Bank of New York Mellon (International) Ltd v Cine-UK and other cases [2021] EWHC 1013 (QB)

A person holding a sign

Description automatically generated

Issue: Whether tenants of commercial premises remain responsible to pay their rents despite the enforced closure or inability to trade from their premises because of COVID-19 and COVID-19 Regulations?

The Claimant (Landlord) requested a summary judgment (CPR 14.2)  to be made against the Defendants (tenants) for the rent of three (3) commercial premises that became due during the COVID-19 pandemic. The tenants are Cine-UK Limited (Cine-UK), Mecca Bingo Ltd and Sports Direct.com Retail Ltd. The landlords are Bank of New York Mellon (BNY / Superior landlords) and AEW respectively. The annual rent to be paid in advance by quarterly instalments on the usual days. The tenants claimed that the COVID-19 Regulations meant that public access was restricted to their business premises which eventually led to their closure for substantial periods. As a result, the tenants claim that they did not have to pay all or parts of the rent. The tenants believe they have a real prospect of defending the Claims based on the following reasons: the rent cesser clauses should be construed or be implied so that at least whilst the businesses are closed because of COVID -19 and COVID-19 Regulations and on the assumption that the landlords have insurance, they do not need to pay rent. Alternatively, the landlord is to recover the rent by their insurance. Even if the rent cesser clause did not have such effect by construction or implication, a similar effect could be achieved from suspensory frustration or  an application of principles of supervening event in terms of illegality and or the doctrine of temporary failure of consideration. Finally, such effect could be achieved by an application of Government guidance requiring negotiations and ameliorative measures between landlords and tenants as it relates to the payment of rent during the pandemic.

The landlords’ position is this is a matter of allocation of risk in relation to events that were foreseeable and for which the tenants should have negotiated a cesser clause. They argue that the insurance may cover some liabilities to the landlord but does not extend to covering loss or rent where there are no relevant rent cessation provisions in the leases and the relevant tenants can pay. Therefore, the rent including the value added tax (VAT) and interest continue to fall due despite the COVID-19 Regulations and its effects.

Mecca Bingo and Sports Direct had additional claims concerning mistaken payments and miscalculations which they are seeking to recover, however the details of such claims will not be addressed herein.

Lease Agreements

The leases are written in a standard commercial form, for a defined number of years and after 18 months of closure, the Cine -UK lease would have 12.5 years to run or 2.5 years if the break clause were to be exercised, The Mecca and Sports Direct leases would have another 11 years to run.[1] There were provisions made in each lease for the insurance of specific events including against property loss or damage by insured risks. Equally relevant is the presence of a rent cesser clause in each lease where the property has been destroyed or damaged or access to it denied or the property is unfit for occupation and provided the insurance is not vitiated or payment of insurance monies is not refused as a result of the act or default of the tenant.[2] There is also an extension of cover clause for ‘Murder Suicide or Disease[3] where insurers agree to indemnify the insured for loss of rent resulting from interruption of the business during the indemnity period following any human infectious or contagious disease manifested by any person whilst in the premises or within a 25 mile radius of it.

Issues: Construction of Rent Cesser Clauses

The landlords submit that the rent cesser clause would operate to only suspend rent where the insured risks have caused physical damage or destruction which prevents the premises from being fit for occupation or use.  Conversely, the tenants maintain that the word “physical” was not used, thus they propose that what has happened is damage or destruction even though not of a physical nature. Even if destruction must be physical, damage which is used as an alternative to destruction, need not be.

Master Dagnall held that the usual meaning of the word damage relates to a physical state. The tenants referred to Halbury’s Law[4] definition of “damage” which had a wider meaning representing ‘any disadvantage suffered by a person as a result of the act or default of another…’, however “damage” as used in that context was based on the law of “damages” and not the lease of a property. Additionally, ‘damage or damaged’ was used as an alternative to destruction thus there must be a link to a physical item. Whereas the words ‘damage or damaged’ could apply to nonphysical events, it is imperative that the context in which the words are used is analysed. Throughout the agreement, ‘damage or damaged’ is used with or surrounded by words which connote a physical state for example ‘reinstatement work or physical remediation.’[5]. In any event, ‘it will be a stretch of the definition of the words “damage or damaged” if it should include nonphysical disadvantage as suggested by the tenants.’[6] Master Dagnall reasoned this would ‘introduce a modern colloquial meaning into standard form documents’[7].

The rent cesser clause is subject to the requirement that the inability to use the premises must be caused by physical damage or destruction and not a mere inability to use the premises without more. The real subject of the insurance is the property of the landlord, that is the ‘brick and mortar’, in other words the physical property rather than the ‘effects on the trade’.[8] Accordingly, the rent cesser clause will operate where the closure to the insured property is due to physical damage or destruction, it is not sufficient for it to be in consequence of closure without physical damage or destruction.[9] In concluding on this issue, the court agreed with the landlords’ that the rent cesser clause is only triggered by physical damage or destruction to the insured premises. This is also the natural meaning of the words ‘damage or damaged’ used on their own or in the context of the agreement.[10] Furthermore, this interpretation is consistent with a possible commercial purpose and in line with the ‘brick and mortar’ aspects of the provisions.

Implication of the Rent Cesser Clauses

Master Dagnall acknowledged that it would be fair and reasonable to imply the rent cesser clause as proposed by the tenants. Yet, it might be prejudicial to the insurers who may not have contemplated this liability when they agreed the premium even though it is their responsibility to consider both the expressed and implied terms of the relevant lease.[11]

There is no warranty in the leases that the premises can always be utilised for its permitted use but the obligation to pay the rent remains unless the parties agree otherwise. Moreover, if the parties intended for the rent cesser clause to operate where there is nonphysical damage, the parties should have expressly provided for this in the agreement. As such, the court agreed with the landlords’  that the lease sets out all the circumstances under which the rent cesser clause would apply including where an insured peril has occurred. Even though COVID-19 and COVID-19 Regulations may be unprecedented, in respect of SARS and the consequent fears, it is not convincing that COVID-19 and COVID-19 Regulations were unforeseeable.[12] The case is not fit for an ‘Aberdeeen implication’, because it is not clear what both parties would have intended if they were notified of the potential of and had considered COVID-19 and COVID-19 Regulations.[13]  Based on the foregoing, Master Dagnell concluded that the tests for implication of the rent cesser clause proposed by the tenants was not met, therefore they do not have any real prospect of success for summary judgement on this issue.

