Sompo Insurance Singapore Pte Ltd v. Royal & Sun Alliance Insurance Plc  SGGC 152
Singapore Marine Insurance Act 1994 (which is based on English Marine Insurance Act 1906) s. 79(1) stipulates (emphasis added):
Where the insurer pays for a total loss, either of the whole, or in the case of goods of any apportionable part, of the subject-matter insured, he thereupon becomes entitled to take over the interest of the assured in whatever may remain of the subject-matter so paid for, and he is thereby subrogated to all the rights and remedies of the assured in and in respect of that subject-matter as from the time of the casualty causing the loss.
The question in this case was: “does an insurer’s right of subrogation extend to the right to call upon a performance bond issued to the assured?”
The facts can be summarised as follows: In December 2013, the Government of Singapore entered into a contract with Geometra for the transport of military cargo. It was a condition under the contract that Geometra would provide an unconditional performance bond for 5 % of the contract price. This was satisfied by Sompo issuing a bond in favour of the Government.
The Singapore Government also purchased an insurance policy from RSA with regard to this shipment against the risk of loss or damage to cargo. When the cargo was damaged during transport the Government sought and obtained indemnity for the loss from RSA, which then commenced a subrogated recovery action under s. 79(1) of the Act and called on the performance bond issued by Sompo. To this end, RSA’s lawyers wrote to Sampo and made a demand on the bond “on behalf of the Government of Singapore”. Sampo refused the call and the matter was then litigated. In the District Court, RSA secured a judgment in its favour. Sampo appealed the decision to the High Court.
One of the arguments put forward by Sompo was that the bond had ultimately expired as it was not called upon by the Singapore Government. This point was easily disposed by the High Court on the ground that the letter of the RSA’s lawyers was in effect written “on behalf of Singapore Government” as they acquired the right to wear the shoes of the assured, in this case the Government, pursuant to their right of subrogation.
The main discussion was whether the insurer’s right of subrogation extended to the right to call on the performance bond. The High Court had no doubt that it did. Philip Jeyaretnam JC confirmed that the common law principle of subrogation grants an insurer the entitlement to every right the assured has to recover in respect of a loss including the right to call on a performance bond.
The judgment is not only in line with the wording and ethos behind s. 79(1), but is in accord with the case law on the subject especially Castellian v. Preston (1883) 11 QBD 380; London Assurance Corp. v. Williams (1892) 9 TLR 96 and more recently England v. Guardian Insurance Ltd  Lloyd’s Rep IR 409. Moreover, it would have been incongruous to hold that insurers are entitled to pursue subrogated recoveries against the person responsible for the loss but not use all rights and remedies that the assured would be able to pursue for recovery including calling on performance bonds. It is very likely that a similar judgment would have been delivered, had the case been litigated in England & Wales.
When obtaining insurance cover for his Rolex watch in May 2018, Mr Jones made a representation to the insurer (Zurich), through his insurance broker, that he had not made any other insurance claim in the previous five years. This was not accurate as Mr Jones had previously claimed for a lost diamond in 2016.
Mr Jones put forward an insurance claim for loss of his beloved Rolex watch (valued at £ 190,000), said to have come off his wrist while skiing. The insurer turned down the claim on the basis that Mr Jones made a misrepresentation on his claim history and it would not have written the policy, or would have written it on materially different terms, had the true state of affairs been disclosed (s. 2(2) of the Consumer Insurance (Disclosure and Representation) Act (CIDRA) 2012). In the alternative, the insurer argued that if it had known the true state of affairs, it would have charged a substantially higher premium and the claim should be reduced proportionately. The insurer did not plead that the misrepresentation was “deliberate or reckless”.
His Honour Judge Peeling QC had no hesitation in holding that the assured failed to take reasonable care not to make a misrepresentation to the insurer when questioned about his claim history and he was also satisfied that the insurer could avoid the policy as it managed to demonstrate that it would not have entered into the insurance contract at all had it been aware of the previous claim made in 2016 for a lost diamond. In reaching this decision, the judge considered expert evidence from underwriters. Both experts agreed that some underwriters might accept this particular risk at higher premium and others would refuse to underwrite altogether, but different in emphasis as to how usual a refusal to underwrite would be. However, what ultimately swayed the judge was the fact that the underwriter (Mr Green) had expressed concern in his written notes about the jewellery element of the cover. He also stated in his evidence that “the answer to whether or not there had been ant previous claim was extremely significant to my assessment of the risk… it was already a case which was borderline declinature… it’s just not one which would fit our underwriting strategy.”. The judge accepted his evidence.
The judgment makes clear that the burden of proof on the insurer to establish that it would not have entered into an insurance contract is a high one but can certainly be satisfied especially in cases where underwriters could present to judge written notes confirming their hesitancy to take the risk in the first instance supported by reliable expert evidence. The relevant underwriter’s contemporaneous notes and records giving clues about his thought process at underwriting stage as well as copes of e-mails and documents provided by the assured and his broker were very helpful to advance the insurer’s case.
The case was considered under the CIDRA 2012 (as this was personal insurance) but it is certainly a good illustration as to how the judges might interpret certain parts of the Insurance Act (IA) 2015 since CIDRA 2012 and IA 2015 share similar provisions (i.e. both of these legal instruments allow an insurer to avoid the policy for misrepresentation if the insurer can demonstrate that the misrepresentation was “deliberate or reckless” or “the insurer would not have underwritten the policy on any terms had there been no misrepresentation”).
