A recent decision of the Federal Court highlights the importance of policy wording in determining which categories of loss are covered by insurance.
- Following a ransomware attack, the applicant claimed indemnity from the respondent under a Financial Institutions Electronic and Computer Crime Policy (the Policy) with respect to financial loss suffered in repairing/replacing computer hardware, software and data. A coverage dispute ensued about the scope of cover and whether it extended to investigation costs, hardware costs, resources and additional staffing costs, and data recovery costs (Disputed Costs).
- In a trial of separate questions, the Court found that whilst relevant Insuring Clauses were triggered by the attack, cover was limited to the costs of actually reproducing damaged or destroyed Electronic Data, Media or Instruction (as defined). Whilst not determinative of that outcome given other applicable terms of the Policy, the Court’s interpretation of the meaning of ‘direct financial loss resulting directly from…’ in the Insuring Clauses will be of interest to insurers and insureds.
The Insuring Clauses relevantly covered 'direct financial loss resulting directly' from the damage, destruction, fraudulent modification, theft, or acts of a hacker causing damage or destruction of Electronic Data, Media or Instruction (as defined). Justice Jagot was asked to decide whether that cover extended to the Disputed Costs.
Relevantly, Jagot J found that according to the authorities:
- ‘direct financial loss’ is direct loss that flows naturally without intervening cause and which every insured in the same position would suffer. Indirect loss does not so flow; and
- ‘direct’ in an insurance policy means “proximate” which does not exclude a step between the cause and the consequence, but, importantly, that is subject to other terms and conditions of a policy.
Applying these authorities to the Policy, Jagot J found that:
- the phrase ‘loss resulting directly from’ meant loss the proximate cause of which is an insured event, but subject to the requirement that such loss be ‘direct financial loss’;
- therefore, the Insuring Clauses covered ‘direct financial loss a direct (that is, proximate) cause of which is an insured event’ for which ‘the connection required excludes the prospect of any intervening step and losses that would not be necessarily and inevitably incurred by every insured given the occurrence of the insured event’; and
- the cover provided was also subject to an exclusion for any indirect or consequential loss.
On this basis, Jagot J found that the Disputed Costs were not direct financial loss resulting directly from an insured event because the Disputed Costs involved an intervening step taken by the insured, and would not necessarily have been incurred by every insured in the same circumstances. That is, the applicant’s decision to investigate the ransomware attack, replace computer hardware, manually process orders, and incur ancillary costs constituted an intervening step. The Disputed Costs were therefore not direct financial loss resulting directly from the insured event for the purposes of the Insuring Clause and/or were excluded as indirect or consequential loss in any event.
Implications for you
Although the judgment stopped short of providing a clear judicial definition of ‘direct financial loss’ as a standalone term in the context of a first party crime policy, this case helps to unpack the impact of the ‘double direct’ wording in use in cyber and other crime policies (usually accompanied for good measure by an exclusion for indirect or consequential loss). It also highlights the value of triangulation fraud or other similar extensions in some crime policies that provide coverage in circumstances where the insured has incurred an indirect loss such as a liability to another party.
Although policy interpretation will be unique to the specific wording used, it is important to consider how your own policy might respond in similar circumstances, and what loss will actually be covered.