Insurance Implications of “Phishing”!

Phishing Emails - How to Protect Your Customers When Using E-Signature |  OneSpan

The 2Cs, COVID-19 and cyber risks, 2 plagues of our generation, both of which command global interest and competes in both print and online media for daily headlines. They also have one thing in common, they are highly misunderstood and mutates ever so often. For these and other reasons, governments and business stakeholders have invested heavily in developing safety guidelines to mitigate the loss and damages arising directly or indirectly from cyber risks and COVID19. While governments have made some progress in the fight against COVID-19 through the vaccine administration, cyber risks on the other hand is mutating at such a rate where it almost impossible to keep up and the shipping and insurance industries are just as vulnerable to cyber risks as any other industry.  Here we will briefly discuss phishing, often described as the most widespread and pernicious cyber-attack technique, but the discussion will be centered around the decision of the U.S. District Court for the Northern District of Texas  in RealPage v National Union Fire Insurance Company of Pittsburgh and Beazley Insurance Company[1].

BIMCO in its guidelines on cybersecurity risks onboard ships describes phishing as encompassing the sending of emails to many potential targets asking for pieces of sensitive or confidential information. The email may also contain a malicious attachment or request that a person visits a fake website using a hyperlink included in the mail. A distinguishing feature of phishing is that attackers pretend to be a real and trusted person or company that the victim usually or have had business relations. It is reported in the Cyber Security Breaches Survey 2020, that phishing attacks are the most common attack vector used by cyber criminals and that between 2017 and 2020 there has been a rise in the number of businesses experiencing a phishing attacks from 72% to 86% whereas there has been a fall in viruses and other malware from 33% to 16%.[2] Since phishing is such a constant threat to businesses, it is understandable why insurers see the need to cater for this risk in their cyber insurance policies and or other commercial crime policies.

Facts of RealPage case:

RealPage provides several services for their clients who are property owners and managers of real estate. The clients entered contracts with RealPage authorizing it to act as agents on their behalf, and to manage and collect monies debited from their customers’ accounts, and to credit the client’s identified bank account. The tenants authorized the transactions processed by RealPage and this was communicated to RealPage by their clients. RealPage then contracted with Stripe to provide software services that enable payment processing and related functions.

The payment process involved the following:

  1. A tenant would log in to an interface called “Resident Passport” to make a payment to one of RealPage’s clients.
  2. Upon initiation of a payment by a tenant, RealPage would send application programming interface (API) calls[3] to Stripe’s server either through Stripe Dashboard or the On-Site application.
  3. Upon receipt of an API call, for an automated clearing house (ACH) transaction, Stripe would send instructions to its bank, Wells Fargo to process the ACH transfer that would pull money from the tenant’s bank account and place these funds in Stripe’s Wells Fargo bank account.
  4. Thereafter, Stripe would direct Wells Fargo to complete another ACH transfer to pay these funds to the clients in accordance with RealPage’s instructions.

The funds held in Stripe’s accounts were for the benefit of its users and merchants such as RealPage. If there was a balance owed to a client of RealPage, the funds for that client in Stripes account would be for the benefit of the said client. RealPage had no rights to the funds held in Stripes account. RealPage was not entitled to draw funds and did not receive interest from funds maintained in the account. RealPage contracts describes the relationship with Stripes as independent contractors. One exception where Stripe operates as an agent is holding funds that are owed to RealPage

The hackers used targeted phishing to obtain and alter the account credential of a RealPage employee. They then used those credentials to access the Stripe Dashboard and alter RealPage’s fund disbursement instructions to Stripe. The hackers diverted over $10 million that was not yet disbursed to clients. RealPage discovered the fraud, contacted Stripe and directed them to reverse the payments and freeze outgoing payments. RealPage was unable to recover over $6 million of the funds. RealPage refunded clients for lost funds.

Insurance Policies with National Union and Beazley

At the time of the attack, RealPage had a commercial crime policy with National Union and an Excess Fidelity and Crime Policy from Beazley. The Excess Policy provides a $5,000,000 limit of liability “for any loss which triggers coverage under the Commercial Crime Policy.  Therefore, any recovery under the Excess policy was dependent on RealPage successfully making a claim under the Commercial Crime Policy. The following provisions of the Commercial Crime Policy are the most relevant

Ownership of Property; Interests Covered:

The property covered under this policy is limited to property:

(1) That you own or lease; or

(2) That you hold for others whether or not you are legally liable for the

loss of such property.

Computer Fraud:

We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:

a. To a person (other than a “messenger”) outside those “premises”; or

b. To a place outside those “premises”.

Funds Transfer Fraud:

We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.

Insurance Claims and Responses

RealPage claim for the funds lost under the policy but National Union was only willing to reimburse the transactional fees owed to Real Page. With respect to the diverted funds that were owed to RealPage clients, National Union concluded that based on their preliminary analysis, RealPage did not own or hold the funds and thus was not entitled to coverage. As a result of National Union’s denial of coverage, RealPage filed a claim seeking a declaration of judgment for the funds fraudulently diverted and lost as a result of the phishing attack.

Court Proceedings

The main issue for the court was ‘whether RealPage is entitled to coverage under commercial crime insurance policies for the loss of its clients’ funds which were diverted through a phishing scheme’? In answering this question, the central issue is whether RealPage held these funds despite its use of a third-party processor, Stripe Inc? After an extensive discussion of the meaning given to the word ‘hold’, it was accepted that there must be possession and not necessarily ownership of an item. Accordingly, the court held that RealPage did not suffer a direct loss as required under the policy as they did not hold the funds at the time of the phishing attack  and in so doing the court decided in National Union and Beazley’s favour granting them summary judgment.