Tenants’ reliance on the Insurance

Master Dagnall agreed with the landlords that the insurance policies do not compel the insurers to pay the landlords the outstanding rent where the rent cesser clause does not operate.[14] The court’s decision is influenced by the following points[15]:

  1. Without the operation of the rent cesser clause (no physical damage), the landlords who are the insured have not suffered any loss of rent.
  2. The landlords’ construction was in accordance with policy wording, particularly ‘the Murder, Suicide or Disease extension’. The policy provides that the insurer will indemnify for the loss of rent, which has not occurred. The loss to the landlords must have been due to the interruption of the landlords’ businesses which in the circumstances have also not occurred.  If the premises were vacant and could not be leased due to COVID-19, that could have been reasoned differently but those were not the facts before the court.
  3.  Even if damage could be extended to nonphysical loss, the other requirement mentioned in i. and ii. above must be satisfied.
  4. The commercial purpose of the insurance taken out by the landlords is to insure against the operation of the rent cesser clause which would have been a loss to them. If the tenants wanted to be protected in these circumstances, they would need to negotiate a wider rent cesser clause or alternatively purchase a separate business interruption insurance policy.
  5. The Mark Rowlands v Bermi[16] and Frasca-Judd v Golovina[17]. line of authority[18] relied on by the tenants was not accepted as directly on point. They are not concerned about what is covered by the insurance but with whether the insurance as it exists can be extended to protect the interests and loss of the tenants. Rather than being concerned about the liability for rent, it is concerned about the liability for remediation costs.
  6. Any suggestion that a clause be implied into the insurance policy that rent would be covered in the absence of a rent cesser clause cannot be accepted as either obvious or necessary for business efficacy. The insurance policy is well drafted and contains clauses specifically detailing the allocation of risks. Furthermore, the insurance is chiefly to protect the landlords against loss and to imply such a clause would be in contract with rules of implication.

Interpretation of the Insurance Provisions

Another point raised by the tenants is the breach of the insurance contract by the landlords who sought insurance coverage against COVID-19 and COVID-19 Regulations but not the sums equivalent to rent that would be loss from the closure or inability to use their premises. Additionally, the tenants insist that since they pay the premium for the insurance, they have the right to benefit from the insurance through cover for the rent.[19] The leases define COVID-19 and other diseases and Basic Rent as an ‘Insured Risk’ as such the tenants reasoned that since they pay for the insurance, it makes sense that when there are resultant closures, the insurer will pay for the rent or its equivalent. The landlords disagreed. They are of the view that this issue is governed by the rent cesser clause which describes when rent is payable following an insured risks which will eventually determine when the insurance covers the rent.[20]

Master Dagnall agreed with the Landlords ‘that the inclusion of something as an insured risk does not mean the landlord must include a clause in the insurance for the insurer to pay three (3) years of rent if the insured risk occurs and cause the closure of or prevented the permitted use of the premises.’[21] The fact that the tenants indirectly pay for the insurance does not mean the insurance must be tailored to benefit the tenants as suggested by implying such a term. The court also dismissed the notion that the implied term was required to give the lease business efficacy. The lease works well without the implied term. It provides for insurance against rent where a rent cesser clause applies in some instances and not in others. The tenants could have insured themselves against this risk by purchasing a separate and more appropriate insurance policy.

Frustration

Some of the tenants (Sports Direct, Mecca and Cine – UK) argued that there was a temporary frustration of their lease during the periods of lockdown hence rent not being payable during those periods. The landlords countered by stating there has been no frustration since ‘temporary frustration’ does not exist in law.  Master Dagnall considered and applied National Carriers v Panalpina[22] and The Sea Angel[23]and held that the principle of frustration does apply to leases. Closure of the premises due to events outside the control of the parties is a supervening event, thus being capable of causing frustration of the lease but only on rare occasions. The relevant question is whether ‘the situation has become so radically different that the present situation is outside what was the reasonable contemplation of the parties so as it to render it unjust for the contract to continue?’[24]  

COVID-19 and COVID-19 Regulations could qualify as a supervening event but in light of SARS, they were foreseeable but unprecedented.[25] While it was not reasonably expected by commercial people that the lockdowns would last for more than eighteen (18) months, there was significant amount of time remaining in each lease (Cine -UK another 12.5 years to run or 2.5 years if the break clause were to be exercised and Mecca Bingo and Sports Direct another 11 years each)  in relation to the period of closure due to COVID-19 and COVID-19 Regulations. For this reason, there was no ‘radical difference’ nor was it unjust for the leases to continue bearing in mind their terms and the allocation of risks. There was no frustration of the leases. As for the tenant’s contention that the Sports Direct lease was temporarily frustrated, Master Dagnall rejected the tenant’s claims and agreed with the landlords that there is no such doctrine as temporary frustration in law. Frustration by definition and effect means the discharging and ending of the contract without the possibility to revive it hence it cannot be suspended.

Illegality

The tenants claim as well that they are relieved from their obligations to pay rent under the lease as its performance has become impossible based on its illegality. The landlords responded by agreeing that this is possible, however of no benefit to the tenants since it is not illegal for them to pay rent. It was held that the suspension of an obligation that is illegal does not excuse another obligation which is not interdependent or conditional upon the former. A suspension of the rent will only be allowed if a rent cesser clause can be invoked, however the tenants have failed to do so. Illegality of an obligation would not excuse the tenants from their obligation to pay rent.

Failure of Consideration

The final point raised by the tenants is that they are relieved from their obligation to pay rent due to partial failure of consideration arising from their inability to operate from and use the premises as permitted. Master Dagnall accepted that the tenants may successfully establish that they cannot trade from the premises as permitted by their lease however he refused to accept that would relieve the tenants of their obligation to pay rent. Moreover, ‘partial failure of consideration’ is not a separate principle; It is related to or dependent on a relevant principle of contract law, which the tenants have failed to establish.[26] The inability of the tenants to use the premises as permitted is not necessarily a ‘partial failure of consideration, instead it is an unexpected occurrence which means the leases are not as beneficial to the tenants as initially expected.[27] The landlords did not breach the contract and there was no provision for the rent to be suspended except for the limited circumstances provided for the application of the rent cesser clause. Based on the foregoing, the tenants were unable to rely on to COVID-19 or COVID-19 Regulations to counter claims against them for rent incurred during the period of interruption. The tenants must continue to pay the rent even for the period in which they could not use the premises as permitted because of COVID-19 and COVID-19 Regulations.

Comments

Bank of New York Mellon (International) Ltd v Cine-UK and other cases is among the recently decided cases addressing business interruption claims arising from COVID-19 and COVID-19 Regulations. It reveals to contractual parties, businesses, and insurers that an interruption to businesses caused or arising from COVID-19 and COVID-19 Regulations on its own may not be sufficient to successfully claim for business interruption and to compel the insurers to indemnify an assured for their loss. As demonstrated in this case, the legal obligations between a tenant and landlord will not change because of interruption to the business caused by COVID-19 and COVID-19 Regulations as this is not the fault of either party. It is important for tenants and landlords to recognise that the terms of the lease and insurance policies will determine the allocation of risks and that rent will only be suspended in accordance these terms and the scope of a rent cesser clause where expressly provided.  The same is true for the interpretation of insurance clauses. Though an insurance policy may contain a business interruption clause or extension clause on ‘diseases’ that is wide enough to include COVID-19, the scope of its application will be limited based on the surrounding words of the clause. Therefore, if as in this case, the business interruption clause requires there to be ‘damage or destruction’ and there is no physical damage to property at the insured premises, the assured will not recover for loss merely because COVID-19 disrupted their business and caused financial or other nonphysical loss.

The context and surrounding words within which the clauses are written are very important to aid with their construction and it should not be assumed that ‘damage’ will take a wider meaning to cover nonphysical loss simply because COVID-19 is widespread and has affected many businesses. The identical concerns apply to the treatment of an extension clause on ‘diseases’ which for example covers COVID-19, its application to a scenario will depend on the other words or requirements of the clause and what makes commercial sense. COVID-19 Regulations have also not prohibited landlords from requesting the rents from tenants who can afford to pay, in fact the parties are encouraged to arrive at ameliorative settlements and where possible continue to meet their obligations under the lease.  It will be difficult for a court to allow a rent cesser clause to implied into a lease written on a standard form if the test of obviousness and necessity are not satisfied. It is also difficult because standard clauses are usually well drafted, without errors, and deemed to have considered all possible circumstance.