What if the insurer ends up charging less premium and non-disclosure of material facts is a contributory factor? Could it be said in that case that inducement is established as a matter of law? This was essentially the thrust of the insurer’s appeal in Zurich Insurance plc v. Niramax Group Ltd EWCA Civ 590 against the judgment of Mrs Justice Cockerill, J (which also was reported on this blog last year). Reminding readers the facts briefly: the assured ran a waste collection and waste recycling centre and obtained an insurance policy from the insurer in December 2014. In September 2015 a fixed shredding machine, known as Eggersmann plant, was added to the policy with an endorsement. On 4 December 2015, a fire broke out at the assured’s premises and the Eggersmann plant along with the other plant was destroyed. The assured made a claim, which, at trial was valued at around £ 4.5 million, under the Policy. The majority of the claim related to the loss of the Eggersmann plant, which was valued around £ 4.3 million. The insurer refused to pay stating that the assured’s non-compliance with risk requirements under the buildings policy with another insurer and the fact that special terms under that policy were imposed on the assured were materials facts which needed to be disclosed under s. 18(1) of the MIA 1906. Mrs Justice Cockerill agreed that these were material facts and needed to be disclosed. However, it was held that the insurer failed to demonstrate that, if the facts had been fully disclosed, the original Policy for the plant (effected in December 2014) would not have been renewed. On the other hand, the insurer was able to demonstrate that, if the facts had been fully disclosed (especially imposition of special circumstances for the assured company by another insurer), the extension of cover for the Eggersmann plant would have been refused. Accordingly, it was held that the insurer was entitled to avoid the cover for the endorsement under the Policy and no indemnity was due for the loss of the Eggermanns plant. Otherwise, the original Policy stood and the insurer was bound to indemnify the assured for the items of mobile plant which were covered by the original Policy (as renewed in December 2014) and damaged in the fire.
On appeal, the assured was essentially arguing that they should have been allowed to avoid the original policy as well as the Eggersmann endorsement as they ended up charging less premium as a result of the assured’s non-disclosure with regard to special conditions imposed on them by another insurer due to non- compliance with risk requirements. Before evaluating the legal position on “inducement”, it is worth highlighting facts that led the insurer to charge premium less than it would have normally done. When rating risks, the particular insurer normally apply a “commoditised and streamlined” process that take into account three aspects, namely the amount of the cover, the nature of the trade, and the claims experience. A junior employee of the insurer when entering these variables, instead of categorising the risk as waste, with an automatic premium of 6 %, categorised it as contractor’s portable plant, with a premium of 2.25, to which a loading of 40 % was applied. The argument of the insurer is that if full disclosure had been made, the risk would have been referred to the head underwriter who would have noticed the mistake and accordingly priced the premium correctly. The non-disclosure therefore fulfills a “but for” test of causation in that it provided the opportunity for a mistake to be made in the calculation of premium that would not otherwise have been made.
Popplewell, LJ stressed in his judgment, at , that
“in order for non-disclosure to induce an underwriter to write the insurance on less onerous terms than would have been imposed if disclosure had been made, the non-disclosure must have been an efficient cause of the difference in terms. If that test of causation is not fulfilled, it is not sufficient merely to establish that the less onerous terms would have not been imposed but for the non-disclosure.”
To support this finding, he made reference to several legal authorities, including the judgment of the House of Lords in Pan Atlantic Insurance Ltd v. Pine Top Ltd  1 AC 501, but perhaps the words of Clarke, LJ, in Assicurazioni Generali SpA v. Arab Insurance Group  EWCA 1642, at  emphasised in the clearest fashion the accurate legal position:
“In order to prove inducement the insurer or reinsurer must show that the non-disclosure or misrepresentation was an effective cause of his entering into the contract on the terms on which he did. He must therefore show at least that, but for the relevant non-disclosure or misrepresentation he would not have entered into the contract on those terms. On the other hand, he does not have to show that it was the sole effective cause of doing so.”
The Court of Appeal’s judgment in the present case, and the line of authority on the subject of inducement, is a good reminder that in most cases if an insurer cannot satisfy the effective cause test he will also be unable to satisfy the “but for test”. But the opposite is not always true. There could be cases, like the present one, where it is possible to satisfy the “but for test” but the non-disclosure or misrepresentation could still not be the effective cause leading the insurer to enter into the contract on the terms it did. Here, the reason for the insurer charging less premium for the risk underwritten in December 2014 was the error of the junior employee mistakenly categorising the risk. The insurer has, therefore, failed to prove that non-disclosure of the condition imposed by another insurer had any impact on the premium charged or the decision to insure the assured. Accordingly, the judgment of the trial judge on this point (lack of inducement to enable the insurer to avoid the original policy) was upheld.
The case was considered under the Marine Insurance Act 1906 (s. 18). The law in this area was reformed by the Insurance Act 2015 especially with regard to remedies available in case of breach of the duty to make a fair representation. There is no indication, however, that the law reform intended to alter the “inducement” requirement (and in fact the Law Commissions stated clearly in the relevant reports published that this was not the case). It can, therefore, be safely said that the decision would have been the same has the case been litigated under the Insurance Act 2015.
The 2Cs, COVID-19 and cyber risks, 2 plagues of our generation, both of which command global interest and competes in both print and online media for daily headlines. They also have one thing in common, they are highly misunderstood and mutates ever so often. For these and other reasons, governments and business stakeholders have invested heavily in developing safety guidelines to mitigate the loss and damages arising directly or indirectly from cyber risks and COVID19. While governments have made some progress in the fight against COVID-19 through the vaccine administration, cyber risks on the other hand is mutating at such a rate where it almost impossible to keep up and the shipping and insurance industries are just as vulnerable to cyber risks as any other industry. Here we will briefly discuss phishing, often described as the most widespread and pernicious cyber-attack technique, but the discussion will be centered around the decision of the U.S. District Court for the Northern District of Texas in RealPage v National Union Fire Insurance Company of Pittsburgh and Beazley Insurance Company.
BIMCO in its guidelines on cybersecurity risks onboard ships describes phishing as encompassing the sending of emails to many potential targets asking for pieces of sensitive or confidential information. The email may also contain a malicious attachment or request that a person visits a fake website using a hyperlink included in the mail. A distinguishing feature of phishing is that attackers pretend to be a real and trusted person or company that the victim usually or have had business relations. It is reported in the Cyber Security Breaches Survey 2020, that phishing attacks are the most common attack vector used by cyber criminals and that between 2017 and 2020 there has been a rise in the number of businesses experiencing a phishing attacks from 72% to 86% whereas there has been a fall in viruses and other malware from 33% to 16%. Since phishing is such a constant threat to businesses, it is understandable why insurers see the need to cater for this risk in their cyber insurance policies and or other commercial crime policies.
