Hacked business wins $90,500 payout under management liability policy
A business has won a dispute over a claim denied by Zurich after hackers accessed its accountant’s email and fraudulently lured payment from a customer.
The Australian Financial Complaints Authority (AFCA) ruled Zurich’s interpretation of its management liability product disclosure document was “unfair in the circumstances, and inconsistent with the intention of the policy” and there was no basis to deny the claim.
The hackers emailed the unsuspecting customer an altered invoice directing payment of $US138,401 ($178,395) to an unknown bank account, rather than to the business' account.
A few days later, the owner, concerned about the missing funds, followed up the payment with the customer and engaged a computer expert, who found the hacker had gained access to the accountant’s email account.
The business recovered just over half the payment from the customer by delivering agreed cargo and then sought the balance - $US61,652 - by lodging a claim under a management liability insurance policy held with Zurich, under the cover section for ‘Crime’.
The claim amount came to just over $90,500 in local currency, calculated using the foreign exchange rate on the date of discovery of the loss.
Zurich denied the claim, saying cover for theft was only intended toward "physical property or cash, rather than cyber theft of a non-physical item through the alteration of an invoice".
But AFCA found “that is not what the policy says” and said Zurich’s interpretation was “unfair”.
“Cyber crimes are specifically contemplated by the policy and I do not accept the wording of the policy reflects an intention to restrict cover to losses of ‘physical’ money or property only,” the AFCA ombudsman said.
“That would mean the policy had limited value or relevance in the current world where business, banking and financial transactions are largely conducted by electronic means."
Zurich also said the business had not established the claimed loss was a direct result of “alteration of any ‘financial instrument’ for a fraudulent or dishonest purpose” as an invoice was not a financial instrument in the same vein as a cheque or draft.
AFCA ruled the loss was defined in the policy wording for financial instruments which covered “cheques, drafts or similar written promises, orders or directions to pay a certain sum of money that are made, drawn by or drawn upon an insured or by anyone acting or purporting to be acting as the insured’s agent”.
The intent of the policy and the “usual and ordinary” understanding of the word invoice meant it was fair and appropriate to treat the fraudulently altered invoice as a “financial instrument”.
“Implicit in the definition is the requirement that the invoice is to be acted upon: it is a direction to the customer to pay. I am satisfied it is fair and appropriate to treat an invoice as a financial instrument for the purposes of the policy,” AFCA said.
“The hacker’s amendment of the invoice, by changing the details of the bank account into which payment was to be deposited, amounts to a material alteration of that financial instrument.”
The policy also “clearly” contemplated losses incurred by actions including computer fraud and other electronic means.
“The complainant has been unlawfully permanently deprived of money by a means which falls within the broad … policy definition of ‘theft’,” AFCA said.
Zurich was directed to calculate the loss in Australian Dollars and pay it, with interest from late 2019.