A successful claim for frustration of a lease due to COVID-19 and COVID-19 Regulation is possible. However, what is of value is comparing the period of interruption with the outstanding period of the lease and then determine whether there has been such radical difference in the subject of the agreement that it would be unfair to continue the lease. Merely relying on the occurrence of COVID-19 and the length and extent of the lockdown are not adequate to satisfy this claim. Interestedly, Master Dagnall analysis throughout the judgment in relation to the issues raised were resolved by applying settled principles of law, thus we must be reminded that COVID-19 has not changed the fundamental principles of contractual interpretation, the law of frustration, law of implication and the obligations under a lease agreement. Nonetheless, the specific words of a clause, contract or insurance policy and their interpretation will be the key towards the success or failure of a claim involving COVID-19. More importantly, tenants and other business owners must ensure their business interruption policies and rent cesser clauses are drafted to make provision for loss due to nonphysical damage and loss of turnover.


[1] para 36.

[2] para 43.

[3] para 59.

[4] Volume 29 para 303.

[5] para 120.

[6] Ibid.

[7] para 120.

[8] [2021] EWHC 1013 (QB), para 126.

[9]ibid.

[10] para 127.

[11] para 140.

[12] para 148.

[13] Ibid.

[14] para 167.

[15] para 168.

[16] [1986] QB 211.

[17] [2016] 4 WLR 107.

[18] Essentially, the principle is that in a contractual relationship of landlord and tenant, where a landlord is indemnified by an insurer, the landlord cannot seek to also recover from the tenant in either contract or tort, otherwise that would effectively be double indemnity. The insurance taken out is to benefit both the tenant and the landlords.

[19] [2021] EWHC 1013 (QB), para 173.

[20] para 177.

[21] para 179.

[22] [1981] AC 675.

[23]  [2007] EWCA Civ 547.

[24] [2021] EWHC 1013 (QB), para 209.

[25] ibid.

[26] [2021] EWHC 1013 (QB), para 221.

[27] Ibid.

Nineteen years on — the Prestige saga, continued

Nearly twenty years after the VLCC Prestige broke up and sank off the Galician coast, spreading filth far and wide, Spain and France remain locked in battle with the vessel’s P&I club Steamship Mutual. Put briefly, they want to make Steamship pay out gazillions on the basis of judgments they have obtained locally on the basis of insurance direct action statutes. Steamship, by contrast, refers to the Prestige’s P&I entry, and says that both states are bound by “pay to be paid” clauses and in any case have to arbitrate their claims in London rather than suing in their own courts.

The background to the latest round, The Prestige (Nos 3 and 4) [2021] EWCA Civ 1589, is that Steamship, having got a declaratory arbitration award in its favour substantiating the duty to arbitrate, which it has transmuted into a judgment under s.66 of the Arbitration Act 1996, now wants to take the battle to the enemy. It wants (a) to commence another arbitration claiming damages for breach of the original arbitration agreement, reckoned by the damages and costs represented by the court proceedings in France and Spain; (b) damages for those states’ failure to abide by the declaratory award; and (c) damages for failure to abide by the s.66 judgment. Spain and France resist service out on the basis that they are entitled to state immunity, and that the claims based on the award and the judgment must in any case fail.

The High Court held, in two different proceedings (see here and here), that sovereign immunity did not apply; that claims (a) and (b) succeeded; and that claim (c) failed because of the effect of the insurance provisions in what is now Articles 10-16 of Brussels I Recast (this being, of course, a pre-Brexit affair). Both sides appealed, and the appeals were consolidated.

On sovereign immunity the Court of Appeal have now sustained the judgment of non-applicability and as a result allowed claim (a) to go ahead. They have equally upheld the first instance judgment against Steamship on claim (c): although in name a claim under a judgment this is, it says, still in substance a claim by an insurer against its insured which, under what is now Art.14 of Brussels I Recast, can only be brought in the domicile of the latter. On claim (b), however, it has held (contrary to an earlier suggestion in this blognostra culpa, we can’t be right every time) that while the jurisdiction rules of the Brussels regime do not stand in the way, the claim is bound to fail. The award being merely declaratory, there can be no duty to perform it because there is nothing to perform, and hence no liability for disregarding it.

The arbitration will now therefore go ahead. Assuming it leads to an award in Steamship’s favour, Steamship will then no doubt seek New York Convention enforcement and/or get a s.66 judgment which they will oppose to any attempt by France and Spain to get judgment here, and doubtless also try to weaponise in order to get their Spanish and French costs back. (Meanwhile they may rather regret not having asked in the original arbitration proceedings for a positive order not to sue in France or Spain, rather than a mere declaration: but that’s another story.)

There’s little to add at this stage. But there is one useful further confirmation: s.9 of the State Immunity Act, removing state immunity in the case of a written agreement to arbitrate, applies not only to a direct contractual obligation to arbitrate, but also to an indirect duty to do so Yusuf-Cepnioglu-style. Useful to know.

Will France and Spain now come quietly, thus putting an end to this saga (which has already appeared in this blog here, here, here, here and here)? It’s possible, but We’re not betting. We have a sneaking suspicion that the events of November 2002 may well continue to help lawyers pay their children’s school fees for some little time yet.

Dock brief

In July last year we noted the holding of Teare J that Holyhead Marina came within the dock-owner’s right to limit liability under s.191 of the Merchant Shipping Act 1995. The issue arose because the Marina faced multiple claims from yacht owners following devastation wrought by Storm Emma in 2018.

We approved then, and are happy to say that the Court of Appeal does now. Today in Holyhead Marina v Farrer [2021] EWCA Civ 1585 it confirmed Teare J’s conclusion that while not a dock, the Marina was a landing place, jetty or stage (which are included in the definition of places entitled to limit), and that there was no reason whatever to limit the entitlement to purely commercial port facilities. ‘Nuff said. Marina owners can breathe a sigh of relief, while hull insurers no doubt will mull putting up rates yet again on yachts to mark the loss of another source of subrogation rights.

Extent of The Right of Subrogation in Insurance Law  

Sompo Insurance Singapore Pte Ltd v. Royal & Sun Alliance Insurance Plc [2021] SGGC 152

.

Singapore Marine Insurance Act 1994 (which is based on English Marine Insurance Act 1906) s. 79(1) stipulates (emphasis added):

Where the insurer pays for a total loss, either of the whole, or in the case of goods of any apportionable part, of the subject-matter insured, he thereupon becomes entitled to take over the interest of the assured in whatever may remain of the subject-matter so paid for, and he is thereby subrogated to all the rights and remedies of the assured in and in respect of that subject-matter as from the time of the casualty causing the loss.

The question in this case was: “does an insurer’s right of subrogation extend to the right to call upon a performance bond issued to the assured?”  

The facts can be summarised as follows: In December 2013, the Government of Singapore entered into a contract with Geometra for the transport of military cargo. It was a condition under the contract that Geometra would provide an unconditional performance bond for 5 % of the contract price. This was satisfied by Sompo issuing a bond in favour of the Government.