Facts of RealPage case:
RealPage provides several services for their clients who are property owners and managers of real estate. The clients entered contracts with RealPage authorizing it to act as agents on their behalf, and to manage and collect monies debited from their customers’ accounts, and to credit the client’s identified bank account. The tenants authorized the transactions processed by RealPage and this was communicated to RealPage by their clients. RealPage then contracted with Stripe to provide software services that enable payment processing and related functions.
The payment process involved the following:
A tenant would log in to an interface called “Resident Passport” to make a payment to one of RealPage’s clients.
Upon initiation of a payment by a tenant, RealPage would send application programming interface (API) calls to Stripe’s server either through Stripe Dashboard or the On-Site application.
Upon receipt of an API call, for an automated clearing house (ACH) transaction, Stripe would send instructions to its bank, Wells Fargo to process the ACH transfer that would pull money from the tenant’s bank account and place these funds in Stripe’s Wells Fargo bank account.
Thereafter, Stripe would direct Wells Fargo to complete another ACH transfer to pay these funds to the clients in accordance with RealPage’s instructions.
The funds held in Stripe’s accounts were for the benefit of its users and merchants such as RealPage. If there was a balance owed to a client of RealPage, the funds for that client in Stripes account would be for the benefit of the said client. RealPage had no rights to the funds held in Stripes account. RealPage was not entitled to draw funds and did not receive interest from funds maintained in the account. RealPage contracts describes the relationship with Stripes as independent contractors. One exception where Stripe operates as an agent is holding funds that are owed to RealPage
The hackers used targeted phishing to obtain and alter the account credential of a RealPage employee. They then used those credentials to access the Stripe Dashboard and alter RealPage’s fund disbursement instructions to Stripe. The hackers diverted over $10 million that was not yet disbursed to clients. RealPage discovered the fraud, contacted Stripe and directed them to reverse the payments and freeze outgoing payments. RealPage was unable to recover over $6 million of the funds. RealPage refunded clients for lost funds.
Insurance Policies with National Union and Beazley
At the time of the attack, RealPage had a commercial crime policy with National Union and an Excess Fidelity and Crime Policy from Beazley. The Excess Policy provides a $5,000,000 limit of liability “for any loss which triggers coverage under the Commercial Crime Policy. Therefore, any recovery under the Excess policy was dependent on RealPage successfully making a claim under the Commercial Crime Policy. The following provisions of the Commercial Crime Policy are the most relevant
Ownership of Property; Interests Covered:
The property covered under this policy is limited to property:
(1) That you own or lease; or
(2) That you hold for others whether or not you are legally liable for the
loss of such property.
We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.
Funds Transfer Fraud:
We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.
Insurance Claims and Responses
RealPage claim for the funds lost under the policy but National Union was only willing to reimburse the transactional fees owed to Real Page. With respect to the diverted funds that were owed to RealPage clients, National Union concluded that based on their preliminary analysis, RealPage did not own or hold the funds and thus was not entitled to coverage. As a result of National Union’s denial of coverage, RealPage filed a claim seeking a declaration of judgment for the funds fraudulently diverted and lost as a result of the phishing attack.
The main issue for the court was ‘whether RealPage is entitled to coverage under commercial crime insurance policies for the loss of its clients’ funds which were diverted through a phishing scheme’? In answering this question, the central issue is whether RealPage held these funds despite its use of a third-party processor, Stripe Inc? After an extensive discussion of the meaning given to the word ‘hold’, it was accepted that there must be possession and not necessarily ownership of an item. Accordingly, the court held that RealPage did not suffer a direct loss as required under the policy as they did not hold the funds at the time of the phishing attack and in so doing the court decided in National Union and Beazley’s favour granting them summary judgment.
RealPage argued that the policy was expansive enough to cover property they held. They also reasoned that since they had the authority to direct Stripe as to where the funds should go, they ‘held’ the funds. The court rejected this line of reasoning by stating ‘hold’ cannot be reduced to simply the ability to direct but required some sort of possession of property. By applying the ordinary meaning of ‘hold’, Real page was not in possession of the funds. The funds were in Stripes account at Well Fargo and not RealPage up to the time it was diverted to the hackers account. RealPage ability to direct the transfer of the funds does not amount to holding the funds. Furthermore, RealPage had no rights to the funds in the account, could not withdraw the funds and held in the same account as those of other Stripe users.
RealPage had to also establish that they had suffered loss resulting directly from computer fraud or funds transfer fraud. Since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required under the Policy.
While we acknowledge that this decision is not binding on the courts in the UK, it cannot be denied that many of the practices within the UK cyber insurance market are influenced by what happens in the more mature US market. Furthermore, many of the insurance companies including Beazley who are leading the way in the UK as cyber insurance providers also have parent companies, branch offices or subsidiaries operating in the USA. So, while the decision is not binding, it will certainly be persuasive or at the very least leave an indelible lesson for both assureds and insurers to seek clarity and modify policy clauses relating to loss or damage from phishing or other social engineering attacks.
If a higher court was to approve this judgement and a similar practice is adopted in the UK by insurers, it will be very difficult for assureds who use third party providers to assist them with payment transfers and other transactions to successfully claim an indemnity from their insurers relying on similar policy wording. This would mean even though the assured’s system was breached when the employee inadvertently shared their confidential account details and though the phishing diverted funds belonging to clients of the assured, a policy bearing similar clauses as those provided above, would not respond since the outcome of the claim would be totally dependent on the definition of ‘hold’ and what was considered to be in the possession of the assured as per the requirement of the policy at the time the funds were fraudulently diverted.
To prevent such a harsh outcome for assureds, it is recommended that assures negotiate with their brokers for their cyber insurance policies or commercial crime policies to include words which would cover situations where funds are being held in the account of an agent or third-party contractor. In so doing, the policy wording could be modified to include not just funds the assured ‘hold or owns’ but to also cover ‘loss of funds for which they have authority to direct’.
We will indemnify you in respect of the following for loss by theft committed on or after the Retroactive Date stated in the schedule which is first discovered during the period of insurance and notified to us in accordance with Claims conditions applicable to Section B:
i) assets due to any fraudulent or dishonest misuse or manipulation by a third party of the computer system operated by you
ii) your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic, telegraphic, cable, telephone or email instructions todebit such account and to transfer, pay or deliver funds from such account and which instructions purportto have come from you but which are fraudulently altered, transmitted or issued by a third party or are
In the event that any party other than an insured person enters into an agreement with a third party entity pretending to be you we will pay reasonable fees and costs to establish that such fraud has occurred should the third party seek to enforce such agreements against you provided that such loss is first discovered and is notified to us during the period of insurance.
