Hacked business loses dispute over cyber cover advice
A business that had its claim for a large 2019 cyber attack denied has lost a dispute in which it accused its broker of breaching its duty of care and failing to procure appropriate cover.
The business said Bovill Risk & Insurance Consultants, which had been its insurance broker since 2013 and annually arranged renewals of its insurance cover, had not properly advised it in regard to cyber insurance.
The Australian Financial Complaints Authority (AFCA) ruled the broker’s actions had not caused any loss, and that the business had not established it would have bought a cyber policy even if it was satisfied with the broker’s work.
“The complainant has not established that, had it been properly advised – which it alleges it has not been – it would have taken out cyber insurance cover,” AFCA said. “Therefore, the broker’s actions cannot be causative of any loss and it bears no responsibility for any loss suffered by the complainant.”
Last year, three years after the cyber attack, the business submitted an initial inquiry with the broker to obtain cyber insurance, which it says was rejected. The broker said that was not correct; rather, an insurer had requested information regarding multi-factor authentication processes but had not been provided with sufficient details.
“The potential insurer was not satisfied that the complainant had sufficient controls in place to be able to qualify for cover,” the AFCA ruling said.
In 2016, years before the cyber incident, the broker had told the business there was “huge benefit” in taking out additional insurance to cover potential cyber attacks. The business elected not to.
At the next renewal, the broker said to make contact should advice regarding forms of insurance other than professional indemnity (PI) be required, and a year after that in 2018 the broker provided a list of insurable risks which included public liability, management liability and cyber insurance.
The business took up the offer of public liability and management liability insurance for the 2018/2019 year, but did not take out cyber insurance.
“The complainant did not seek cyber cover despite the advice; the complainant did not procure cyber cover although it did procure other additional insurances from the list,” AFCA said.
The business was a victim of a social engineering fraud in early 2019 when it made two payments to a fraudster that were intended for its clients. It suffered a loss of almost $500,000.
The business contacted the broker by email a few days later saying “Random one – do you guys offer cover for cyber security etc? We got hacked during the week … wondered whether if there is any such cover available that you can assist with? Pls let me know!”
On the same day, the broker replied: “That’s terrible! We don’t do a whole lot of it but it was part of that email that I shot to you back in November with the list of insurable risks. Leave it with me and I’ll aim to have a quote arranged for you by Monday.”
A claim for the cyber attack was later denied on the basis it related to trading debts, which were excluded from the insurance policy the business held.
In the months after the fraud incident, the broker’s email regarding its forthcoming PI renewal said to make contact if the insured “also wants to have another crack at obtaining the cyber cover and (if so) shoot a form across for that one too”.
In each of the two years after the incident, the broker “expressly asked” the business about cyber insurance but it declined, saying in late 2020 it had changed the way its payments were made via a third party so its risk of fraud was reduced.
The broker responded by again recommending taking cyber cover, saying insurance could be of great benefit for risks such as ransomware which “can be detrimental if all of their files are locked and payment is demanded to unlock them, plus data recovery etc”.
“He (the complainant) said they have an IT guy so he will discuss it with him and get back to me if he wants to explore a quotation,” the broker’s notes stated.
AFCA’s panel of ombudsmen said it was particularly persuaded the broker was not at fault by “the complainant’s inaction regarding availing itself of appropriate cover, assuming it had been available”.