Complainant loses 'misleading advice' cyber dispute
A cyber-attack victim who alleged their insurer misled them into purchasing replacement equipment for which it was not covered will not be compensated after losing a claims dispute.
The business lodged a claim on July 10 last year after its hardware became encrypted following a cyber breach.
Two days after the claim was lodged, Lloyd’s Australia offered the claimant the services of its cyber breach coach (CBC) “to manage and co-ordinate” responses to the event. The insurer told the complainant that the CBC was not a claims handler and was there to inform them of actions to take to manage the threat.
The CBC advised the business to replace the encrypted hardware “to minimise loss of revenue and maximise operational capacity”.
Lloyd’s Australia partially declined the claim on August 25, saying the affected hardware was would have been covered by the cyber event protection policy’s optional “tangible property” cover, which the claimant did not select when it renewed the policy in February.
The policyholder disputed the claim denial, saying it was advised by the insurer and its representatives not to pay the hacker to regain access to the hardware and instead purchase a replacement.
The business said it was misled to believe the cost to replace the hacked items was covered under the policy and wanted the insurer to reimburse it for money it spent on replacement hardware - amounting to $52,366.
The Australian Financial Complaints Authority (AFCA) said Lloyd’s Australia was entitled to decline the tangible property claim, saying that throughout the claims handling, the insurer informed the client that it did not have the appropriate cover for the loss.
Lloyd’s Australia provided telephone notes from July 13 and email records from August 2 showing that it reminded the complainant it did not have appropriate cover for the lost hardware before the claimant purchased replacement hardware on August 10.
AFCA said it was satisfied that the insurer did not mislead the complainant about the scope of cover or the role of the CBC.
“I have seen nothing that shows the CBC’s recommended actions (in terms of replacing the hardware in order to minimise loss of revenue, and maximise operational capacity) amounted to a confirmation that any such replacement would be covered under the terms of the policy,” AFCA said.
The ruling flagged the policy’s product disclosure statement (PDS) informed the insured that without the optional cover, it would not cover “equipment breakdown, property damage or the cost of replacement of tangible property or equipment”.
It noted the claimant’s admission that it purchased the hardware “quickly to minimise losses and reputational damage”, saying that regardless of the CBC’s advice, it was “more likely than not” that the business would have purchased replacement hardware.
AFCA acknowledged the complainant’s argument that if it did not replace the hardware, it would have been entitled to a claim under business interruption cover but said the cyber victim “took the appropriate steps” in relation to its obligation to mitigate losses.
Click here for the ruling.