The words provided in clause 1a (ii) will cause a different outcome when compared to how property was defined and what was decided by the court in RealPage. In RealPage the National Union insurance policy defined ‘property’ as that i) owned or leased by the assured or ii) that you hold for others whether or not you are legally liable for the loss of such property’. Whereas, under Section B- Crime, clause 1a (ii) of Zurich Cyber Policy, the assured will be indemnified for ‘your funds or those for which you are responsible at law from account maintained by you at a financial institution following fraudulent electronic … or email instructions to debit such account and to transfer…’. The difference with the Zurich policy is that unlike the National Union policy in RealPage, there is no requirement for the assured to ‘hold’ the funds in the literal sense of the word. Furthermore, under the Zurich policy the insurer will only indemnify the assured if funds are either his or those for which he is responsible at law. This is different in RealPage as the National Union policy will cover property that the assured hold for others whether or not he is legally liable for the loss. Another distinguishing feature between the two policies is that in the Zurich policy the insurer will cover funds from an account maintained by the assured at a financial institution.
This latter feature has similar meaning to ‘hold’ as interpreted by the court in RealPage. If we consider for example, maintenance of a bank account, this includes holding and transferring funds within the account and the execution of other control mechanisms to ensure that the account remains active and in good financial standing. However, others may argue that ‘an account maintained by the assured at a financial institution’ should be given a wider meaning in that even accounts owned or held by a third party at a financial institution may be maintained by the assured. In other words, maintenance of an account does not necessarily mean that the funds must be held or are being held by the assured as was decided in RealPage. If this interpretation should be applied to the facts in RealPage, it is reasonable to conclude that the insurers would have been held liable to indemnify the assured since the monies in the account held by Stripe Inc was the legal responsibility of RealPage. Moreover, if the account was used solely to hold funds related to RealPage business there should be no logical explanation as to why it cannot be accepted that RealPage is maintaining the account in accordance with Zurich policy wording. Either way, the ambiguity and possibility of a trial will be removed if the parties clearly defined and explained what it meant by ‘maintenance of account’.
For those businesses without a cyber insurance policy, coverage may be acquired under their commercial crime policy. Below is an example of a clause covering this type of loss that can be found in most crime policies:
1. loss of or damage to Money, Securities or Property resulting directly from
Computer Fraud committed solely by a Third Party; or
2. loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting directly from Funds Transfer Fraud committed solely by a
“Funds Transfer Fraud” means fraudulent written, electronic, telegraphic, cable, teletype
or telephone instructions by a Third Party issued to a Financial Institution directing such
institution to transfer, pay or deliver Money or Securities from any account maintained by
an Insured at such institution, without the Insured’s knowledge or consent.
Some crime policies in their definition section provide that a “Transfer Account” means an account maintained by the Insured at a Financial Institution from which the Insured can initiate the transfer, payment or delivery of Money or Securities.” Like the Zurich policy, the implications of the clause will turn on the meaning assigned to ‘maintenance of an account’ as discussed above.
Funds transfer fraud is also covered in Beazley Commercial Crime Insurance Module:
Fund transfer fraud means the transfer of money, securities or other property due to electronic data, computer programs or electronic or telephonic transfer communications within a computer system operated by the insured having been dishonestly, fraudulently, maliciously or criminally modified, replicated, corrupted, altered, deleted, input, created, or prepared.
Fund transfer fraud does not include loss due to social engineering fraud.
Based on this definition and the exclusion of social engineering from Fund transfer fraud, an assured in RealPage’s position could not rely on the Funds transfer clause under their commercial crime policy. Instead, the assured would need to rely on the social engineering fraud clause (where not excluded), variations of which are found in most cyber insurance policies.
Social Engineering Fraudmeans the insured having authorised, directed or acknowledged the transfer, payment, delivery or receipt of funds or property based on:
an electronic or telephonic transfer communication which dishonestly, fraudulently, maliciously or criminally purports to be, but is not, from a customer of the insured, another office or department of the insured, a financial organisation or vendor; or
a written or printed payment instruction obtained by fraudulent impersonation.
In some policies for example Zurich Cyber Policy, an obligation is placed on the assured to confirm the validity of the transfer instructions before actions are taken to send the funds to the account mentioned in the purported instructions. The confirmation must include ‘either verification of the authenticity or accuracy of the transfer instruction by means of a call back to a predetermined number or the use of some other verification procedure and the assured must keep a written record of the verifications along with all elements of the fraudulent transfer instruction’. It is imperative for assureds to check their cyber insurance and or commercial crime policies to ensure they have adequate protection against phishing and other types of social engineering attacks as cyber criminals will continue to use these attack vectors to steal from companies.
 Civil Action No. 3:19-cv-1350-b (ND Tex Feb 24, 2021)
What happens if an assured fails to disclose to the insurer the fact that special conditions were imposed by another insurer as part of another insurance contract? Could that amount to an actionable non-disclosure under s. 18 of the Marine Insurance Act (MIA) 1906? This was the main issue in Niramax Group Ltd v. Zurich Insurance plc  EWHC 535 (Comm). The assured, Niramax, is a company carrying out the business of waste collection and waste cycling from various sites in north-east England. Niramax held a suite of insurance policies with the insurer, Zurich, which provided cover for a variety of risks relating to its plant and machinery. One of these policies was a contractor’s plant policy which provided all risks cover for a mobile plant owned by the assured (the Policy). Niramax also held buildings cover separately with a variety of other insurers. One of these insurers was Millennium Insurance. In the process of providing insurance cover for a building owned by Niramax in 2014, a risk survey report was prepared by Millennium which laid out seven risk requirements. One of these requirements was the installation of a fire suppression system at the main recycling facility of Niramax located at Hartlepool. Even though the assured was reminded by Millennium of the need to install the fire suppression system on several occasions, the system was never installed and as a result special conditions stipulated by the policy came into force on 22 October 2014 increasing the deductible to £ 250,000 and requiring Niramax to self-insure for thirty five percent of the balance of any loss.