RealPage argued that the policy was expansive enough to cover property they held. They also reasoned that since they had the authority to direct Stripe as to where the funds should go, they ‘held’ the funds. The court rejected this line of reasoning by stating ‘hold’ cannot be reduced to simply the ability to direct but required some sort of possession of property. By applying the ordinary meaning of ‘hold’, Real page was not in possession of the funds. The funds were in Stripes account at Well Fargo and not RealPage up to the time it was diverted to the hackers account. RealPage ability to direct the transfer of the funds does not amount to holding the funds. Furthermore, RealPage had no rights to the funds in the account, could not withdraw the funds and held in the same account as those of other Stripe users.

RealPage had to also establish that they had suffered loss resulting directly from computer fraud or funds transfer fraud. Since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required under the Policy.

Insurance implications

While we acknowledge that this decision is not binding on the courts in the UK, it cannot be denied that many of the practices within the UK cyber insurance market are influenced by what happens in the more mature US market. Furthermore, many of the insurance companies including Beazley who are leading the way in the UK as cyber insurance providers also have parent companies, branch offices or subsidiaries operating in the USA. So, while the decision is not binding, it will certainly be persuasive or at the very least leave an indelible lesson for both assureds and insurers to seek clarity and modify policy clauses relating to loss or damage from phishing or other social engineering attacks.

If a higher court was to approve this judgement and a similar practice is adopted in the UK by insurers, it will be very difficult for assureds who use third party providers to assist them with payment transfers and other transactions to successfully claim an indemnity from their insurers relying on similar policy wording. This would mean even though the assured’s system was breached when the employee inadvertently shared their confidential account details and though the phishing diverted funds belonging to clients of the assured, a policy bearing similar clauses as those provided above, would not respond since the outcome of the claim would be totally dependent on the definition of ‘hold’ and what was considered to be in the possession of the assured as per the requirement of the policy at the time the funds were fraudulently diverted.

To prevent such a harsh outcome for assureds, it is recommended that assures negotiate with their brokers for their cyber insurance policies or commercial crime policies to include words which would cover situations where funds are being held in the account of an agent or third-party contractor.  In so doing, the policy wording could be modified to include not just funds the assured ‘hold or owns’ but to also cover ‘loss of funds for which they have authority to direct’.

Variations in policy wording – UK

  1. Cyber Crime[4]
  2. We will indemnify you in respect of the following for loss by theft committed on or after the Retroactive Date stated in the schedule which is first discovered during the period of insurance and notified to us in accordance with Claims conditions applicable to Section B:

i)   assets due to any fraudulent or dishonest misuse or manipulation by a third party of the computer system operated by you

ii)  your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic, telegraphic, cable, telephone or email instructions todebit such account and to transfer, pay or deliver funds from such account and which instructions purportto have come from you but which are fraudulently altered, transmitted or issued by a third party or are

a forgery.

  • In the event that any party other than an insured person enters into an agreement with a third party  entity pretending to be you we will pay reasonable fees and costs to establish that such fraud has occurred should the third party seek to enforce such agreements against you provided that such loss is first discovered and is notified to us during the period of insurance.

The words provided in clause 1a (ii) will cause a different outcome when compared to how property was defined and what was decided by the court in RealPage. In RealPage the National Union insurance policy defined ‘property’ as that i) owned or leased by the assured or ii) that you hold for others whether or not you are legally liable for the loss of such property’. Whereas, under Section B- Crime, clause 1a (ii) of Zurich Cyber Policy, the assured will be indemnified for ‘your funds or those for which you are responsible at law from account maintained by you at a financial institution following fraudulent electronic … or email instructions to debit such account and to transfer’. The difference with the Zurich policy is that unlike the National Union policy in RealPage, there is no requirement for the assured to ‘hold’ the funds in the literal sense of the word. Furthermore, under the Zurich policy the insurer will only indemnify the assured if funds are either his or those for which he is responsible at law. This is different in RealPage as the National Union policy will cover property that the assured hold for others whether or not he is legally liable for the loss. Another distinguishing feature between the two policies is that in the Zurich policy the insurer will cover funds from an account maintained by the assured at a financial institution.

This latter feature has similar meaning to ‘hold’ as interpreted by the court in RealPage. If we consider for example, maintenance of a bank account, this includes holding and transferring funds within the account and the execution of other control mechanisms to ensure that the account remains active and in good financial standing. However, others may argue that ‘an account maintained by the assured at a financial institution’ should be given a wider meaning in that even accounts owned or held by a third party at a financial institution may be maintained by the assured. In other words, maintenance of an account does not necessarily mean that the funds must be held or are being held by the assured as was decided in RealPage. If this interpretation should be applied to the facts in RealPage, it is reasonable to conclude that the insurers would have been held liable to indemnify the assured since the monies in the account held by Stripe Inc was the legal responsibility of RealPage. Moreover, if the account was used solely to hold funds related to RealPage business there should be no logical explanation as to why it cannot be accepted that RealPage is maintaining the account in accordance with Zurich policy wording. Either way, the ambiguity and possibility of a trial will be removed if the parties clearly defined and explained what it meant by ‘maintenance of account’.

For those businesses without a cyber insurance policy, coverage may be acquired under their commercial crime policy. Below is an example of a clause covering this type of loss that can be found in most crime policies:

Computer Fraud and Funds Transfer Fraud[5]

The Insurer shall indemnify the Insured for:

1. loss of or damage to Money, Securities or Property resulting directly from

Computer Fraud committed solely by a Third Party; or

2. loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting directly from Funds Transfer Fraud committed solely by a

Third Party.

Funds Transfer Fraud” means fraudulent written, electronic, telegraphic, cable, teletype

or telephone instructions by a Third Party issued to a Financial Institution directing such

institution to transfer, pay or deliver Money or Securities from any account maintained by

an Insured at such institution, without the Insured’s knowledge or consent.[6]

Some crime policies in their definition section provide that a “Transfer Account” means an account maintained by the Insured at a Financial Institution from which the Insured can initiate the transfer, payment or delivery of Money or Securities.”[7] Like the Zurich policy, the implications of the clause will turn on the meaning assigned to ‘maintenance of an account’ as discussed above.