The Singapore Government also purchased an insurance policy from RSA with regard to this shipment against the risk of loss or damage to cargo. When the cargo was damaged during transport the Government sought and obtained indemnity for the loss from RSA, which then commenced a subrogated recovery action under s. 79(1) of the Act and called on the performance bond issued by Sompo. To this end, RSA’s lawyers wrote to Sampo and made a demand on the bond “on behalf of the Government of Singapore”. Sampo refused the call and the matter was then litigated. In the District Court, RSA secured a judgment in its favour. Sampo appealed the decision to the High Court.

One of the arguments put forward by Sompo was that the bond had ultimately expired as it was not called upon by the Singapore Government. This point was easily disposed by the High Court on the ground that the letter of the RSA’s lawyers was in effect written “on behalf of Singapore Government” as they acquired the right to wear the shoes of the assured, in this case the Government, pursuant to their right of subrogation.

The main discussion was whether the insurer’s right of subrogation extended to the right to call on the performance bond.  The High Court had no doubt that it did. Philip Jeyaretnam JC confirmed that the common law principle of subrogation grants an insurer the entitlement to every right the assured has to recover in respect of a loss including the right to call on a performance bond.    

The judgment is not only in line with the wording and ethos behind s. 79(1), but is in accord with the case law on the subject especially Castellian v. Preston (1883) 11 QBD 380; London Assurance Corp. v. Williams (1892) 9 TLR 96 and more recently England v. Guardian Insurance Ltd [2000] Lloyd’s Rep IR 409. Moreover, it would have been incongruous to hold that insurers are entitled to pursue subrogated recoveries against the person responsible for the loss but not use all rights and remedies that the assured would be able to pursue for recovery including calling on performance bonds. It is very likely that a similar judgment would have been delivered, had the case been litigated in England & Wales.

Misrepresentation in Procuring Insurance- Avoidance or Not?  

Jones v. Zurich Insurance [2021] EWHC 1320 (Comm)

When obtaining insurance cover for his Rolex watch in May 2018, Mr Jones made a representation to the insurer (Zurich), through his insurance broker, that he had not made any other insurance claim in the previous five years. This was not accurate as Mr Jones had previously claimed for a lost diamond in 2016.

Mr Jones put forward an insurance claim for loss of his beloved Rolex watch (valued at £ 190,000), said to have come off his wrist while skiing. The insurer turned down the claim on the basis that Mr Jones made a misrepresentation on his claim history and it would not have written the policy, or would have written it on materially different terms, had the true state of affairs been disclosed (s. 2(2) of the Consumer Insurance (Disclosure and Representation) Act (CIDRA) 2012). In the alternative, the insurer argued that if it had known the true state of affairs, it would have charged a substantially higher premium and the claim should be reduced proportionately. The insurer did not plead that the misrepresentation was “deliberate or reckless”.

His Honour Judge Peeling QC had no hesitation in holding that the assured failed to take reasonable care not to make a misrepresentation to the insurer when questioned about his claim history and he was also satisfied that the insurer could avoid the policy as it managed to demonstrate that it would not have entered into the insurance contract at all had it been aware of the previous claim made in 2016 for a lost diamond. In reaching this decision, the judge considered expert evidence from underwriters. Both experts agreed that some underwriters might accept this particular risk at higher premium and others would refuse to underwrite altogether, but different in emphasis as to how usual a refusal to underwrite would be. However, what ultimately swayed the judge was the fact that the underwriter (Mr Green) had expressed concern in his written notes about the jewellery element of the cover. He also stated in his evidence that “the answer to whether or not there had been ant previous claim was extremely significant to my assessment of the risk… it was already a case which was borderline declinature… it’s just not one which would fit our underwriting strategy.”. The judge accepted his evidence.

The judgment makes clear that the burden of proof on the insurer to establish that it would not have entered into an insurance contract is a high one but can certainly be satisfied especially in cases where underwriters could present to judge written notes confirming their hesitancy to take the risk in the first instance supported by reliable expert evidence. The relevant underwriter’s contemporaneous notes and records giving clues about his thought process at underwriting stage as well as copes of e-mails and documents provided by the assured and his broker were very helpful to advance the insurer’s case.       

The case was considered under the CIDRA 2012 (as this was personal insurance) but it is certainly a good illustration as to how the judges might interpret certain parts of the Insurance Act (IA) 2015 since CIDRA 2012 and IA 2015 share similar provisions (i.e. both of these legal instruments allow an insurer to avoid the policy for misrepresentation if the insurer can demonstrate that the misrepresentation was “deliberate or reckless” or “the insurer would not have underwritten the policy on any terms had there been no misrepresentation”).    

“Inducement” Requirement for Non-Disclosure and/or Misrepresentation Further Clarified

What if the insurer ends up charging less premium and non-disclosure of material facts is a contributory factor? Could it be said in that case that inducement is established as a matter of law? This was essentially the thrust of the insurer’s appeal in Zurich Insurance plc v. Niramax Group Ltd [2021] EWCA Civ 590 against the judgment of Mrs Justice Cockerill, J (which also was reported on this blog last year). Reminding readers the facts briefly: the assured ran a waste collection and waste recycling centre and obtained an insurance policy from the insurer in December 2014. In September 2015 a fixed shredding machine, known as Eggersmann plant, was added to the policy with an endorsement. On 4 December 2015, a fire broke out at the assured’s premises and the Eggersmann plant along with the other plant was destroyed. The assured made a claim, which, at trial was valued at around £ 4.5 million, under the Policy. The majority of the claim related to the loss of the Eggersmann plant, which was valued around £ 4.3 million. The insurer refused to pay stating that the assured’s non-compliance with risk requirements under the buildings policy with another insurer and the fact that special terms under that policy were imposed on the assured were materials facts which needed to be disclosed under s. 18(1) of the MIA 1906. Mrs Justice Cockerill agreed that these were material facts and needed to be disclosed. However, it was held that the insurer failed to demonstrate that, if the facts had been fully disclosed, the original Policy for the plant (effected in December 2014) would not have been renewed. On the other hand, the insurer was able to demonstrate that, if the facts had been fully disclosed (especially imposition of special circumstances for the assured company by another insurer), the extension of cover for the Eggersmann plant would have been refused. Accordingly, it was held that the insurer was entitled to avoid the cover for the endorsement under the Policy and no indemnity was due for the loss of the Eggermanns plant.  Otherwise, the original Policy stood and the insurer was bound to indemnify the assured for the items of mobile plant which were covered by the original Policy (as renewed in December 2014) and damaged in the fire.

On appeal, the assured was essentially arguing that they should have been allowed to avoid the original policy as well as the Eggersmann endorsement as they ended up charging less premium as a result of the assured’s non-disclosure with regard to special conditions imposed on them by another insurer due to non- compliance with risk requirements. Before evaluating the legal position on “inducement”, it is worth highlighting facts that led the insurer to charge premium less than it would have normally done. When rating risks, the particular insurer normally apply a “commoditised and streamlined” process that take into account three aspects, namely the amount of the cover, the nature of the trade, and the claims experience. A junior employee of the insurer when entering these variables, instead of categorising the risk as waste, with an automatic premium of 6 %, categorised it as contractor’s portable plant, with a premium of 2.25, to which a loading of 40 % was applied. The argument of the insurer is that if full disclosure had been made, the risk would have been referred to the head underwriter who would have noticed the mistake and accordingly priced the premium correctly. The non-disclosure therefore fulfills a “but for” test of causation in that it provided the opportunity for a mistake to be made in the calculation of premium that would not otherwise have been made.