In December 2014, Niramax renewed its policy with Zurich on the mobile plant. In 2015, Niramax acquired another mobile plant (Eggersmann plant) and in September 2015, Zurich was persuaded to amend the Policy to extend cover to the newly acquired plant until the renewal date of mid-December 2015. On 4 December 2015, a fire broke out at Niramax’s premises and the Eggersmann plant along with the other plant was destroyed. Niramax made a claim, which, at trial was valued at around £ 4.5 million, under the Policy. The majority of the claim related to the loss of the Eggersmann plant, which was valued around £ 4.3 million. Zurich refused to pay stating that it was entitled to avoid the Policy for material non-disclosure and/or misrepresentation. Niramax brought the current proceedings against Zurich.
It was held that the assured’s non-compliance with risk requirements under the buildings policy with Millennium and the imposition of special terms under that policy were materials facts which needed to be disclosed under s. 18(1) of the MIA 1906. However, the insurer (Zurich) failed to demonstrate that, if the facts had been fully disclosed, the Policy for the plant (effected in December 2014) would have been renewed. On the other hand, Zurich was able to demonstrate that, if the facts had been fully disclosed (especially imposition of special circumstances for the assured company (Niramax) by another insurer), the extension of cover for the Eggersmann plant would have been refused. Accordingly, it was held that the insurer, Zurich, was entitled to avoid the cover for the endorsement under the Policy and no indemnity was due for the loss of the Eggermanns plant. The insurer was required to return the premium received for the endorsement. Otherwise, the original Policy stood and the insurer was bound to indemnify Niramax for the items of mobile plant which were covered by the original Policy (as renewed in December 2014) and damaged in the fire.
Two comments are in order. First, it is interesting to see that the trial judge (Mrs Justice Cockerril) found that the original policy stood (i.e. there was no inducement) even though it would have not been written on the same terms (i.e. with higher premium to reflect the correct multiplier) if full disclosure had been made by the assured. This certainly raises an interesting question going forward on the application of the test of inducement and seems to be at odds with the sentiments expressed by Clarke, LJ, in Assicurazioni Generali SpA v. Arab Insurance Group  EWCA Civ 1642;  Lloyd’s Rep IR 131, at  (emphasis added): In order to prove inducement the insurer or reinsurer must show that the non-disclosure or misrepresentation was an effective cause of his entering into the contract on the terms on which he did. He must therefore show at least that, but for the relevant non-disclosure or misrepresentation, he would not have entered into the contract on those terms. On the other hand, he does not have to show that it was the sole effective cause of his doing so.
Second, the contract was obviously concluded before the Insurance Act 2015 (IA) came into force but is highly unlikely that the application of the AA 2015 would have led to a different outcome. The materiality test applicable under the IA 2015 (under s. 7(3) of the IA 2015) is practically the same and there is still a need to prove inducement for actionable non-disclosure under the 2015 Act.
Another cyber-attack labelled ‘Microsoft Exchange Email hacks’ hits the news again! This attack has been concerningly described as ‘zero day’ attack. A zero-day attack means that the points of vulnerability were unknown before the attack therefore the cyber-attack occurs on the same day that the weakness is discovered in the software. Like so many things happening around the world at this point, the race is on to get on top of these attacks which are believed to be state sponsored and cultivated in China by the hacking group Hafnium. Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world. It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that their system has been compromised and that there is a possibility that personal data has been exposed.
Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities in the server’s system to enter the Microsoft Exchange Server which is used by large corporations and public bodies across the world. The calendar software of governments and data centres were also compromised. The hackers also sometimes used stolen passwords to gain unauthorized access to the system. The hackers would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.
Tom Burts, a VP at Microsoft described in a sequential order how the attack was carried out;
First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
Second, it would create what’s called a web shell to control the compromised server remotely.
Third, it would use that remote access – run from the U.S. based private servers to steal data from an organization’s network.
What is not affected?
The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar services that’s included in commercial Office 365 and Microsoft 365 subscriptions.
In response Microsoft issued a software update for its 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cybersecurity Centre, the US and the Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.
But what does this mean for insurers?
This is an extra dent in the cyber security efforts of companies and public bodies yet another opportunity for a lesson to the insurance market of the potential global and high aggregate loss from just one attack. This incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. Similarly, it is another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever they may be. So far, the impact is widespread, and victims include organisations such as infectious disease researchers, law firms, higher education institutions, defence contractors, NGOs. Cybersecurity group Huntress has reported many of their partners servers have been affected and they include small businesses for example small hotels, ice cream company, senior citizen communities, banks, local government and electricity companies.
In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies will present their claims to insurers and how insurers will respond to claims from assured whose businesses may have been interrupted by the Exchange Email hacks.
There will be gaps and exclusions in these Business Interruption policies which may not provide adequate protection against cyber risks so it is the assured with a cyber risk policy / insurance coverage who will be the most protected during and after these attacks.
Applicable cyber insurance clauses and possible response of insurers
Most cyber insurance policies cover data loss and business interruption as a result of a security breach so this will not be much of an issue for assureds with cyber insurance coverage. There are exclusions in most cyber insurance policies which may leave an assured vulnerable when hacking of this nature (Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact further:
for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;
The inclusion of this or any clause with similar wording means the assured may not be covered for the expenses and cost incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the expenses or costs incurred to install the patches as recommended by Microsoft as these will be classified as updates or enhancement to the computer system beyond a level that which existed prior to the security breach.
We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:
Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.
ii. failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.
Third party providers
arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;
ii. The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.
Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’ to relieve the insurer of any liability to the assured? As software service providers of Microsoft 365 and Azure it will be no surprise to see claims being denied based on clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by the applying ejusdem generis rule in stating that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to Cambridge dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that the Microsoft Exchange Server qualifies as a software needed for a computer system to operate and communicate with other computers. Rather, the function of the Microsoft exchange server is to aid with email storage and calendaring and is unrelated to other operational functions necessary to communicate with other computers.