Funds transfer fraud is also covered in Beazley Commercial Crime Insurance Module[8]:

Fund transfer fraud means the transfer of money, securities or other property due to electronic data, computer programs or electronic or telephonic transfer communications within a computer system operated by the insured having been dishonestly, fraudulently, maliciously or criminally modified, replicated, corrupted, altered, deleted, input, created, or prepared.

Fund transfer fraud does not include loss due to social engineering fraud.

Based on this definition and the exclusion of social engineering from Fund transfer fraud, an assured in RealPage’s position could not rely on the Funds transfer clause under their commercial crime policy. Instead, the assured would need to rely on the social engineering fraud clause (where not excluded), variations of which are found in most cyber insurance policies.

Social Engineering Fraud[9] means the insured having authorised, directed or acknowledged the transfer, payment, delivery or receipt of funds or property based on:

  • an electronic or telephonic transfer communication which dishonestly, fraudulently, maliciously or criminally purports to be, but is not, from a customer of the insured, another office or department of the insured, a financial organisation or vendor; or
  •  a written or printed payment instruction obtained by fraudulent impersonation.

In some policies for example Zurich Cyber Policy, an obligation is placed on the assured to confirm the validity of the transfer instructions before actions are taken to send the funds to the account mentioned in the purported instructions. The confirmation must include ‘either verification of the authenticity or accuracy of the transfer instruction by means of a call back to a predetermined number or the use of some other verification procedure and the assured must keep a written record of the verifications along with all elements of the fraudulent transfer instruction’.[10]  It is imperative for assureds to check their cyber insurance and or commercial crime policies to ensure they have adequate protection against phishing and other types of social engineering attacks as cyber criminals will continue to use these attack vectors to steal from companies.


[1] Civil Action No. 3:19-cv-1350-b (ND Tex Feb 24, 2021)

[2] Department for Digital, Culture, Media & Sport, ‘Cybersecurity breaches survey 2020’ (March 2020) <https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020 > accessed 31 March 2021.

[3] The API calls sent from RealPage to Stripe provided information about the tenant’s account, the client’s destination account and the amount due to the client.

[4] Zurich Insurance plc, ‘Cyber Policy: Section B – Crime’ (2020) 29 < https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber  > accessed 8 April 2021.

[5] Beazley Inc, ‘Crime Insurance Policy: Insuring Clause 1F’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[6] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition EE’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[7] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition P’ (BICCR00020411)<https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[8] Beazley Inc, ‘Commercial Crime Insurance Module (Lloyds Syndicate) Clause F: Definitions’

<https://www.beazley.com/documents/Wordings/Commercial%20Crime%20Module%20%28Lloyd%27s%20syndicate%29.pdf > accessed 9 April 2021.

[9] Ibid.

[10] Zurich Insurance plc, ‘Cyber Policy: Conditons application to Section B – 7 Social Engineering Cover’ (2020) 31

< https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber  > accessed 8 April 2021.

P&I Fixed Premium Renewals. Coronavirus exclusion clause to apply.

So far, P&I Insurance has operated continued to afford liability cover without any specific exclusions for incidents arising out of COVID-19. However, fixed premium and Charterers’ P&I covers are reinsured outside the International Group’s Pooling Agreement and with effect from 20.2.2021 and will be subject to the Coronavirus Exclusion Clause (LMA 5395) and The Cyber Endorsement (LMA 5403) in the Rules for Mobile Offshore Units (MOUs).

The coronavirus exclusion for marine and energy provides:

“This clause shall be paramount and shall override anything contained in this insurance inconsistent therewith.

This insurance excludes coverage for:

1) any loss, damage, liability, cost, or expense directly arising from the transmission or alleged transmission of:

a) Coronavirus disease (COVID-19);

b) Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2); or

c) any mutation or variation of SARS-CoV-2;

or from any fear or threat of a), b) or c) above;

2) any liability, cost or expense to identify, clean up, detoxify, remove, monitor, or test for

a), b) or c) above;

3) any liability for or loss, cost or expense arising out of any loss of revenue, loss of hire,

business interruption, loss of market, delay or any indirect financial loss, howsoever

described, as a result of any of a), b) or c) above or the fear or the threat thereof.

All other terms, conditions and limitations of the insurance remain the same.”

Gard have recently announced that they will offer Members and clients in respect of the categories of covers listed below a special extension of cover. The extension of cover (hereinafter referred to as the ‘Special Covid-19 Extension’) shall comprise liabilities, losses, costs and expenses falling within the scope of terms of entry agreed but for the Coronavirus Exclusion Clause (LMA 5395) and subject to a sub-limit of USD 10 million per ship or vessel per event. This extension does not apply to the Cyber Endorsement.

Hague Convention 2005. After the transition period.

As expected the UK government has made a fresh declaration agreeing to be bound by the Hague Convention on Choice of Law 2005 in its own right from the end of the transition period at 11pm, UK time, on 31 December  2020. It states “With the intention of ensuring continuity of application of the 2005 Hague Convention, the United Kingdom has submitted the Instrument of Accession in accordance with Article 27(4) of the 2005 Hague Convention. Whilst acknowledging that the Instrument of Accession takes effect at 00:00 CET on 1 January 2021, the United Kingdom considers that the 2005 Hague Convention entered into force for the United Kingdom on 1 October 2015 and that the United Kingdom is a Contracting State without interruption from that date.”

It has also made a reservation under art 21 of the Convention that it will not apply the Convention to insurance contracts except as stated below.

