Complainant loses 'misleading advice' cyber dispute

Report proposes 'self-funding' insurance model for export industries

A cyber-attack victim who alleged its insurer misled them into purchasing replacement equipment for which it was not covered will not be compensated after losing a claims dispute.

The business lodged a claim on July 10 last year after its hardware became encrypted following a cyber breach.

Two days after the claim was lodged, Lloyd’s Australia offered the claimant services to its cyber breach coach (CBC) “to manage and co-ordinate” responses to the event. The insurer told the complainant that the CBC was not a claims handler and was there to inform them of actions to take to manage the threat.

The CBC advised the business to replace the encrypted hardware “to minimise loss of revenue and maximise operational capacity”.

Lloyd’s Australia declined the claim on August 25, saying the affected hardware was covered by the cyber event protection policy’s optional “tangible property” cover which the claimant did not select when it renewed the policy in February.

The policyholder disputed the claim denial, saying it was advised by the insurer and its representatives not to pay the hacker to regain access to the hardware and instead purchase a replacement.

The business said it was misled to believe the cost to replace the hacked items was covered under the policy and wanted the insurer to reimburse it for money it spent on replacement hardware – amounting to $52,366.

The Australian Financial Complaints Authority (AFCA) said Lloyd’s Australia was entitled to decline the claim, saying that throughout the claims handling, the insurer informed the client that it did not have the appropriate cover for the loss.

See also  Munich Re: ~€500m Helene loss dents Q3, to beat full-year profit target despite Milton

Lloyd’s Australia provided telephone notes from July 13 and email records from August 2 showing that it reminded the complainant it did not have appropriate cover for the event before the claimant purchased the replacement hardware on August 10.

AFCA said it was satisfied that the insurer did not mislead the complainant about the scope of cover or the role of the CBC.

“I have seen nothing that shows the CBC’s recommended actions (in terms of replacing the hardware in order to minimise loss of revenue, and maximise operational capacity) amounted to a confirmation that any such replacement would be covered under the terms of the policy,” AFCA said.

The ruling directed to the policy’s product disclosure statement (PDS) that informed the insured that without the optional cover, it would not cover “equipment breakdown, property damage or the cost of replacement of tangible property or equipment.”

It noted the claimant’s admission that it purchased the hardware “quickly to minimise losses and reputational damage”, saying that regardless of the CBC’s advice, it was “more likely than not” that it would have purchased replacement hardware.

AFCA acknowledged the complainant’s argument that if it did not replace the hardware, it would have been entitled to a claim under business interruption cover but said the cyber victim “took the appropriate steps” to its obligation to mitigate losses.

Click here for the ruling.