Popplewell, LJ stressed in his judgment, at [30], that

“in order for non-disclosure to induce an underwriter to write the insurance on less onerous terms than would have been imposed if disclosure had been made, the non-disclosure must have been an efficient cause of the difference in terms. If that test of causation is not fulfilled, it is not sufficient merely to establish that the less onerous terms would have not been imposed but for the non-disclosure.”                            


To support this finding, he made reference to several legal authorities, including the judgment of the House of Lords in Pan Atlantic Insurance Ltd v. Pine Top Ltd [1995] 1 AC 501, but perhaps the words of Clarke, LJ, in Assicurazioni Generali SpA v. Arab Insurance Group [2002] EWCA 1642, at [62] emphasised in the clearest fashion the accurate legal position:

“In order to prove inducement the insurer or reinsurer must show that the non-disclosure or misrepresentation was an effective cause of his entering into the contract on the terms on which he did. He must therefore show at least that, but for the relevant non-disclosure or misrepresentation he would not have entered into the contract on those terms. On the other hand, he does not have to show that it was the sole effective cause of doing so.”

 The Court of Appeal’s judgment in the present case, and the line of authority on the subject of inducement, is a good reminder that in most cases if an insurer cannot satisfy the effective cause test he will also be unable to satisfy the “but for test”. But the opposite is not always true. There could be cases, like the present one, where it is possible to satisfy the “but for test” but the non-disclosure or misrepresentation could still not be the effective cause leading the insurer to enter into the contract on the terms it did. Here, the reason for the insurer charging less premium for the risk underwritten in December 2014 was the error of the junior employee mistakenly categorising the risk. The insurer has, therefore, failed to prove that non-disclosure of the condition imposed by another insurer had any impact on the premium charged or the decision to insure the assured. Accordingly, the judgment of the trial judge on this point (lack of inducement to enable the insurer to avoid the original policy) was upheld.

The case was considered under the Marine Insurance Act 1906 (s. 18). The law in this area was reformed by the Insurance Act 2015 especially with regard to remedies available in case of breach of the duty to make a fair representation. There is no indication, however, that the law reform intended to alter the “inducement” requirement (and in fact the Law Commissions stated clearly in the relevant reports published that this was not the case). It can, therefore, be safely said that the decision would have been the same has the case been litigated under the Insurance Act 2015.       

Insurance Implications of “Phishing”!

Phishing Emails - How to Protect Your Customers When Using E-Signature |  OneSpan

The 2Cs, COVID-19 and cyber risks, 2 plagues of our generation, both of which command global interest and competes in both print and online media for daily headlines. They also have one thing in common, they are highly misunderstood and mutates ever so often. For these and other reasons, governments and business stakeholders have invested heavily in developing safety guidelines to mitigate the loss and damages arising directly or indirectly from cyber risks and COVID19. While governments have made some progress in the fight against COVID-19 through the vaccine administration, cyber risks on the other hand is mutating at such a rate where it almost impossible to keep up and the shipping and insurance industries are just as vulnerable to cyber risks as any other industry.  Here we will briefly discuss phishing, often described as the most widespread and pernicious cyber-attack technique, but the discussion will be centered around the decision of the U.S. District Court for the Northern District of Texas  in RealPage v National Union Fire Insurance Company of Pittsburgh and Beazley Insurance Company[1].

BIMCO in its guidelines on cybersecurity risks onboard ships describes phishing as encompassing the sending of emails to many potential targets asking for pieces of sensitive or confidential information. The email may also contain a malicious attachment or request that a person visits a fake website using a hyperlink included in the mail. A distinguishing feature of phishing is that attackers pretend to be a real and trusted person or company that the victim usually or have had business relations. It is reported in the Cyber Security Breaches Survey 2020, that phishing attacks are the most common attack vector used by cyber criminals and that between 2017 and 2020 there has been a rise in the number of businesses experiencing a phishing attacks from 72% to 86% whereas there has been a fall in viruses and other malware from 33% to 16%.[2] Since phishing is such a constant threat to businesses, it is understandable why insurers see the need to cater for this risk in their cyber insurance policies and or other commercial crime policies.

Facts of RealPage case:

RealPage provides several services for their clients who are property owners and managers of real estate. The clients entered contracts with RealPage authorizing it to act as agents on their behalf, and to manage and collect monies debited from their customers’ accounts, and to credit the client’s identified bank account. The tenants authorized the transactions processed by RealPage and this was communicated to RealPage by their clients. RealPage then contracted with Stripe to provide software services that enable payment processing and related functions.

The payment process involved the following:

  1. A tenant would log in to an interface called “Resident Passport” to make a payment to one of RealPage’s clients.
  2. Upon initiation of a payment by a tenant, RealPage would send application programming interface (API) calls[3] to Stripe’s server either through Stripe Dashboard or the On-Site application.
  3. Upon receipt of an API call, for an automated clearing house (ACH) transaction, Stripe would send instructions to its bank, Wells Fargo to process the ACH transfer that would pull money from the tenant’s bank account and place these funds in Stripe’s Wells Fargo bank account.
  4. Thereafter, Stripe would direct Wells Fargo to complete another ACH transfer to pay these funds to the clients in accordance with RealPage’s instructions.

The funds held in Stripe’s accounts were for the benefit of its users and merchants such as RealPage. If there was a balance owed to a client of RealPage, the funds for that client in Stripes account would be for the benefit of the said client. RealPage had no rights to the funds held in Stripes account. RealPage was not entitled to draw funds and did not receive interest from funds maintained in the account. RealPage contracts describes the relationship with Stripes as independent contractors. One exception where Stripe operates as an agent is holding funds that are owed to RealPage

The hackers used targeted phishing to obtain and alter the account credential of a RealPage employee. They then used those credentials to access the Stripe Dashboard and alter RealPage’s fund disbursement instructions to Stripe. The hackers diverted over $10 million that was not yet disbursed to clients. RealPage discovered the fraud, contacted Stripe and directed them to reverse the payments and freeze outgoing payments. RealPage was unable to recover over $6 million of the funds. RealPage refunded clients for lost funds.

Insurance Policies with National Union and Beazley

At the time of the attack, RealPage had a commercial crime policy with National Union and an Excess Fidelity and Crime Policy from Beazley. The Excess Policy provides a $5,000,000 limit of liability “for any loss which triggers coverage under the Commercial Crime Policy.  Therefore, any recovery under the Excess policy was dependent on RealPage successfully making a claim under the Commercial Crime Policy. The following provisions of the Commercial Crime Policy are the most relevant

Ownership of Property; Interests Covered:

The property covered under this policy is limited to property:

(1) That you own or lease; or

(2) That you hold for others whether or not you are legally liable for the

loss of such property.

Computer Fraud:

We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:

a. To a person (other than a “messenger”) outside those “premises”; or

b. To a place outside those “premises”.

Funds Transfer Fraud:

We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.