Certainly ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create less problems for the insurer to establish that the exclusion applies as this broad construction will exclude losses and expenses from incidents such as Microsoft Email Exchange Hack.
which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;
Since the Microsoft Exchange Email are believed to be carried out by Hafnium which is a government backed group, it is reasonable to identify them as agents of the government of China. Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for their loss or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.
Conclusion and the way forward
As aforementioned, it is early days and the real financial impact if any from these attacks are not yet known. However, what is certain is that hackers, whether state sponsored are not are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Therefore, companies and public bodies must continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks which unfortunately will happen at one point. Among those decisions should be the purchase of cyber insurance policies that addresses the needs of the business with particular attention being placed on the exclusions clauses and ensuring that as an assured you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone .
While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for those small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Therefore, larger corporations within the supply chain must offer their expertise to the small and medium sized businesses with which they trade to respond to this and other cyber security threats. Since Microsoft Exchange Online servers have not been affected, many small and medium sized businesses may begin to switch to using cloud-based email storage. However, this does not mean they will be immune from cyber-attacks.
Tokio Marine in their Cybersecurity Insurance Policy wording 0417 went as far as to include a list of reasonable steps that an insured should take to avoid / mitigate their loss and these along with government and industry guidelines should be a good starting point in your fight against cyber attacks and their debilitating impacts.
Reasonable steps to avoid Loss
The Insured shall protect its Computer system by:
a. having Virus protection software operating, correctly configured and regularly or automatically updated;
b. updating Computer systems with new protection patches issued by the original system or software manufacturer of supplier;
c. having a fire wall or similar configured device to control access to its Computer system;
d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;
e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;
f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;
g. taking regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;
h. having an operational system for logging and monitoring user activity on its Computer system;
i. remote wipe functionality is installed and enabled on all portable devices where such functionality is available
So far, P&I Insurance has operated continued to afford liability cover without any specific exclusions for incidents arising out of COVID-19. However, fixed premium and Charterers’ P&I covers are reinsured outside the International Group’s Pooling Agreement and with effect from 20.2.2021 and will be subject to the Coronavirus Exclusion Clause (LMA 5395) and The Cyber Endorsement (LMA 5403) in the Rules for Mobile Offshore Units (MOUs).
The coronavirus exclusion for marine and energy provides:
“This clause shall be paramount and shall override anything contained in this insurance inconsistent therewith.
This insurance excludes coverage for:
1) any loss, damage, liability, cost, or expense directly arising from the transmission or alleged transmission of:
a) Coronavirus disease (COVID-19);
b) Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2); or
c) any mutation or variation of SARS-CoV-2;
or from any fear or threat of a), b) or c) above;
2) any liability, cost or expense to identify, clean up, detoxify, remove, monitor, or test for
a), b) or c) above;
3) any liability for or loss, cost or expense arising out of any loss of revenue, loss of hire,
business interruption, loss of market, delay or any indirect financial loss, howsoever
described, as a result of any of a), b) or c) above or the fear or the threat thereof.
All other terms, conditions and limitations of the insurance remain the same.”
Gard have recently announced that they will offer Members and clients in respect of the categories of covers listed below a special extension of cover. The extension of cover (hereinafter referred to as the ‘Special Covid-19 Extension’) shall comprise liabilities, losses, costs and expenses falling within the scope of terms of entry agreed but for the Coronavirus Exclusion Clause (LMA 5395) and subject to a sub-limit of USD 10 million per ship or vessel per event. This extension does not apply to the Cyber Endorsement.
Financial Conduct Authority v. Arch Insurance (UK) and Others  UKSC 1
This was a test case brought by the Financial Conduct Authority (FCA) on behalf of holders of business interruption policies. During the spring national lock-down (in 2020), businesses which held such policies made claims from their insurers but most of these claims were denied on the premise that the wording used in such policies was not broad enough to provide indemnity to the policy holders. In particular, the focus turned on business interruption policies that provided cover for infectious and notifiable diseases (disease clauses) and prevention of access and public authority clauses and restrictions (prevention of access clauses). The FCA selected a representative sample of 21 types of policies issued by eight insurers for the test case. It is believed that the outcome of the case could be relevant for 370,000 businesses holding similar policies issued by 60 different insurers. The High Court delivered its judgment on 15 September  EWHC 2448 (Comm) mainly in favour of the assureds. Using leapfrog appeal procedure, the FCA and six insurers appealed to the Supreme Court composed of Lords Reed, Hodge, Briggs, Hamblen and Leggatt.
The judgment of the Supreme Court is very technical and lengthy (112 pages) but is no doubt a great victory for holders of such policies. The analysis below will focus on the key points made by the Supreme Court.
When a business interruption policy provides cover for losses emerging from “any occurrence of a Notifiable Disease within a radius of 25 miles of the premises” what does that exactly mean? Does it mean that cover is available for business interruption losses as long as it could be shown that they resulted from the occurrence of the disease within the radius? Or does the clause provide cover as long as there is one case of illness caused by the disease within that radius? Naturally, the former construction would restrict the limit of cover as in most cases it would be impossible to show that the losses resulted from the localised occurrence of the disease as opposed to the wider pandemic and government restrictions generally. The High Court went along with the latter construction which the Supreme Court was prepared to accept with a slightly different reasoning. The Supreme Court by making reference to the wording of the clause, especially the emphasis in the clause on “any occurrence of a Notifiable disease”, indicated that the wording of the clause is adequate to provide cover for the business interruption caused by any cases of illness resulting from Covid-19 that occur within 25 miles of the business premises.
Prevention of Access
It has been stressed that such clauses generally provide cover for business interruption losses resulting from public policy intervention preventing access to or use of the insured premises. A legal deliberation was necessary to determine the nature of public policy intervention required to trigger such clauses. The Supreme Court agreed with the High Court’s analysis on this point to the effect that “restrictions imposed” by a public authority should be understood as ordinarily meaning mandatory measures “imposed” by the authority pursuant to its statutory or other legal powers and the word “imposed” connotes compulsion and a public authority generally exercises compulsion through the use of such powers. On that premise, Prime Minister’s instructions in a public statement of 20 March 2020 to named businesses to close was capable of being a “restriction imposed” regardless of whether it was legally capable of being enforced as it was a clear, mandatory instruction given on behalf of the UK government.