(a) where the contract is a reinsurance contract;

(b) where the choice of court agreement is entered into after the dispute has arisen;

(c) where, without prejudice to Article 1 (2) of the Convention, the choice of court agreement is concluded between a policyholder and an insurer, both of whom are, at the time of the conclusion of the contract of insurance, domiciled or habitually resident in the same Contracting State, and that agreement has the effect of conferring jurisdiction on the courts of that State, even if the harmful event were to occur abroad, provided that such an agreement is not contrary to the law of that State;

(d) where the choice of court agreement relates to a contract of insurance which covers one or more of the following risks considered to be large risks:

(i) any loss or damage arising from perils which relate to their use for commercial purposes, of, or to:

          (a) seagoing ships, installations situated offshore or on the high seas or river, canal and lake vessels;

          (b) aircraft;

          (c) railway rolling stock;

(ii) any loss of or damage to goods in transit or baggage other than passengers’ baggage, irrespective of the form of transport;

(iii) any liability, other than for bodily injury to passengers or loss of or damage to their baggage, arising out of the use or operation of:

         (a) ships, installations or vessels as referred to in point (i)(a);

         (b) aircraft, in so far as the law of the Contracting State in which such aircraft are registered does not prohibit choice of court agreements regarding the insurance of such risks;

         (c) railway rolling stock;

(iv) any liability, other than for bodily injury to passengers or loss of or damage to their baggage, for loss or damage caused by goods in transit or baggage as referred to in point (ii);

(v) any financial loss connected with the use or operation of ships, installations, vessels, aircraft or railway rolling stock as referred to in point (i), in particular loss of freight or charter-hire;

(vi) any risk or interest connected with any of the risks referred to in points (i) to (v);

(vii) any credit risk or suretyship risk where the policy holder is engaged professionally in an industrial or commercial activity or in one of the liberal professions and the risk relates to such activity;

(viii) any other risks where the policy holder carries on a business of a size which exceeds the limits of at least two of the following criteria:

          (a) a balance-sheet total of EUR 6,2 million;

          (b) a net turnover of EUR 12,8 million;

          (c) an average number of 250 employees during the financial year.

2. The United Kingdom of Great Britain and Northern Ireland declares that it may, at a later stage in the light of the experience acquired in the application of the Convention, reassess the need to maintain its declaration under Article 21 of the Convention.”

Fair Presentation of the Risk and Waiver- Latest from Scotland on the Insurance Act 2015

Last year we commented on Young v. Royal and Sun Alliance plc [2019] CSOH 32 which was the first case to be decided under the Insurance Act (IA) 2015. The Scottish appeal court (Inner House, Court of Session) has recently upheld the first instance decision [2020] CSIH 25.

Let us remind our readers the facts of the case briefly. The co-assureds (Mr Young and Kaim Park Investments Ltd, a company of which Mr Young was a director) brought a claim of £ 7.2 million for extensive fire damage to commercial premises insured. The insurer, Royal and Sun Alliance plc, rejected the claim on the basis that the assured failed to disclose material information in breach of the duty of fair presentation under the Insurance Act (IA) 2015. The policy had been entered through an insurance broker. The assured was requested by the insurance broker to fill in a proposal form which was prepared using the broker’s software. One part of the proposal form required the proposer to select from various options in a drop-down menu. The instruction read: “Select any of the following that apply to any proposer, director or partner of the Trade or Business or its Subsidiary Companies if they have ever, either personally or in any business capacity: …” The drop-down menu that followed this instruction included an option that any of the persons identified had been declared bankrupt or insolvent. Neither Mr Young nor Kaim Park Investments had been declared bankrupt or insolvent, however, Mr Young had previously been a director of four other companies which had entered into insolvency. The option which was selected on the proposal form was “None”. Accordingly, the proposal forwarded to the insurer showed the option selected, i.e. “None”, and the list of persons to which the declaration related. Once receiving the presentation, the insurer sent an e-mail to the brokers providing a quote for cover and a list of conditions. The conditions, inter alia, included: “Insured has never been declared bankrupt or insolvent.

Before the commercial judge, Lady Wolffe, the assured’s argument was that the insurer’s e-mail response amounted to a waiver by the insurer of its right to receive the undisclosed information regarding the four insolvent companies. Section 3(5)(e) of the IA stipulates that the assured is not required to disclose a circumstance “if it is something as to which the insurer waives information.”

It needs to be stressed that the introduction of the IA 2015 does not alter the legal position with regard to waiver established by case law pre-dating the 2015 Act. On that basis, with reference to Doheny v. New India Assurance Co [2005] 1 All ER (Comm) 382, the commercial judge indicated that waiver could be established in a case where the insurer had asked a “limiting question” such that the assured could reasonably infer that the insurer had no interest in knowing information falling outwith the scope of the question. The classic example is where the proposal form asks about convictions within the last 5 years and which can instruct waiver of information about convictions more than 5 years ago. This was not held to be the case here and accordingly it was held that there was no waiver on the part of the insurer with regard to the information not fully disclosed (i.e. the involvement of Mr Young in four insolvent companies).

_109147621_courtofsession_frame_92130

The assured appealed. The main argument brought forward by the assured was that by showing that it was interested in one aspect of Mr Young’s experience of insolvency, the insurer had impliedly demonstrated that it was not interested in others, and, therefore restricted Mr Young’s duty of disclosure. The Court of Session indicated that the commercial judge successfully identified relevant legal principles in that to found implied waiver of the insurer of this nature it is necessary to show that it made an inquiry directing the assured to provide certain information but no other information. This means that the appeal turned on the construction of a single email sent by the insurer to the brokers when providing a quote (during the pre-contractual stage). The Inner Court found that there was nothing in the email that amounted to an inquiry. Essentially, the insurers were responding to the broker’s request to provide a quotation based on the information provided. The response of the insurers in the relevant email was, therefore, an offer to insure on a variety of terms and conditions. It was not an inquiry and did not amount to limited concern of Mr Young’s past experience of insolvency that excluded the undisclosed information from which he was required to disclose for fair presentation of the risk. The insurer was accordingly entitled to avoid the policy.