Insurance Claims and Responses

RealPage claim for the funds lost under the policy but National Union was only willing to reimburse the transactional fees owed to Real Page. With respect to the diverted funds that were owed to RealPage clients, National Union concluded that based on their preliminary analysis, RealPage did not own or hold the funds and thus was not entitled to coverage. As a result of National Union’s denial of coverage, RealPage filed a claim seeking a declaration of judgment for the funds fraudulently diverted and lost as a result of the phishing attack.

Court Proceedings

The main issue for the court was ‘whether RealPage is entitled to coverage under commercial crime insurance policies for the loss of its clients’ funds which were diverted through a phishing scheme’? In answering this question, the central issue is whether RealPage held these funds despite its use of a third-party processor, Stripe Inc? After an extensive discussion of the meaning given to the word ‘hold’, it was accepted that there must be possession and not necessarily ownership of an item. Accordingly, the court held that RealPage did not suffer a direct loss as required under the policy as they did not hold the funds at the time of the phishing attack  and in so doing the court decided in National Union and Beazley’s favour granting them summary judgment.

RealPage argued that the policy was expansive enough to cover property they held. They also reasoned that since they had the authority to direct Stripe as to where the funds should go, they ‘held’ the funds. The court rejected this line of reasoning by stating ‘hold’ cannot be reduced to simply the ability to direct but required some sort of possession of property. By applying the ordinary meaning of ‘hold’, Real page was not in possession of the funds. The funds were in Stripes account at Well Fargo and not RealPage up to the time it was diverted to the hackers account. RealPage ability to direct the transfer of the funds does not amount to holding the funds. Furthermore, RealPage had no rights to the funds in the account, could not withdraw the funds and held in the same account as those of other Stripe users.

RealPage had to also establish that they had suffered loss resulting directly from computer fraud or funds transfer fraud. Since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required under the Policy.

Insurance implications

While we acknowledge that this decision is not binding on the courts in the UK, it cannot be denied that many of the practices within the UK cyber insurance market are influenced by what happens in the more mature US market. Furthermore, many of the insurance companies including Beazley who are leading the way in the UK as cyber insurance providers also have parent companies, branch offices or subsidiaries operating in the USA. So, while the decision is not binding, it will certainly be persuasive or at the very least leave an indelible lesson for both assureds and insurers to seek clarity and modify policy clauses relating to loss or damage from phishing or other social engineering attacks.

If a higher court was to approve this judgement and a similar practice is adopted in the UK by insurers, it will be very difficult for assureds who use third party providers to assist them with payment transfers and other transactions to successfully claim an indemnity from their insurers relying on similar policy wording. This would mean even though the assured’s system was breached when the employee inadvertently shared their confidential account details and though the phishing diverted funds belonging to clients of the assured, a policy bearing similar clauses as those provided above, would not respond since the outcome of the claim would be totally dependent on the definition of ‘hold’ and what was considered to be in the possession of the assured as per the requirement of the policy at the time the funds were fraudulently diverted.

To prevent such a harsh outcome for assureds, it is recommended that assures negotiate with their brokers for their cyber insurance policies or commercial crime policies to include words which would cover situations where funds are being held in the account of an agent or third-party contractor.  In so doing, the policy wording could be modified to include not just funds the assured ‘hold or owns’ but to also cover ‘loss of funds for which they have authority to direct’.

Variations in policy wording – UK

  1. Cyber Crime[4]
  2. We will indemnify you in respect of the following for loss by theft committed on or after the Retroactive Date stated in the schedule which is first discovered during the period of insurance and notified to us in accordance with Claims conditions applicable to Section B:

i)   assets due to any fraudulent or dishonest misuse or manipulation by a third party of the computer system operated by you

ii)  your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic, telegraphic, cable, telephone or email instructions todebit such account and to transfer, pay or deliver funds from such account and which instructions purportto have come from you but which are fraudulently altered, transmitted or issued by a third party or are

a forgery.

  • In the event that any party other than an insured person enters into an agreement with a third party  entity pretending to be you we will pay reasonable fees and costs to establish that such fraud has occurred should the third party seek to enforce such agreements against you provided that such loss is first discovered and is notified to us during the period of insurance.

The words provided in clause 1a (ii) will cause a different outcome when compared to how property was defined and what was decided by the court in RealPage. In RealPage the National Union insurance policy defined ‘property’ as that i) owned or leased by the assured or ii) that you hold for others whether or not you are legally liable for the loss of such property’. Whereas, under Section B- Crime, clause 1a (ii) of Zurich Cyber Policy, the assured will be indemnified for ‘your funds or those for which you are responsible at law from account maintained by you at a financial institution following fraudulent electronic … or email instructions to debit such account and to transfer’. The difference with the Zurich policy is that unlike the National Union policy in RealPage, there is no requirement for the assured to ‘hold’ the funds in the literal sense of the word. Furthermore, under the Zurich policy the insurer will only indemnify the assured if funds are either his or those for which he is responsible at law. This is different in RealPage as the National Union policy will cover property that the assured hold for others whether or not he is legally liable for the loss. Another distinguishing feature between the two policies is that in the Zurich policy the insurer will cover funds from an account maintained by the assured at a financial institution.

This latter feature has similar meaning to ‘hold’ as interpreted by the court in RealPage. If we consider for example, maintenance of a bank account, this includes holding and transferring funds within the account and the execution of other control mechanisms to ensure that the account remains active and in good financial standing. However, others may argue that ‘an account maintained by the assured at a financial institution’ should be given a wider meaning in that even accounts owned or held by a third party at a financial institution may be maintained by the assured. In other words, maintenance of an account does not necessarily mean that the funds must be held or are being held by the assured as was decided in RealPage. If this interpretation should be applied to the facts in RealPage, it is reasonable to conclude that the insurers would have been held liable to indemnify the assured since the monies in the account held by Stripe Inc was the legal responsibility of RealPage. Moreover, if the account was used solely to hold funds related to RealPage business there should be no logical explanation as to why it cannot be accepted that RealPage is maintaining the account in accordance with Zurich policy wording. Either way, the ambiguity and possibility of a trial will be removed if the parties clearly defined and explained what it meant by ‘maintenance of account’.

For those businesses without a cyber insurance policy, coverage may be acquired under their commercial crime policy. Below is an example of a clause covering this type of loss that can be found in most crime policies:

Computer Fraud and Funds Transfer Fraud[5]

The Insurer shall indemnify the Insured for:

1. loss of or damage to Money, Securities or Property resulting directly from

Computer Fraud committed solely by a Third Party; or

2. loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting directly from Funds Transfer Fraud committed solely by a

Third Party.

Funds Transfer Fraud” means fraudulent written, electronic, telegraphic, cable, teletype

or telephone instructions by a Third Party issued to a Financial Institution directing such

institution to transfer, pay or deliver Money or Securities from any account maintained by

an Insured at such institution, without the Insured’s knowledge or consent.[6]

Some crime policies in their definition section provide that a “Transfer Account” means an account maintained by the Insured at a Financial Institution from which the Insured can initiate the transfer, payment or delivery of Money or Securities.”[7] Like the Zurich policy, the implications of the clause will turn on the meaning assigned to ‘maintenance of an account’ as discussed above.

Funds transfer fraud is also covered in Beazley Commercial Crime Insurance Module[8]:

Fund transfer fraud means the transfer of money, securities or other property due to electronic data, computer programs or electronic or telephonic transfer communications within a computer system operated by the insured having been dishonestly, fraudulently, maliciously or criminally modified, replicated, corrupted, altered, deleted, input, created, or prepared.