In some hybrid policies a different wording is used such as “inability to use” or “prevention of access” or “interruption”. The Supreme Court was inclined to construe such wordings broadly. For example, in policies where the insurance provides cover when there is “inability to use” the premises, the Supreme Court was adamant that the requirement is satisfied either if the policyholder is unable to use the premises for a discrete part of its business activities or it is unable to use a discrete part of its premises for its business activities as in both of these situations there is a complete inability to use. This construction opens the door for businesses in hospitality sector which can do only take-away meals for the loss of their in-person business. Similarly, the Supreme Court rejected insurers’ argument that the hybrid policy that refer to “interruption” implies a “stop” or “break” to the business as distinct from an interference, holding that the ordinary meaning of “interruption” is capable of encompassing interference or disruption which does not bring about a complete cessation of business activities, and which may even be slight.
Insurers argued that traditional causation test applied in insurance law should not be adopted as the appropriate test in the context of construing relevant provisions of business interruption policies. Instead, it was argued, that is should be necessary to show, at a minimum, that the loss would not have been sustained “but for” the occurrence of the insured peril. In their view, it was necessary for the business to show that the insured peril had operated to cause the loss; otherwise due to the widespread nature of the pandemic it would be very easy for holders of such policies to show business interruption losses even if the insured risk had not occurred. The obvious objective for developing this contention was to limit the scope of cover provided by such policies as otherwise (if the traditional causation rules were to apply in this context) businesses operating in locations which have no or few cases of the illness could still recover under the policy even though the loss in those instances is caused by disruption occurring outside the radius (or nationally).
In developing their argument, insurers relied heavily on the decision in Orient-Express Hotels Ltd v Assicurazioni General SpA  EWHC 1186 (Comm);  Lloyd’s Rep IR 531. In that case, the claim was for business interruption losses caused by Hurricanes Katrina and Rita. The insured premises in question were a hotel in New Orleans. There was no dispute that the insured property suffered physical damage as a result of the hurricanes. When it came to the business interruption losses, however, insurers in Orient-Express case successfully argued that there was no cover because, even if the hotel had not been damaged, the devastation to the area around the hotel caused by the hurricanes was such that the business interruption losses would have been suffered in any event. Accordingly, the necessary causal test for the business interruption losses could not be met because the insured peril was the damage alone, and the event which caused the insured physical damage (the hurricanes) could be set up as a competing cause of the business interruption. The High Court chose to distinguish Orient Express from the current litigation on matters of construction. The Supreme Court went further and decided that Orient-Express was wrongly decided and should be overruled. Analysing the facts of Orient-Express case the Supreme Court reached the conclusion that business interruption loss arose there because both as a result of damage to the hotel and also damage to the surrounding area as a result of hurricanes. Therefore, there two concurrent causes were in operation, each of which was by itself sufficient to cause the relevant business interruption but neither of which satisfied the “but for” test because of the existence of the other. In such a case when both the insured peril and the uninsured peril which operates concurrently with it arise from the same underlying fortuity (i.e. the hurricanes), then provided that damage proximately caused by the uninsured peril (i.e. damage to the rest of the city) is not excluded, loss resulting from both causes operating concurrently is covered.
Accordingly, the Supreme Court rejected insurers’ argument, holding that the “but for” test was not determinative in ascertaining whether the test for causation has been satisfied under the insuring clauses analysed as part of the test case. The traditional principles of causation should, therefore, be applied. The Supreme Court on this point concluded at 
“there isnothing in principle or in the concept of causation which precludes an insured peril that in combination with many other similar uninsured events brings about a loss with a sufficient degree of inevitability from being regarded as a cause – indeed as a proximate cause – of the loss, even if the occurrence of the insured peril is neither necessary nor sufficient to bring about the loss by itself.”
Applying the traditional proximity test, essentially enables business to recover under such policies simply by proving a link between the local occurrences and the national reaction even if the “but for test” is not satisfied.
Some Further Remarks
The judgment is legally binding on the eight insurers that agree to be parties to the test case but it provides guidance for the interpretation of similar policy wordings and claims. However, it should not be ignored that there are still many policy wordings not tested or considered by this decision. There is no doubt that the decision is welcomed by businesses that have been adversely affected from the global pandemic and have failed to rely on their business interruption policies. Was this a case simply concerning construction of certain insurance contracts or other considerations (i.e. impact of the pandemic on social and economic life) played a significant role? The answer is probably the latter even though insurers throughout the litigation maintained that “one simply should not be allowed to rewrite an insurance contact to expand the scope of the indemnity”. But isn’t this the nature of test cases, i.e. judges are usually required to pass moral, ethical judgments on an issue that has significant implications on a part of the society? The global pandemic had significant implications on our lives and economy and at times like this it is inevitable that a judgment needs to be made as to where the economic loss resulting from the pandemic should fall. This is what the UK Supreme Court did here!
As expected the UK government has made a fresh declaration agreeing to be bound by the Hague Convention on Choice of Law 2005 in its own right from the end of the transition period at 11pm, UK time, on 31 December 2020. It states “With the intention of ensuring continuity of application of the 2005 Hague Convention, the United Kingdom has submitted the Instrument of Accession in accordance with Article 27(4) of the 2005 Hague Convention. Whilst acknowledging that the Instrument of Accession takes effect at 00:00 CET on 1 January 2021, the United Kingdom considers that the 2005 Hague Convention entered into force for the United Kingdom on 1 October 2015 and that the United Kingdom is a Contracting State without interruption from that date.”
It has also made a reservation under art 21 of the Convention that it will not apply the Convention to insurance contracts except as stated below.
