The Insured engaged a third party supplier for assistance in marketing their organisation and gathering donors’ information; including names, emails and phone numbers. The Insured was advised that the third party supplier’s system was breached and data had been lost.
Outcome
The Insured notified DUAL who appointed a law firm to advise in relation to the Insured’s privacy legislation obligations. The Insured did not have to report the incident to the Privacy Commissioner based on individual circumstances and the IT data they had available to them. Payment was made in relation to the legal costs.
Following the sale of 2 properties, the Insured was required to make a payment of $400,000 to their property consultant. On the day the payment was due, the Insured received an email from the consultant advising their banking details had changed.
The Insured requested that this be sent to them in writing on the consultant’s letterhead which they received, including the signature of the director of the consultancy company. The Insured was later chased by the consultant for payment at which time it was discovered that the email and letter had been fraudulent. The Insured contacted their bank to stop the payment and were informed that the money had already been withdrawn and transferred overseas.
Outcome
The Insured made a claim on their Cyber policy which triggered the optional Social Engineering cover. DUAL appointed an IT forensic consultant who identified that the hacker had infiltrated the consultants system and intercepted correspondence between the Insured and the consultancy firm. The Insured was reimbursed for the outstanding funds (capped at the Social Engineering sub limit of $250,000).
We are seeing an increase in Management Liability claims for ‘white collar crime’ and in today’s environment, it is to be expected. Whilst we typically know that some employee crimes are covered under a Management Liability, we thought we would recap some of the other covers available under a typical Management Liability Policy:
Management Liability
Protects the Directors and Officers from claims arising from wrongful alleged acts against the Directors and/or Officers. Coverage is afforded to the Insured, but not limited to:
• Personal liability
• Fines and penalties
• Outside directorships including workplace health and safety
• Automatic unlimited run off for retired Directors
• Investigation and pre-investigation costs
Corporate Liability
Protection for the Company from claims arising from the alleged wrongful acts against the business. Cover includes, but not limited to:
• Environmental violation defence costs
• Defence and fraud
• Work Health & Safety defence costs
• Breach of Contract defence costs
• Tax audit and review costs
• Death or disappearance of named insured director
Employment Practice Liability
• Protects the business from claims for wrongful dismissal or discrimination by past or present employees, customers or suppliers. This includes cover for
allegations made against the insured for discrimination on the basis of sex, race, age, religious beliefs or disability.
Crime
• Protecting the company’s balance sheet from fraud and dishonest activities carried out by employees or third parties.
Statutory Liability
• Protects individuals and the company against fines and pecuniary penalties. This includes defence and investigation costs as well as Enforcement Expenses.
Here is an interesting AFCA Matter Involving Zurich: Hacked business wins $90,500 payout under management liability policy https://www.insurancenews.com.au/daily/hacked-business-wins-90500-payout-under-management-liability-policy
A landlord has won a partial payout during a claim dispute after evicted tenants left broken windows, graffiti and missing taps – although the majority of the damage was ruled to be subject to a policy exclusion for poor housekeeping and unhygienic habits.
We have seen a number of disputes arises over the recent months so it is important you review the wording to ensure you understand the difference between malicious damage and poor living habits by a tenant. The full article we are referencing can be found here: https://www.insurancenews.com.au/daily/nightmare-tenants-unhygenic-lifestyle-not-covered-by-insurance
CFC have kindly shared their latest cyber claim study called ‘Search Engine Set Back.
It tells a story how a hotel’s website was affected by malicious code stemming from a cryptojacking attack, resulting in lower search engine ranking results for the hotel’s website.
The key takeaways are as follows:
• The impact of a cyber event can last longer than we usually think. Many people assume that if your website or other computer systems get taken down or disrupted by a cyber event or system failure, then you only need to restore the affected systems in order to halt any potential business interruption loss. But this claim illustrates that even when a website has been restored to its full functionality, a return to normality is not guaranteed. In this case, the hotel was still seeing lower search rankings and reduced bookings even after the website was cleared of malware.
• The above point is important from a cyber insurance perspective because of the way indemnity periods vary from policy to policy. Some cyber policies will only reimburse policyholders for the financial losses incurred during the period that systems are down (in this case that would be the time during which the website was disrupted by the malicious code). Other policies will reimburse policyholders for the financial losses incurred while systems are down, plus an arbitrary number of days after computer systems are back up and running. And some policies, such as CFC’s, will continue to reimburse policyholders after systems have been restored to their normal functionality, up to the point where policyholders are back in the same financial position that they would have been in had the cyber event or system failure not occurred. This is a key distinction because a business can continue to be affected financially even after its systems have been restored, and any policy that doesn’t cover this could leave the business financially exposed.
• This claim also illustrates the increasing dependence that most modern businesses have on their digital assets, whether that be their electronic data, software programs or websites. In this case, although the hotel wasn’t completely reliant on its computer systems to operate, it did depend on its website for a substantial portion of its bookings. When that site was badly affected by malicious code, the website’s search engine ranking was impaired and the hotel saw fewer bookings as a result. With more and more businesses relying on their digital assets to generate revenue, having a cyber insurance policy in place can provide a valuable safety net in the event that these digital assets are damaged or become inaccessible.