It is hard to suggest that the case establishes any novel point with regard to “implied waiver” of the duty of disclosure on the part of the assured by the insurer. Although, this is a Scottish case, it is very much in line with the pre-Act English law authorities and essentially turns on the impression an insurer’s response to a disclosure might create on the mind of a reasonable assured. If it can be said that insurer’s answer amounts to an inquiry (judged from the perspective of a reasonable assured) there could be a possibility of arguing that the relevant assured could infer that the insurer had no interest in knowing information falling outside the scope of that inquiry. Otherwise, there will be no issue of waiver by asking “limiting questions”. The judgment is obviously not binding on English courts but one suspects that it is one that will be referred to not only because it is the first case under the IA 2015 but also as it relies on principles developed by English courts pre-dating the IA 2015 which obviously remain relevant at least in the context of establishing “waiver of disclosure” by the insurer.

Prestige 3.0 — the saga continues

The Spanish government and SS Mutual are clearly digging in for the long haul over the Prestige pollution debacle eighteen years ago. To recap, the vessel at the time of the casualty was entered with the club under a contract containing a pay to be paid provision and a London arbitration clause. Spain prosecuted the master and owners and, ignoring the arbitration provision, came in as partie civile and recovered a cool $1 bn directly from the club in the Spanish courts. The club meanwhile obtained an arbitration award in London saying that the claim against it had to be arbitrated not litigated, which it enforced under s.66 of the AA 1996 and then used in an attempt to stymie Spain’s bid to register and enforce its court judgment here under Brussels I (a bid now the subject of proceedings timed for this coming December).

In the present proceedings, London Steam-Ship Owners’ Mutual Insurance Association Ltd v Spain (M/T PRESTIGE) [2020] EWHC 1582 (Comm) the club sought essentially to reconvene the arbitration to obtain from the tribunal an ASI against Spain and/or damages for breach of the duty to arbitrate and/or abide by the previous award, covering such things as its costs in the previous s.66 proceedings. By way of machinery it sought to serve out under s 18 of the 1996 Act. Spain claimed sovereign immunity and said these further claims were not arbitrable.

The immunity claim nearly succeeded, but fell at the last fence. There was, Henshaw J said, no agreement to arbitrate under s.9 of the State Immunity Act 1978, which would have sidelined immunity: Spain might be bound not to raise the claim except in arbitration under the principle in The Yusuf Cepnioglu [2016] EWCA Civ 386, but this did not amount to an agreement to arbitrate. Nor was there, on the facts, any submission within s.2. However, he then decided that s.3, the provision about taking part in commercial activities, was applicable and allowed Spain to be proceeded against.

Having disposed of the sovereign immunity point, it remained to see whether the orders sought against Spain — an ASI or damages — were available in the arbitration. Henshaw J thought it well arguable that they were. Although Spain could not be sued for breach of contract, since it had never in so many words promised not to sue the club, it was arguable that neither Brussels I nor s.13 of the 1978 Act barred the ASI claim in the arbitration, and that if an ASI might be able to be had, then there must be at least a possibility of damages in equity under Lord Cairns’s Act.

No doubt there will be an appeal. But this decision gives new hope to P&I and other interests faced with opponents who choose, even within the EU, to treat London arbitration agreements as inconsequential pieces of paper to be ignored with comparative immunity.

“The Brillante Virtuoso Was Scuttled by Those Operating under the Instructions of the Owner” is the View of the Commercial Court

On 21 February 2019, a piece was published on this blog posing the question: “What really happened to the Brillante Virtuoso”? A meticulously drafted judgment of Teare, J ([2019] EWHC 2599 (Comm)) provides an answer to that burning question.

Now briefly the facts!  On 5 July 2011, on route to China with a cargo of fuel oil, the Brillante Virtuoso was boarded by pirates off Gulf of Aden. The pirates directed the vessel to Somalia but when the engine stopped and could not be re-started, they allegedly placed a detonator in the engine room causing huge damage to the vessel. The vessel was insured for $US 55 million with an additional $US 22 million increased cover with ten Lloyd’s underwriters. The underwriters refused to indemnify the assured (Suez Fortune Investments Ltd). The assured and its bank (Pireus Bank AE) as a co-assured under a composite policy brought a claim against the insurers.

Image result for the brillante virtuoso

In the first stage of the trial, the claimants were successful and Flaux, J, (as he then was) held that the vessel was a constructive total loss under s. 60(2)(i) of the Marine Insurance Act 1906 as she was damaged by an insured peril and the cost of repairs would exceed the insured value of the ship when repaired [2015] EWHC 42 (Comm).  In 2015, war risk underwriters alleged wilful misconduct. As the case proceeded the owner of the vessel, Mr Marios Iliopoulos, declined to provide electronic documents related to the case to his own counsel or to the counsel of underwriters, raising questions for the court. In 2016, the owner’s claim was struck out for a failure to comply with disclosure obligations and Flaux, J, was adamant that Mr Iliopoulos had invented a false story in an attempt to explain his failure to make disclosure. The claim was then pursued by the bank alone. The underwriters resisted the claim put forward by the bank alleging that the loss was caused deliberately by the assured and hence was not covered by the policy.  

The case does not alter established legal principles in any significant manner. The burden of proving wilful misconduct or scuttling, on balance of probabilities, lies upon the insurers and as stressed by Neill, LJ, in The Captain Panagos DP [1989] 1 Lloyd’s Reports 33 at p. 43, “an inference of the owner’s guilt can properly be drawn if the probabilities point clearly and irresistibly towards his complicity.” On that premise, Teare, J, was convinced that the cause of loss was on balance of probability was “wilful miscounduct” of the assured. He pointed out to several inconsistencies in the owners’ account of the attack. For example, the incident occurred within Yemeni waters off Aden, a location where Somali pirates had never attempted a boarding before (and have not since). In VDR recordings, the attackers identified themselves as “security,” suggesting that if they were pirates, they would have had to have known that the vessel was awaiting a security detail. They brought with them an incendiary device. The master allowed them to come aboard, even though they were masked and armed and the ship was awaiting an unarmed security team. When directed to steer towards Somalia, the master selected a very different course, but the attackers did not detect this or correct it!