(a) where the contract is a reinsurance contract;
(b) where the choice of court agreement is entered into after the dispute has arisen;
(c) where, without prejudice to Article 1 (2) of the Convention, the choice of court agreement is concluded between a policyholder and an insurer, both of whom are, at the time of the conclusion of the contract of insurance, domiciled or habitually resident in the same Contracting State, and that agreement has the effect of conferring jurisdiction on the courts of that State, even if the harmful event were to occur abroad, provided that such an agreement is not contrary to the law of that State;
(d) where the choice of court agreement relates to a contract of insurance which covers one or more of the following risks considered to be large risks:
(i) any loss or damage arising from perils which relate to their use for commercial purposes, of, or to:
(a) seagoing ships, installations situated offshore or on the high seas or river, canal and lake vessels;
(c) railway rolling stock;
(ii) any loss of or damage to goods in transit or baggage other than passengers’ baggage, irrespective of the form of transport;
(iii) any liability, other than for bodily injury to passengers or loss of or damage to their baggage, arising out of the use or operation of:
(a) ships, installations or vessels as referred to in point (i)(a);
(b) aircraft, in so far as the law of the Contracting State in which such aircraft are registered does not prohibit choice of court agreements regarding the insurance of such risks;
(c) railway rolling stock;
(iv) any liability, other than for bodily injury to passengers or loss of or damage to their baggage, for loss or damage caused by goods in transit or baggage as referred to in point (ii);
(v) any financial loss connected with the use or operation of ships, installations, vessels, aircraft or railway rolling stock as referred to in point (i), in particular loss of freight or charter-hire;
(vi) any risk or interest connected with any of the risks referred to in points (i) to (v);
(vii) any credit risk or suretyship risk where the policy holder is engaged professionally in an industrial or commercial activity or in one of the liberal professions and the risk relates to such activity;
(viii) any other risks where the policy holder carries on a business of a size which exceeds the limits of at least two of the following criteria:
(a) a balance-sheet total of EUR 6,2 million;
(b) a net turnover of EUR 12,8 million;
(c) an average number of 250 employees during the financial year.
2. The United Kingdom of Great Britain and Northern Ireland declares that it may, at a later stage in the light of the experience acquired in the application of the Convention, reassess the need to maintain its declaration under Article 21 of the Convention.”
Last year we commented on Young v. Royal and Sun Alliance plc  CSOH 32 which was the first case to be decided under the Insurance Act (IA) 2015. The Scottish appeal court (Inner House, Court of Session) has recently upheld the first instance decision  CSIH 25.
Let us remind our readers the facts of the case briefly. The co-assureds (Mr Young and Kaim Park Investments Ltd, a company of which Mr Young was a director) brought a claim of £ 7.2 million for extensive fire damage to commercial premises insured. The insurer, Royal and Sun Alliance plc, rejected the claim on the basis that the assured failed to disclose material information in breach of the duty of fair presentation under the Insurance Act (IA) 2015. The policy had been entered through an insurance broker. The assured was requested by the insurance broker to fill in a proposal form which was prepared using the broker’s software. One part of the proposal form required the proposer to select from various options in a drop-down menu. The instruction read: “Select any of the following that apply to any proposer, director or partner of the Trade or Business or its Subsidiary Companies if they have ever, either personally or in any business capacity: …” The drop-down menu that followed this instruction included an option that any of the persons identified had been declared bankrupt or insolvent. Neither Mr Young nor Kaim Park Investments had been declared bankrupt or insolvent, however, Mr Young had previously been a director of four other companies which had entered into insolvency. The option which was selected on the proposal form was “None”. Accordingly, the proposal forwarded to the insurer showed the option selected, i.e. “None”, and the list of persons to which the declaration related. Once receiving the presentation, the insurer sent an e-mail to the brokers providing a quote for cover and a list of conditions. The conditions, inter alia, included: “Insured has never been declared bankrupt or insolvent.”
Before the commercial judge, Lady Wolffe, the assured’s argument was that the insurer’s e-mail response amounted to a waiver by the insurer of its right to receive the undisclosed information regarding the four insolvent companies. Section 3(5)(e) of the IA stipulates that the assured is not required to disclose a circumstance “if it is something as to which the insurer waives information.”
It needs to be stressed that the introduction of the IA 2015 does not alter the legal position with regard to waiver established by case law pre-dating the 2015 Act. On that basis, with reference to Doheny v. New India Assurance Co  1 All ER (Comm) 382, the commercial judge indicated that waiver could be established in a case where the insurer had asked a “limiting question” such that the assured could reasonably infer that the insurer had no interest in knowing information falling outwith the scope of the question. The classic example is where the proposal form asks about convictions within the last 5 years and which can instruct waiver of information about convictions more than 5 years ago. This was not held to be the case here and accordingly it was held that there was no waiver on the part of the insurer with regard to the information not fully disclosed (i.e. the involvement of Mr Young in four insolvent companies).
The assured appealed. The main argument brought forward by the assured was that by showing that it was interested in one aspect of Mr Young’s experience of insolvency, the insurer had impliedly demonstrated that it was not interested in others, and, therefore restricted Mr Young’s duty of disclosure. The Court of Session indicated that the commercial judge successfully identified relevant legal principles in that to found implied waiver of the insurer of this nature it is necessary to show that it made an inquiry directing the assured to provide certain information but no other information. This means that the appeal turned on the construction of a single email sent by the insurer to the brokers when providing a quote (during the pre-contractual stage). The Inner Court found that there was nothing in the email that amounted to an inquiry. Essentially, the insurers were responding to the broker’s request to provide a quotation based on the information provided. The response of the insurers in the relevant email was, therefore, an offer to insure on a variety of terms and conditions. It was not an inquiry and did not amount to limited concern of Mr Young’s past experience of insolvency that excluded the undisclosed information from which he was required to disclose for fair presentation of the risk. The insurer was accordingly entitled to avoid the policy.
It is hard to suggest that the case establishes any novel point with regard to “implied waiver” of the duty of disclosure on the part of the assured by the insurer. Although, this is a Scottish case, it is very much in line with the pre-Act English law authorities and essentially turns on the impression an insurer’s response to a disclosure might create on the mind of a reasonable assured. If it can be said that insurer’s answer amounts to an inquiry (judged from the perspective of a reasonable assured) there could be a possibility of arguing that the relevant assured could infer that the insurer had no interest in knowing information falling outside the scope of that inquiry. Otherwise, there will be no issue of waiver by asking “limiting questions”. The judgment is obviously not binding on English courts but one suspects that it is one that will be referred to not only because it is the first case under the IA 2015 but also as it relies on principles developed by English courts pre-dating the IA 2015 which obviously remain relevant at least in the context of establishing “waiver of disclosure” by the insurer.