Website redesign not covered after cyber attack

Report proposes 'self-funding' insurance model for export industries

A business owner who tried to claim additional costs under a cyber policy to improve his website after it was hacked has failed to win the full amount sought.

Lloyd’s offered $42,050 as a settlement to repair damages to the website and compensate for a loss of revenue, but the complainant disagreed and sought $64,950 for the claim.

The Australian Financial Complaints Authority (AFCA) determined that the insurer’s settlement was fair but awarded an additional $10,000 to the claimant as aspects of the website repair cost could not be quantified.

An assessor and cyber expert appointed by Lloyd’s said some repair costs were attributed to a website redesign and improving system management, which Lloyd’s said was not covered by the cyber event protection policy.

The experts said the systems were outdated and should have been maintained and updated by the complainant.

Lloyd’s set $20,000 for data restoration and offered to pay for repairs but said it would not cover costs associated with system upgrades to strengthen the website’s security.

AFCA referred to a statement by SP, the website repair team, to say that the insurer did not have to cover some of the work done.

“In order to correct this security compromise, [SP] can help… bring the site up to date with the latest patches for all software used,” SP said.

The panel said the complainant failed to show how the website changes were part of the policy, but the website did require repair work to restore it to its state before the cyberattack.

It reaffirmed Lloyd’s pay $16,540 for repair costs and increased the data restoration contribution to $30,000. It said the increase was because it was not possible to “accurately quantify all individual aspects of [repair] work.”

See also  How far back does a hard credit check go back?

The insurer offered to pay $5760 for business interruption caused by the event, despite no evidence pointing towards that amount. It offered the claimant a forensic accountant to assess the loss of revenue if they believed that the amount was inadequate.

AFCA determined that the amount was fair and that if the complainant disputed the amount, they would have to file evidence within 30 days after the ruling.

The business owner also claimed public relations costs of $22,252 for the damage done to the business’s reputation from the event and an alleged drop in stock prices.

AFCA said it would be fair for the insurer to cover proposed public relations costs of $11,700, involving personalised letters and contact with high priority disgruntled clients, provided evidence of costs incurred was presented.

See the full ruling here.