Accordingly, it was held that the supposed attack by pirates was a “fake attack”, and that in reality it was a charade orchestrated by the owner of the vessel, Mr Iliopoulos. It was also held that the vessel’s master and chief engineer were complicit in the scheme, alongside local Aden-based salvors, Poseidon Salvage, and current or former members of the Yemeni coast guard or navy.

An interesting point was raised by the bank in its submissions. On the assumption that the bank is insured under the policy as a composite co-assured, was it possible to argue that in the popular or business sense the owner of the vessel was a pirate, since they carried out the attack on a vessel (or instructed that the attack was to be carried out) with a motive of personal gain/to satisfy personal senses of vengeance/hatred? Teare, J was quick to dismiss this argument indicating that the violence to the vessel and the threat of violence to the crew would not qualify as piracy if carried out by the owners (or the conspirators) with the intention to defraud the insurers. This might seem an obvious point to some but is another clarification on the meaning of “piracy” for the purposes of marine insurance law. The bank’s attempt to argue that the loss was caused by “persons acting maliciously” also failed. Teare, J, quoting from the Supreme Court judgment in The B Atlantic [2018] UKSC 26 stressed that this peril involves an element of “spite or ill-will or the like in relation to the property insured or at least to other property or perhaps even a person” but he rightly indicated that those who were permitted to board the vessel did not act out of “spite or ill-will or the like” in relation to the vessel but did so on the request of the owner in order to assist him in his fraudulent plan to deceive the underwriters. Put differently, here the owner sought to damage his own property and the armed men sought to assist the owner, not to harm him.

The finding of the trial judge on the “wilful misconduct” point was adequate to decide the case in favour of the war risk underwriters insurers but it was briefly stated in the judgment that underwriters were also successful on a number of subsidiary and alternative defences such as the insured vessel being outside the geographical limits of policy (the so called “Aden agreement” point) at the time of the alleged loss and breach of a warranty that required compliance with advice and recommendations of an IMO Circular concerning planning and operational practices for ship operators and masters of ships transiting the Gulf of Aden and the Arabian Sea.

The case does not necessarily establish novel legal points but a 52 day trial and a very lengthy judgment is a good illustration of the work that needs to be carried out by lawyers and judges in cases where insurers raise “fraud” as a defence to a claim under the policy.     

Much Ado About Nothing! A Marine Insurance Case That Promised A Lot But Delivered Very Little

McKeever v. Northernreef Insurance CO SA (22 May 2019)(LM-2018-000044) 

The owner of a sailing yacht named CREOLA, Mrs McKeever, brought an action against Northernreef Insurance CO SA, a Uruguayan insurance company, under a yacht policy providing against the usual range of marine risks, including perils of the seas, piracy, malicious acts and theft.

On 19 March 2014, the insured yacht grounded on a reef in the Sulu Sea. The assured and her friend’s attempts to re-float her were unsuccessful and they had to abandon the yacht as the waves were becoming stronger. Having secured and padlocked the hatches, they were picked up by a fishing vessel which responded to their mayday signal. The next day, they returned to the yacht with the coastguard to find out that the windows had been broken and she had been looted. Various valuable items including electronic navigation aids had been stolen. The assured engaged a firm to guard the yacht and also a salvage company to move the yacht to a place of safety. The salvage company found flooding to a depth of six inches in the portside midsection. On 7 April 2014, the salvage company managed to re-float the yacht and tow her to the Penuwasa boatyard.

The assured’s numerous attempts to claim from the insurer failed. The current proceedings were issued against the insurer in the UK and served on its UK agent. The insurer failed to engage with any of the litigation process save for filing a defence and did not attend trial.

The assured’s claim included:

  1. Damage to the yacht;
  2. Indemnity for the items stolen;
  3. Recovery of the sums paid for guarding the yacht and sums paid for re-floating and towing the yacht (as sue and labour expenses)

Miss Julia Dias QC sitting as the Deputy High Court Judge awarded the assured the diminution in the market value of the yacht owing to the totality of the damage suffered, the value of the stolen items, and her sue and labour expenses.

Grounding Damage

The trial judge was convinced that the initial damage of the hull was caused by “perils of the seas” as the grounding itself was fortuitous. The defendant insurer’s counter arguments that i) the maintenance warranty was breached; ii) the yacht was unseaworthy owing to out-dated charts; and iii) the grounding was caused by the assured’s negligence, had no prospect of success as no evidence was presented by the insurer to maintain these points. There was also no doubt that damage caused by the ingress of water was also recoverable as a loss caused by perils of the seas. In this context, discussion was carried out whether damage caused by ingress of water could be attributable to “piracy” or “theft” or “malicious acts” of third parties given that the looters broke the windows and left hatches open enabling the entry of seawater. The observations of the judge on these points are interesting. On the point of piracy, she indicated that piracy in English law can be defined as “forcible robbery at sea” (The Andreas Lemos [1983] 1 QB 647, at 796-7). She then, relying on s. 8(1) of the Theft Act 1968 reached the conclusion that robbery requires there to be a threat of violence or use of force directed at some person and it was, accordingly, not adequate that violence was directed at the property. This conclusion is not free from criticism. Most would find it strange that assistance is sought from a national legislation, e.g. the Theft Act 1968, in ascertaining the meaning of a marine peril which invariably occurs at high seas, i.e. outside the jurisdiction of any national state. More fundamentally, however, in relevant authorities (especially Republic of Bolivia v. Indemnity Mutual Marine Assurance Co [1909] 1 KB 785, at 796-7) emphasis has been made to the fact that piracy was in essence indiscriminate plunder for personal benefit carried out at sea and with force. There is nothing in that case stressing that violence must be directed to people and violence directed at property would not suffice for the purposes of defining the boundaries of piracy. 

