Federal Court rules on Chubb's ransomware dispute

Federal Court rules on Chubb's ransomware dispute | Insurance Business Australia

The Federal Court of Australia (court) has finally released its judgement on a ransomware dispute between insurance giant Chubb Insurance Australia (Chubb) and automotive services firm Inchcape Australia (Inchcape).

The court ruled that the victim, Inchcape, cannot claim costs incurred in the clean-up and recovery from its ransomware attack – such as costs for forensics, incident response, and replacement hardware – because they were decisions taken by the firm rather than costs directly incurred from the attack. Therefore, they are not claimable under the firm’s insurance policy.

However, the court acknowledged that a small subset of costs related to “blank media” and copying data onto the media are claimable under the firm’s insurance policy.

“It is not any ‘loss’ which is covered. It is only ‘direct financial loss’,” Justice Jayne Jagot said, as reported by IT News, adding that the cover “is also subject to the exclusion of any indirect or consequential loss.”

For the costs of investigating the ransomware attack and preventing further impacts on the firm, Justice Jagot said: “It is not apparent that these costs would necessarily have been incurred by every insured in the same circumstances.”

Commenting on the case, Gilbert + Tobin partner Simon Burns said the judgement might have a broader impact on the interpretation of claimable costs under cyber insurance policies.

“That statement really troubles me because I think you could argue the contrary – that every ransomware attack or every cyber incident is going to be investigated, and if the result of that incident is hardware is effectively bricked, it’s difficult to say that the decision to replace the hardware that was damaged as a result of the attack is an intervening step that breaks the chain of causation and makes that cost an indirect rather than direct loss,” Burns said, as reported by IT News.

Meanwhile, Wotton + Kearney partner Kieran Doyle said he does not see the ruling as a particular cause for alarm.

“For a long time, the insurance market has been talking about this concept of ‘silent cyber’, where cyber touches a range of policies that aren’t designed to cover a cyber risk per se, but there might be a bit of scope creep in the cover able to be accessed via that policy,” Doyle said, as reported by IT News.

Insurers have been focusing on battling cyberattacks since the COVID-19 pandemic forced everyone to stay at home. Most recently, global brokerage Gallagher shared tips on handling ransomware attacks.