Fund transfer fraud does not include loss due to social engineering fraud.

Based on this definition and the exclusion of social engineering from Fund transfer fraud, an assured in RealPage’s position could not rely on the Funds transfer clause under their commercial crime policy. Instead, the assured would need to rely on the social engineering fraud clause (where not excluded), variations of which are found in most cyber insurance policies.

Social Engineering Fraud[9] means the insured having authorised, directed or acknowledged the transfer, payment, delivery or receipt of funds or property based on:

  • an electronic or telephonic transfer communication which dishonestly, fraudulently, maliciously or criminally purports to be, but is not, from a customer of the insured, another office or department of the insured, a financial organisation or vendor; or
  •  a written or printed payment instruction obtained by fraudulent impersonation.

In some policies for example Zurich Cyber Policy, an obligation is placed on the assured to confirm the validity of the transfer instructions before actions are taken to send the funds to the account mentioned in the purported instructions. The confirmation must include ‘either verification of the authenticity or accuracy of the transfer instruction by means of a call back to a predetermined number or the use of some other verification procedure and the assured must keep a written record of the verifications along with all elements of the fraudulent transfer instruction’.[10]  It is imperative for assureds to check their cyber insurance and or commercial crime policies to ensure they have adequate protection against phishing and other types of social engineering attacks as cyber criminals will continue to use these attack vectors to steal from companies.


[1] Civil Action No. 3:19-cv-1350-b (ND Tex Feb 24, 2021)

[2] Department for Digital, Culture, Media & Sport, ‘Cybersecurity breaches survey 2020’ (March 2020) <https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020 > accessed 31 March 2021.

[3] The API calls sent from RealPage to Stripe provided information about the tenant’s account, the client’s destination account and the amount due to the client.

[4] Zurich Insurance plc, ‘Cyber Policy: Section B – Crime’ (2020) 29 < https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber  > accessed 8 April 2021.

[5] Beazley Inc, ‘Crime Insurance Policy: Insuring Clause 1F’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[6] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition EE’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[7] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition P’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[8] Beazley Inc, ‘Commercial Crime Insurance Module (Lloyds Syndicate) Clause F: Definitions’

<https://www.beazley.com/documents/Wordings/Commercial%20Crime%20Module%20%28Lloyd%27s%20syndicate%29.pdf > accessed 9 April 2021.

[9] Ibid.

[10] Zurich Insurance plc, ‘Cyber Policy: Conditons application to Section B – 7 Social Engineering Cover’ (2020) 31

< https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber  > accessed 8 April 2021.

Non-Disclosure, Materiality and Inducement in Commercial Insurance Context (Again)!

What happens if an assured fails to disclose to the insurer the fact that special conditions were imposed by another insurer as part of another insurance contract? Could that amount to an actionable non-disclosure under s. 18 of the Marine Insurance Act (MIA) 1906? This was the main issue in Niramax Group Ltd v. Zurich Insurance plc [2020] EWHC 535 (Comm). The assured, Niramax, is a company carrying out the business of waste collection and waste cycling from various sites in north-east England. Niramax held a suite of insurance policies with the insurer, Zurich, which provided cover for a variety of risks relating to its plant and machinery. One of these policies was a contractor’s plant policy which provided all risks cover for a mobile plant owned by the assured (the Policy). Niramax also held buildings cover separately with a variety of other insurers. One of these insurers was Millennium Insurance. In the process of providing insurance cover for a building owned by Niramax in 2014, a risk survey report was prepared by Millennium which laid out seven risk requirements. One of these requirements was the installation of a fire suppression system at the main recycling facility of Niramax located at Hartlepool. Even though the assured was reminded by Millennium of the need to install the fire suppression system on several occasions, the system was never installed and as a result special conditions stipulated by the policy came into force on 22 October 2014 increasing the deductible to £ 250,000 and requiring Niramax to self-insure for thirty five percent of the balance of any loss.

In December 2014, Niramax renewed its policy with Zurich on the mobile plant. In 2015, Niramax acquired another mobile plant (Eggersmann plant) and in September 2015, Zurich was persuaded to amend the Policy to extend cover to the newly acquired plant until the renewal date of mid-December 2015. On 4 December 2015, a fire broke out at Niramax’s premises and the Eggersmann plant along with the other plant was destroyed.
Niramax made a claim, which, at trial was valued at around £ 4.5 million, under the Policy. The majority of the claim related to the loss of the Eggersmann plant, which was valued around £ 4.3 million. Zurich refused to pay stating that it was entitled to avoid the Policy for material non-disclosure and/or misrepresentation. Niramax brought the current proceedings against Zurich.

It was held that the assured’s non-compliance with risk requirements under the buildings policy with Millennium and the imposition of special terms under that policy were materials facts which needed to be disclosed under s. 18(1) of the MIA 1906. However, the insurer (Zurich) failed to demonstrate that, if the facts had been fully disclosed, the Policy for the plant (effected in December 2014) would have been renewed. On the other hand, Zurich was able to demonstrate that, if the facts had been fully disclosed (especially imposition of special circumstances for the assured company (Niramax) by another insurer), the extension of cover for the Eggersmann plant would have been refused. Accordingly, it was held that the insurer, Zurich, was entitled to avoid the cover for the endorsement under the Policy and no indemnity was due for the loss of the Eggermanns plant. The insurer was required to return the premium received for the endorsement. Otherwise, the original Policy stood and the insurer was bound to indemnify Niramax for the items of mobile plant which were covered by the original Policy (as renewed in December 2014) and damaged in the fire.

Two comments are in order. First, it is interesting to see that the trial judge (Mrs Justice Cockerril) found that the original policy stood (i.e. there was no inducement) even though it would have not been written on the same terms (i.e. with higher premium to reflect the correct multiplier) if full disclosure had been made by the assured. This certainly raises an interesting question going forward on the application of the test of inducement and seems to be at odds with the sentiments expressed by Clarke, LJ, in Assicurazioni Generali SpA v. Arab Insurance Group [2002] EWCA Civ 1642; [2003] Lloyd’s Rep IR 131, at [62] (emphasis added):
In order to prove inducement the insurer or reinsurer must show that the non-disclosure or misrepresentation was an effective cause of his entering into the contract on the terms on which he did. He must therefore show at least that, but for the relevant non-disclosure or misrepresentation, he would not have entered into the contract on those terms. On the other hand, he does not have to show that it was the sole effective cause of his doing so.

Second, the contract was obviously concluded before the Insurance Act 2015 (IA) came into force but is highly unlikely that the application of the AA 2015 would have led to a different outcome. The materiality test applicable under the IA 2015 (under s. 7(3) of the IA 2015) is practically the same and there is still a need to prove inducement for actionable non-disclosure under the 2015 Act.

Microsoft Exchange Email Hacks!

numbers projected on face
Photo by Mati Mango on Pexels.com

Another cyber-attack labelled ‘Microsoft Exchange Email hacks’ hits the news again! This attack has been concerningly described as ‘zero day’ attack. A zero-day attack means that the points of vulnerability were unknown before the attack therefore the cyber-attack occurs on the same day that the weakness is discovered in the software. Like so many things happening around the world at this point, the race is on to get on top of these attacks which are believed to be state sponsored and cultivated in China by the hacking group Hafnium. Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world.  It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that their system has been compromised and that there is a possibility that personal data has been exposed.  