The judge acknowledged that violence directed at property was adequate to bring an action under the peril of the “theft”, she held that while the water ingress can be regarded as having resulted in a general sense from the theft, its proximate cause was the forcible entry rather than the theft of the machinery and it is only the latter which is insured under the policy. This is a curious reasoning, to say the least, considering that the efficient cause of the loss here seems to be breaking of the windows to facilitate theft of various items on board the yacht.

It was relatively easy to rule out “malicious acts” as a cause of the loss on the premise that the looters here were motivated by self-interest (i.e. their actions were motivated for the purpose of facilitating theft).

Indemnity for items stolen

The insurers themselves had conceded that indemnity for the items stolen was recoverable under the peril of the “theft” as there was clear evidence of violence against the property.

Sue and Labour Expenses

The trial judge had no doubt that expenses incurred, i.e. engaging a firm to protect the insured yacht and engaging the salvage company to remove her from the reef and tow to Penuwasa boat yard were properly and reasonably incurred for the purpose of taking reasonable measures to avert or minimise a loss

Conclusion

The case leaves so many points unanswered. The conclusion about the essential elements of “piracy” in the context of a marine insurance policy is debatable. Also, the judge’s findings on issue of identifying “proximate cause” of the loss are questionable. The case also presented an opportunity to deliberate to what extent a clause excluding claims from negligence of an assured is valid in the context of a policy that is taken by an individual. No doubt, these issues would have been evaluated further had the insurer appeared before the Court. As it stands, the judgment does not add much to the development of marine insurance law. 

Supreme Court Clarifies the Law on CTL Calculation in Marine Insurance

The Swedish Club v Connect Shipping (The MV Renos) [2019] UKSC 29

Under s. 60(2)(ii) of the Marine Insurance Act (MIA) 1906, there is constructive total loss (CTL) when the insured ship is damaged by a peril it’s insured against and the cost of repairing said damage would exceed the insured value of the ship when repaired. In estimating the cost of repairs for the purposes of this provision, it has been held by Knowles, J, [2016] EWHC 1580 (Comm) that i) the costs incurred prior to the date of notice of abandonment and ii) the costs of salvage operations performed before the notice of abandonment, including sums payable under the SCOPIC clause, should be taken into account.

The underwriters’ appeal to the Court of Appeal on these points was rejected unanimously [2018] EWCA Civ 230 (per Hamblen, LJ, with whom Simon, LJ and Sir Geoffrey Vos C agreed). In a previous case note, the author was critical of the Court of Appeal’s reasoning, especially with regard to the second point, i.e. taking into account SCOPIC expenses incurred before the notice of abandonment in estimating the cost of repairs.

The Supreme Court (composed of Lords Sumption, Reed, Hodge, Kitchin and Lloyd Jones) allowed the appeal on this ground holding that SCOPIC charges cannot be considered as part of the “cost of repairing the damage” under s. 60(2)(ii) of the MIA 1906 (or the “cost of recovery and/or repair” under clause 19.2 of the Institute Hull Clauses). The Supreme Court stressed that the primary purpose of SCOPIC expenditure is to protect owners’ potential liability for environmental pollution not to enable the ship to be repaired. Hence, such expenditure is not connected with the damage to the hull or its hypothetical reinstatement and the mere fact that a prudent uninsured owner would have contracted with the same contractors for both prevention of environmental pollution and protection of the property does not make them indivisible. The author believes that the Supreme Court’s decision on this issue is intuitive and makes sense.   

On the issue of whether expenses incurred prior to the notice of abandonment should count towards the calculation of a CTL under s. 60(2)(ii) of the MIA 1906, the Supreme Court rejecting the submission of the underwriters, affirmed the findings of the lower courts. The Supreme Court approached the matter with reference to basic principles of insurance law indicating that several older judgements on the matter (in particular Hall v. Hayman (1912) 17 Comm Cases 81 and The Medina Princess [1965] 1 Lloyd’s Rep 361) lacked reasoning and legal argument. Taking into account the objective character of the factual enquiry of whether a vessel is a CTL and the fact that in marine insurance context the loss is suffered at the time of the casualty, the Supreme Court was adamant that the reference to “damage” in s. 60(2)(ii) was in fact reference to the entire damage arising from the casualty from the moment that it happened. Therefore, it cannot make any difference when costs are incurred, i.e. pre or post notice of abandonment. On that premise, the Supreme Court evaluated whether this principle might be affected by the legal requirement for a notice of abandonment but reached the conclusion that it is not.                   

At the commencement of litigation, it was agreed by the parties that, to be declared a CTL under s. 60 of the MIA 1906, the repair costs needed to be in excess of US$ 8 million. The matter in the light of the Supreme Court judgment will be remitted to the trial judge to determine whether the vessel had been a CTL and what financial consequences would follow from that. 

Waiver of Further Disclosure- The First Case Under the Insurance Act 2015

The Insurance Act (IA) 2015, which came into force on 12 August 2016, applies in England and Wales, Scotland and Northern Ireland (s. 23 of the IA 2015). It fell to the Court of Session (Outer House) in Scotland to deliver the first judgment under the Act in Young v. Royal and Sun Alliance plc [2019] CSOH 32.

The co-assureds (Mr Young and Kaim Park Investments Ltd, a company of which Mr Young was a director) brought a claim of £ 7.2 million for extensive fire damage to commercial premises insured. The insurer, Royal and Sun Alliance plc, rejected the claim on the basis that the assured failed to disclose material information (a commercial assured is under a duty of fair presentation under the IA 2015).

