurers, the cyber landscape is constantly evolving and there is a dearth of decisions about the scope and extent of cyber policies, but that is likely to change as cyber crime continues to escalate.

Cyber crimes include:

  • Computer intrusion or hacking, involving unauthorised access to any computer system that targets computer data and information.
  • Malicious software, i.e. programs that perform tasks, often covertly and without detection.
  • Cyber-enabled crimes are criminal acts that can be committed without information communications technology or the internet, but are assisted, facilitated or escalated by the use of technology.


CERT report

Cyber crime has increased massively in recent years. The New Zealand watchdog, Computer Emergency Response Team, in its latest Cyber Security Insights Report (CERT report), says New Zealanders suffered the highest financial loss ever in the three months to the end of September 2022 at NZ$8.9 million. That was up 128% from Q2 2022.

The CERT report confirmed that losses reported to CERT NZ over the previous eight quarters were NZ$36.1 million.

The CERT report said one of the most common scams for businesses was unauthorised access, known as business email compromise (BEC). BEC attackers gain unauthorised access to an email account to conduct malicious actions, such as installing viruses and malware, sending phishing emails, intercepting communications and sending altered invoices or changing payment details to divert otherwise legitimate payments.

For many businesses cyber insurance is an absolute necessity. It is an important tool for professional service firms, such as lawyers, who are vulnerable to attacks because they hold confidential information about their clients’ affairs and client funds on trust. The New Zealand Law Society has published guidance for lawyers on the importance of cyber insurance.


Sensible precaution

Although buying cyber insurance, unlike professional indemnity insurance, is not a strict regulatory requirement, for many firms it is a sensible precaution. Valuable reputational losses are at stake for cyber-crime victims and the damage can be long lasting.

A cyber policy will typically provide a combination of first-party costs and third-party liability cover for cyber incidents, often with specified sub-limits for each.

Insurers seek to limit their exposure by restricting indemnity to financial losses or claims that are the “direct result” of or “result directly” from the cyber event. They often include specific exclusions for indirect or consequential losses. Insurers have denied claims because the claimed loss was not the direct result of a cyber incident.

One of the first reported cases on insurance coverage for a cyber attack was Justice Jayne Jagot’s decision in the Federal Court of Australia in Inchcape Australia Ltd v Chubb Insurance Australia Ltd [2022] FCA 883.

Inchcape sought indemnity for its first party losses arising from a ransomware attack on its computer system under a financial institutions electronic and computer crime policy issued by Chubb.


Causal connection

One question was whether the phrase “direct financial loss resulting directly from” in insuring clauses 2 and 3 included the costs of:

  • investigating the ransomware attack and preventing further effects of the attack
  • replacing computer hardware
  • ancillary tasks to reproduce damaged or destroyed electronic data, electronic media or electronic instruction (as defined), and/or
  • manual processing of orders.

Chubb argued the sums claimed were not sufficiently causally connected to the cyber attack to be regarded as “directly resulting from” the attack, which meant the insuring clauses were not triggered and the consequential losses excluded.

Justice Jagot referred to Australian authorities on the concept of direct causation. She found the words “loss resulting from” as used in the insuring clauses required that the proximate cause of the loss was an insured event. She said the phrase “direct financial loss” in the insuring clauses excluded losses incurred through an intervening event or which would not necessarily and inevitably be incurred by every insured given the occurrence of the insured event. She found the policy did not respond to the losses claimed.

Some policies include cover for social engineering fraud, which is typically defined as a third party impersonating an employee, principal, client or supplier of the insured, which prompts the insured to instruct a financial institution to debit, pay, deliver or transfer money or securities from an account maintained by the insured to that of the third party or another person or entity. It is commonly known as invoice fraud. It is not typically offered as standard cover, but might be an optional policy extension, subject to a sub-limit.


Unauthorised access

Often cyber policies contain conditions requiring organisations to take reasonable steps to avoid circumstances that might result in a claim. An insurer will expect an insured to have taken reasonable care from a security perspective to avoid cyber claims. That may include multi-factor authentication (to make unauthorised access more difficult) and staff training.

Cyber insurance is a developing area of the law. There have been few common law cases that have considered the extent of cover under cyber policies. McElroys is unaware of any common law cases that have decided the liability of a professional for a hacking event because a cyber criminal has gained access to a business’s email or IT systems and is impersonating the professional and/or their client.

However, it is not difficult to envisage liability arising where a professional or business has failed to take reasonable cyber security precautions against foreseeable risks.

*Darren Turnbull is a Senior Associate at the New Zealand firm McElroys. This is an edited version of his original article, which is available here.

Resolve is the official publication of the Australian Insurance Law Association and
the New Zealand Insurance Law Association.