What happened?

Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities in the server’s system to enter the Microsoft Exchange Server which is used by large corporations and public bodies across the world. The calendar software of governments and data centres were also compromised. The hackers also sometimes used stolen passwords to gain unauthorized access to the system. The hackers would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.

Tom Burts, a VP at Microsoft described in a sequential order how the attack was carried out;

First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.

Second, it would create what’s called a web shell to control the compromised server remotely.

Third, it would use that remote access – run from the U.S. based private servers to steal data from an organization’s network.[1]

What is not affected?

The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar services that’s included in commercial Office 365 and Microsoft 365 subscriptions.

International Response

In response Microsoft issued a software update for its 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cybersecurity Centre, the US and the Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.

But what does this mean for insurers?

This is an extra dent in the cyber security efforts of companies and public bodies yet another opportunity for a lesson to the insurance market of the potential global and high aggregate loss from just one attack. This incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. Similarly, it is another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever they may be. So far, the impact is widespread, and victims include organisations such as infectious disease researchers, law firms, higher education institutions, defence contractors, NGOs. Cybersecurity group Huntress has reported many of their partners servers have been affected and they include small businesses for example small hotels, ice cream company, senior citizen communities, banks, local government and electricity companies[2].

In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies will present their claims to insurers and how insurers will respond to claims from assured whose businesses may have been interrupted by the Exchange Email hacks.

There will be gaps and exclusions in these Business Interruption policies which may not provide adequate protection against cyber risks so it is the assured with a cyber risk policy / insurance coverage who will be the most protected during and after these attacks.

Applicable cyber insurance clauses and possible response of insurers

Most cyber insurance policies cover data loss and business interruption as a result of a security breach so this will not be much of an issue for assureds with cyber insurance coverage. There are exclusions in most cyber insurance policies which may leave an assured vulnerable when hacking of this nature (Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact further:

  1. First Party Loss

costs or expenses incurred by the insured to identify or remediate software program errors or vulnerabilities or update, replace, restore, assemble, reproduce, recollect or enhance data or computer systems to a level beyond that which existed prior to a security breachsystem failuredependent security breachdependent system failure or extortion threat;

  • Betterment

for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;

The inclusion of this or any clause with similar wording means the assured may not be covered for the expenses and cost incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the expenses or costs incurred to install the patches as recommended by Microsoft as these will be classified as updates or enhancement to the computer system beyond a level that which existed prior to the security breach.

  • Infrastructure failure

We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:

  1. Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.

OR

ii.     failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.

OR

  • Third party providers
  1. arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;

OR

ii.   The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.

Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’ to relieve the insurer of any liability to the assured? As software service providers of Microsoft 365 and Azure it will be no surprise to see claims being denied based on clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by the applying ejusdem generis rule in stating that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to Cambridge dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that the Microsoft Exchange Server qualifies as a software needed for a computer system to operate and communicate with other computers. Rather, the function of the Microsoft exchange server is to aid with email storage and calendaring and is unrelated to other operational functions necessary to communicate with other computers.

Certainly ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create less problems for the insurer to establish that the exclusion applies as this broad construction will exclude losses and expenses from incidents such as Microsoft Email Exchange Hack.

  • Government intrusion
  1. which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;

Since the Microsoft Exchange Email are believed to be carried out by Hafnium which is a government backed group, it is reasonable to identify them as agents of the government of China.  Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for their loss or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.

Conclusion and the way forward

As aforementioned, it is early days and the real financial impact if any from these attacks are not yet known. However, what is certain is that hackers, whether state sponsored are not are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Therefore, companies and public bodies must continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks which unfortunately will happen at one point. Among those decisions should be the purchase of cyber insurance policies that addresses the needs of the business with particular attention being placed on the exclusions clauses and ensuring that as an assured you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone .

While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for those small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Therefore, larger corporations within the supply chain must offer their expertise to the small and medium sized businesses with which they trade to respond to this and other cyber security threats.  Since Microsoft Exchange Online servers have not been affected, many small and medium sized businesses may begin to switch to using cloud-based email storage. However, this does not mean they will be immune from cyber-attacks.

Tokio Marine in their Cybersecurity Insurance Policy wording 0417 went as far as to include a list of reasonable steps that an insured should take to avoid / mitigate their loss and these along with government and industry guidelines should be a good starting point in your fight against cyber attacks and their debilitating impacts.

Reasonable steps to avoid Loss

The Insured shall protect its Computer system by:

a. having Virus protection software operating, correctly configured and regularly or automatically updated;

b. updating Computer systems with new protection patches issued by the original system or software manufacturer of supplier;

c. having a fire wall or similar configured device to control access to its Computer system;

d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;

e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;

f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;

g. taking regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;

h. having an operational system for logging and monitoring user activity on its Computer system;

i. remote wipe functionality is installed and enabled on all portable devices where such functionality is available


[1] Tom Burts, ‘New Nation – State Cyber attacks’ (02 March 2021) < https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/> accessed 14 March 2021.

[2] John Hammond, ‘Rapid Response: Mass Exploitation of On-Prem Exchange Servers’ (03 March 2021) < https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers?__hstc=1139630.77196394391fe1afb6fc8e7d1d6a8bc9.1615725167878.1615725167878.1615725167878.1&__hssc=1139630.5.1615725167882&__hsfp=3684379411&hsutk=77196394391fe1afb6fc8e7d1d6a8bc9&contentType=listing-page> accessed 14 March 2021.

P&I Fixed Premium Renewals. Coronavirus exclusion clause to apply.

So far, P&I Insurance has operated continued to afford liability cover without any specific exclusions for incidents arising out of COVID-19. However, fixed premium and Charterers’ P&I covers are reinsured outside the International Group’s Pooling Agreement and with effect from 20.2.2021 and will be subject to the Coronavirus Exclusion Clause (LMA 5395) and The Cyber Endorsement (LMA 5403) in the Rules for Mobile Offshore Units (MOUs).

The coronavirus exclusion for marine and energy provides:

“This clause shall be paramount and shall override anything contained in this insurance inconsistent therewith.

This insurance excludes coverage for:

1) any loss, damage, liability, cost, or expense directly arising from the transmission or alleged transmission of:

a) Coronavirus disease (COVID-19);

b) Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2); or

c) any mutation or variation of SARS-CoV-2;

or from any fear or threat of a), b) or c) above;

2) any liability, cost or expense to identify, clean up, detoxify, remove, monitor, or test for

a), b) or c) above;

3) any liability for or loss, cost or expense arising out of any loss of revenue, loss of hire,

business interruption, loss of market, delay or any indirect financial loss, howsoever

described, as a result of any of a), b) or c) above or the fear or the threat thereof.

All other terms, conditions and limitations of the insurance remain the same.”

Gard have recently announced that they will offer Members and clients in respect of the categories of covers listed below a special extension of cover. The extension of cover (hereinafter referred to as the ‘Special Covid-19 Extension’) shall comprise liabilities, losses, costs and expenses falling within the scope of terms of entry agreed but for the Coronavirus Exclusion Clause (LMA 5395) and subject to a sub-limit of USD 10 million per ship or vessel per event. This extension does not apply to the Cyber Endorsement.