Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Thursday, August 18, 2022

I Have To Say I Find This A Little Confusing But It Is A Sign Of The Times And You Need To Be Alert!

This appeared last week:

Australian court finds insurer not liable for ransomware clean-up costs

Victim left on the hook.

An Australian lawsuit over ransomware insurance cover has ruled the victim, automotive distributor and services firm Inchcape, can’t claim costs it incurred in the clean-up and recovery from the attack, such as for forensics, incident response and replacement hardware.

The judgment, handed down by the federal court last week, declares such costs as decisions taken by the victim, rather than as costs directly incurred from the attack and therefore not claimable under the insurance policy it held.

Only a small subset of costs relating to “blank media” and the copying of data onto that media are deemed claimable under the insurance policy that Inchcape Australia had with Chubb Insurance Australia.

As with all court cases, the decision is, to a large extent, specific to the parties, to the circumstances of the case, and to the specific wording of the insurance agreements.

Much of the case revolved around establishing the meaning of the phrase “direct financial loss resulting directly from”, which appears repeatedly in the insurance policy terms as a limitation to the insurer’s liability.

“It is not any ‘loss’ which is covered. It is only ‘direct financial loss’,” Justice Jayne Jagot wrote in her judgment, adding that the cover “is also subject to the exclusion of any indirect or consequential loss”.

Not 'incurred by every insured'

But the way “direct” - claimable - and “indirect” - unclaimable - costs incurred by an attack victim were described in the judgment could worry some organisations that think they have adequate cover for cyber incidents. 

For “the costs of investigating the ransomware attack and preventing further effects of the attack”, and hardware replacement, the judgment states that “it is not apparent that these costs would necessarily have been incurred by every insured in the same circumstances.”

Gilbert + Tobin Partner Simon Burns saw potential for this part of the judgment to have a broader impact on the interpretation of claimable costs under cyber insurance policies.

“That statement really troubles me because I think you could argue the contrary - that every ransomware attack or every cyber incident is going to be investigated, and if the result of that incident is hardware is effectively bricked, it’s difficult to say that the decision to replace the hardware that was damaged as a result of the attack is an intervening step that breaks the chain of causation and makes that cost an indirect rather than direct loss,” Burns told iTnews.

The judgment does make clear that Inchcape Australia’s policy only “relates to direct financial loss directly resulting from (relevant) things done to electronic data (etc)” and not consequential losses “resulting from damage to or destruction of the insured’s computer systems”.

“The big lesson is if you want to be covered for those actions you should be really clear in the insurance cover and the policy that they’re in there,” Burns said.

“I think you really need to be very express on what is covered and what isn’t, otherwise your cover is going to be very limited as a result of this judgment.”

Burns said much of the case focused on the specific wording of the insurance policy, including its narrow coverage of cyber incidents and the types of costs defined as included or excluded.

“If you read the policy wording, it was very strict and very limited,” Burns said.

“The insurer was really trying to pin [the cost claim] back to the immediate loss, not all the steps an organisation would take that flow from a cyber event.

More here:

https://www.itnews.com.au/news/australian-court-finds-insurer-not-liable-for-ransomware-clean-up-costs-583681

There was also this:

Good news for ransom payment reimbursement

The tide may be turning for ransom payment reimbursement according to Andrew McCoomb, litigation partner at Norton Rose Fulbright.

For businesses smacked with a cyber attack, paying a ransom largely means never seeing that money again. But in a recent LinkedIn post, McCoomb outlined how he and Norton Rose Fulbright litigation associate Tyler Morrison this week obtained an order for relief from forfeiture for Bitcoin (BTC) reimbursement to be paid to an insurer client.

The client in question paid 11.26024682 BTC ($371,857.60) to high-profile NetWalker affiliate ransomware perpetrator Sebastien Vachon-Desjardins, said McCoomb.

Vachon-Desjardins pleaded guilty to five counts of offences involving extortion, theft of computer data, cryptocurrency ransom payments and criminal organisation activity.  

According to the Ontario Court of Justice, "The Defendant personally profited greatly from these offences; he earned the equivalent of over $600,000 in cash (seized by police), bank balances of over $400,000, and Bitcoin transfers to money spent estimated at $1,755,000, and the value of at least 944 Bitcoins (720 seized and 224 paid in the days leading up to the seizure to invest in NetWalker), worth over $30,000,000 when seized."

Authorities seized over 680 BTC ($22,456,272.40) and $700,000 cash upon his arrest.

“At sentencing, the judge made orders for restitution for a small number of victims covering a small portion of the assets seized. But the criminal code doesn't provide for any exhaustive claims process, and only some victims were given an opportunity to seek to recover restitution,” said McCoomb.

More here:

https://www.digitalnationaus.com.au/news/good-news-for-ransom-payment-reimbursement-583647

Reading closely, for me, there are two lessons.

The first is that, depending on the criticality of the business, proper insurance against ransomware attack may make sense.

The second is that you need to get good advice to make sure you are properly covered against loss!

Simple when you know but you need to stay alert as always!

David.

 