The policy had been entered through an insurance broker. The assured was requested by the insurance broker to fill in a proposal form which was prepared using the broker’s software. One part of the proposal form required the proposer to select from various options in a drop-down menu. The instruction read: “Select any of the following that apply to any proposer, director or partner of the Trade or Business or its Subsidiary Companies if they have ever, either personally or in any business capacity: …” The drop-down menu that followed this instruction included an option that any of the persons identified had been declared bankrupt or insolvent. Neither Mr Young nor Kaim Park Investments had been declared bankrupt or insolvent, however, Mr Young had previously been a director of four other companies which had entered into insolvency. The option which was selected on the proposal form was “None”. Accordingly, the proposal forwarded to the insurer showed the option selected, i.e. “None”, and the list of persons to which the declaration related. Once receiving the presentation, the insurer sent an e-mail to the brokers providing a quote for cover and a list of conditions. The conditions, inter alia, included: “Insured has never been declared bankrupt or insolvent.

In the present case, the assured’s argument was that the insurer’s e-mail response amounted to a waiver by the insurer of its right to receive the undisclosed information regarding the four insolvent companies.

The 2015 Act introduces no fundamental change on the law on waiver (a point which both parties agreed). By virtue of s. 3(5) (e) of the Act, the assured is not required to disclose a circumstance “if it is something as to which the insurer waives information.”

The judge, Lady Wolffe, reviewing the case law under the Marine Insurance Act (MIA) 1906 reiterated that waiver in this context can typically arise in one of two ways:

  • Where the insured had submitted information that would prompt a reasonably careful insurer to make further enquiries but the insurer had failed to do so (WISE (Underwriting Agency) Ltd v Grupo Nacional Provincial SA [2004] 2 All ER (Comm) 613); and
  • Where the insurer had asked a “limiting question” such that the insured could reasonably infer that the insurer had no interest in knowing information falling outwith the scope of the question (Doheny v New India Assurance Co [2005] 1 All ER (Comm) 382). The classic example is where the proposal form asks about convictions within the last 5 years and which can instruct waiver of information about convictions more than 5 years ago.

It was decided by Lady Wolffe that only the second of these forms of waiver could be relevant in the present case. Therefore, the key issue was whether it could be inferred from the e-mail of the insurer to the broker stating that the “assured has never been declared bankrupt or insolvent” that the insurer waived information regarding the involvement of Mr Young in other companies which had entered insolvency.

Reviewing the case law on the point, Lady Wolffe stressed that in determining whether the insurer’s email response amounted to waiver, the key consideration was whether a reasonable person in the position of the assured would be justified in thinking that the insurer had restricted its right to receive all material information. It needs to be borne in mind that when presenting the risk to the insurer, the broker utilized its own form rather than the insurer’s proposal form. The relevant part of the proposal form required the proposer to select from various options in a drop-down menu. The instruction read: “Select any of the following that apply to any proposer, director or partner of the Trade or Business or its Subsidiary Companies if they have ever, either personally or in any business capacity: …” The choices that followed this instruction included an option that any of the persons identified had been declared bankrupt or insolvent, but when assessing the risk, the insurer had only seen the selected option of “None” in the presentation. They had not seen the full list of options which the assured had selected from (which the judge referred to as matters concerning “Moral Hazards”). Therefore, the insurer’s email response intended to clarify that unknown matter. The insurer had done this by listing in the email the various hazards that required to be included. As a result, it was held that the reference in the email response to “the Insured” was not intended to limit the scope of the information being provided but had simply been used as shorthand for the group of persons identified in the presentation. Accordingly, there was no waiver on the part of the insurer with regard to the information not fully disclosed (i.e. the involvement of Mr Young in four insolvent companies).

Even though the case is the first one considered under the Insurance Act 2015, it does not shed any light on any of the novel concepts introduced by the Act. The decision was concerned with the preliminary question of waivers and was decided in light of authorities on the subject which have already existed for some time. Essentially, the fact that the broker’s own proposal form was used meant that the scope of information provided had been controlled by the assured and that it was impossible to be found as a waiver.

The Saga Continues- What Really Happened to the Brillante Virtuoso?

The Brillante Virtuoso was sailing from Ukraine to China with a cargo of fuel oil when she was boarded by pirates off Gulf of Aden on 5 July 2011. The pirates directed the vessel to Somalia but when the engine stopped and could not be re-started, they allegedly placed a detonator in the engine room causing a huge damage to the vessel. The vessel was insured for $US 55 million with an additional $US 22 million increased cover with ten Lloyd’s underwriters. The underwriters refused to indemnify the assured (Suez Fortune Investments Ltd). The assured and its bank (Pireus Bank AE) brought a claim against the insurers. In the first stage of the trial, the claimants were successful and Flaux, J, (as he then was) held that the vessel was a constructive total loss under s. 60(2)(i) of the Marine Insurance Act 1906 as she was damaged by an insured peril and the cost of repairs would exceed the insured value of the ship when repaired [2015] EWHC 42 (Comm). The insurers argued unsuccessfully that in taking into account the repair value of the damage, the cost of repairs at China should be taken into account. The claimants, on the other hand, argued that the repairs were completed in Dubai and the cost incurred at Dubai should be taken into account even though the cost of repairs in Dubai was 17.5 % more than the cost of repairs in China. Flaux, J, held that that the appropriate location for repairs will depend on the individual circumstances of the case. In this case, he was of the view that Dubai was the most appropriate place for repairs taking into account i) risks that will be associated with further towage to China; ii) cost of insurance for the tow; iii) loss of income for additional period of time; and iv) reputation of yards (not only with regard to the quality of workmanship but also accuracy of cost estimates and the risk of delay).                        

The Brillante Virtuoso after the incident!

The second stage of the trial which will determine the issues of liability of the insurers commenced on 18 February 2019. Parties have different views of what happened to the Brillante Virtuoso in July 2011. The owners argue that the attack was carried out by the pirates who were or used to be members of the Yemeni navy or coast guard. The insurers, on the other hand, put forward the view that the attack was staged by the owners of the ship so this is a case of “wilful misconduct” of the assured. The insurers also rely on other defences, such as breach of various warranties in the policy. It is expected that this will be a lengthy trial but hopefully we shall finally find out what really happened to The Brillante Virtuoso.