Cybercrime and Cyber Insurance

Cybercrimes are criminal acts committed using the Internet or through access to a computer system or network to facilitate the offences.¹ Cybercrimes include:

1. Computer intrusion, commonly referred to as hacking involving unauthorised access to a computer system, including a desktop, laptop, smartphone, or other device.
2. An attack on a computer system which targets computer data and information.
3. Malicious software which are programmes that perform tasks often discreetly without detection.
4. Cyber-enabled crimes which are any criminal act that could be committed without Information Communications Technology (ICT) or the Internet, but is assisted, facilitated or escalated in scale by the use of technology.

Cybercrime has increased massively in recent years. The latest Cyber Security Insights Report produced by the New Zealand watchdog, Computer Emergency Response Team (CERT) (CERT Report), states that New Zealanders have suffered the highest financial loss ever reported in a three-month period to the end of September 2022 of $8.9 million.² That was an increase of 128% from Q2 2022. The CERT Report confirms that the losses reported to CERT NZ from the previous eight quarters was $36.1 million.

The CERT Report also points out that one of the most common types of scams for businesses are unauthorised access scams involving business email compromise. This is where an attacker gets access to an employee’s email account to carry out malicious actions such as invoice scams, intercepting communications and changing payment details such as the bank account on an invoice.

For many businesses, with cybercrime on the rise and the importance of technology to conduct business, cyber insurance is an absolute necessity. Without question, cyber insurance is an important tool for professional service firms such as lawyers who are prone and vulnerable to attacks because they hold confidential information about their clients’ affairs and client funds on trust. The New Zealand Law Society has published guidance for the lawyers about the importance of cyber insurance.³ Although the purchase of such insurance is not a strict regulatory requirement, as is the case with professional indemnity insurance, for many firms, it is a sensible precaution to take (amongst others). There are valuable reputational losses at stake for organisations which are the victims of cybercrimes, that can cause long lasting damage.

A cyber insurance policy will typically provide a combination of first-party costs and third-party liability cover for the following “cyber incidents” (often with specified sub-limits for each):

1. The insured’s legal liability from any claim as a direct result of the breach of any privacy obligations or the theft of commercially confidential information.
2. System damage which includes the payment of rectification costs to repair or restore the insured’s computer systems or records as a direct result of a cyber event.
3. Business interruption which involves reimbursing the insured for business interruption loss incurred as a direct result of a cyber event.
4. Computer virus transmission and hacking. This provides cover for the insured’s legal liability from a claim for a third party’s financial losses arising directly from a hacking attack or virus that (a) passes through the insured’s computer systems; (b) prevents access to the insured’s computer systems; or (c) results in the loss or theft of the insured’s data.
5. Computer crime. This provides cover for the insured’s loss arising by reason of transferring funds or property as the direct result of the fraudulent modification of electronic data in the insured’s computer systems.
6. Cyber extortion which provides cover for cyber extortion costs arising solely from a security threat.

Cover is often triggered by the making of a claim or the discovery of loss during the policy period. This then triggers an obligation on the insured to notify any known circumstances that might result in a claim or loss that might be covered by the policy.

Insurers seek to limit their exposure by providing that the indemnity is limited to financial loss or claims that are the “direct result” or “result directly” from the cyber event. They often include specific exclusions for indirect or consequential loss. We are aware of cases where insurers have denied claims because the claimed loss was not the direct result of the relevant cyber incident. We discuss one of those cases, a decision of the Australian Federal Court, which considered the direct causal requirement, below.

Some policies include cover for social engineering fraud which is typically defined as the impersonation of an employee, principal, client or supplier of the insured by a third party which prompts the insured to issue an instruction to a financial institution to debit, pay, deliver or transfer money or securities from an account maintained by the insured to that of the third party, or another person or entity. It is commonly known as invoice fraud. This is not typically offered as standard cover, but might be an optional policy extension, subject to a sub-limit.

Often cyber policies will contain conditions requiring organisations to take reasonable steps to avoid circumstances that might result in a claim. An insurer will expect an insured to have taken reasonable care from a security perspective to avoid cyber-claims. This may include multi-factor authentication (to make unauthorised access more difficult) and staff training.

Cyber insurance is a developing area of the law. There have been very few cases in the common law world that have considered the extent of cover under cyber policies. We are not aware of any common law cases which have decided the liability of a professional for a hacking event because a cybercriminal has gained access to a business’s email or IT systems and is impersonating the professional and/or their client. However, it is not difficult to envisage liability arising where a professional or business has failed to take reasonable cyber security precautions against foreseeable risks.

One of the first such reported cases dealing with insurance coverage for a cyber-attack is a recent decision of Jagot J in the Federal Court of Australia in Inchcape Australia Ltd v Chubb Insurance Australia Ltd [2022] FCA 883. In that case, Inchcape sought indemnity for its first party losses arising from a “ransomware attack” on its computer system under a Financial Institutions Electronic and Computer Crime Policy issued by Chubb. One of the questions was whether the phrase “direct financial loss resulting directly from” in insuring clauses 2 and 3 included the costs of: (i) investigating the ransomware attack and preventing further effects of the attack; (ii) replacing computer hardware; (iii) ancillary tasks to reproduce damaged or destroyed Electronic Data, Electronic Media or Electronic Instruction (as defined); and/or (iv) manual processing of orders. Chubb argued that the sums claimed were not sufficiently causally connected to the cyber-attack to be regarded as “directly resulting from” that attack with the outcome that the insuring clauses were not triggered, and the consequential losses excluded.

Jagot J referred to Australian authorities on the concept of direct causation. Her Honour found that the words “loss resulting from” as used in the insuring clauses required that the proximate cause of the loss was an insured event. Further, that the phrase “direct financial loss” in the insuring clauses excluded losses incurred through an intervening event or which would not necessarily and inevitably be incurred by every insured given the occurrence of the insured event. As a result, she concluded the policy did not respond to the losses claimed.

Insurance is one important tool that can be used by businesses to mitigate against the risks of cybercrime. It is important that insureds understand the scope and limits of any cyber insurance they consider purchasing and the cyber risks they face to ensure that they are adequately insured for the potential losses.

Cyber policies do vary widely in their wording. Brokers who arrange cyber insurance and fail to take reasonable steps to understand their clients’ needs and instructions for insurance cover, beware.⁴ From insurers’ perspective, the cyber landscape is constantly evolving. There is a dearth of decisions in relation to the scope and extent of cyber policies, but that is likely to change as cybercrime continues to escalate. Watch this space for further developments!

1. See advice published by the New Zealand Police on its website: https://www.police.govt.nz/advice-services/cybercrime-and-internet/cybercrime
2. See Cert NZ latest quarter three report Cyber Security Insights Report dated 7 December 2022, which can be downloaded from: https://www.cert.govt.nz/individuals/
3. https://www.lawsociety.org.nz/news/legal-news/cyber-insurance-an-increasing-necessity/
4. See the recent decision of Doyle J in the Supreme Court of South Australia on the liabilities of an insurance broker whose inadequate advice led to the insured being under insured for business interruption in Adelaide (SA) Pools & Spa Manufacturing and Installation Pty Ltd and Others v Westcourt General Insurance Brokers Pty Ltd (No 2) [2021] SASC 123.

This publication is intended as a general overview and discussion of the content dealt with. It should not be used in any specific situation, in which case you should seek specific legal advice.