“EVER SMART” collision with “ALEXANDRA 1”: The Crossing and Narrow Channel Rules


On 19 February 2021 the Supreme Court delivered a seminal judgment in the first appeal in a collision to come before the highest court since the mid 1970s and overturned the decisions of both Mr Justice Teare [2017] 1 Ll.R. 66 and of the Court of Appeal [2019] 1 Ll.R. 130.   

On 11 February 2015 the outbound Ever Smart, a large container ship, collided with the inbound Alexandra 1, a VLCC, within the pilot boarding area, just outside the dredged entrance/exit channel to the port of Jebel Ali. The appeal concerned two questions relating to the application of the “crossing rules” as set out in rules 15 – 17 of the International Regulations for Preventing Collisions at Sea 1972. The Supreme Court emphasised that the Collision Regulations must be capable of implementation by all vessels as defined in the Rules, irrespective of their technological capabilities [72].

The Questions on the Appeal

The first question for determination was whether the crossing rules are inapplicable or are to be disapplied where an outbound vessel (Ever Smart) is navigating within a narrow channel and has a vessel (Alexandra 1) on a crossing course approaching the narrow channel with the intention of and in preparation for entering it. This question concerned the inter-relationship between the crossing rules and the “narrow channel rules” (rule 9).

The second question was whether it is necessary for the putative give-way vessel to be on a steady course for the crossing rules to be engaged. The “putative give-way vessel” is the vessel which, if the crossing rules apply, would be required by rule 15 to keep out of the way of the other vessel. In practical terms it is the vessel which has the “putative stand-on vessel” on her starboard side.

Both Teare J. and the Court of Appeal answered both questions “yes” with the consequence that the crossing rules were either not engaged at all or, if engaged, were overridden by the narrow channel rules. Teare J. apportioned liability 80% (Ever Smart) and 20% (Alexandra 1) and this was upheld by the Court of Appeal.

The decision of the Supreme Court

The Supreme Court disagreed.  Before addressing the two questions the Supreme Court emphasised the international character of the Collision Regulations and their application to “mariners of all nationalities, of all types (professional and amateur), in a wide range of vessels and in worldwide waters”: see [37] – [45]. In this regard the Supreme Court referred to the well-known statement of Lord Wright in The Alcoa Rambler [1949] AC 236 (PC) at p 250 that “wherever possible” the crossing rules “ought to be applied and strictly enforced because they tend to secure safe navigation”. See also Atkin LJ in The Ulrikka (1922) 13 Ll.L.Rep 367 at 368. At [46] –  [74] the Supreme Court carried out a detailed analysis of the context and purpose of the crossing rules, addressing the meaning of “heading”, “course” and “bearing” and emphasising the existence of a risk of collision when two vessels are approaching each other on a more or less steady bearing: see rule 7(d)(i).

The Supreme Court also considered the effect of rule 2(a) and (b). Rule 2(a) had been heavily relied upon by the Alexandra 1 interests for the dis-application of the crossing rule but this argument was rejected as “misconceived”: [66]. In essence the Supreme Court held that:

a.    The crossing rules were of such importance in the context of collision avoidance that “they should not lightly be treated as inapplicable” [68].

b.    Any tension between the obligation of the stand-on vessel to keep her course and speed and to comply with another rule should “be resolved by treating the stand-on obligation as moulded for the purpose of permitting compliance with the other rule” [69]. Teare J. and the Court of Appeal had erred in treating the rules as inconsistent either generally (Teare J.) or on the particular facts (the Court of Appeal).

c.    Any ouster of one rule must be limited to the minimum strictly necessary to avoid danger and uncertainty: [70].

The Second Question

The Supreme Court first addressed the second question and held that neither the give-way vessel nor the stand-on vessel had to be on a steady course for the crossing rules to be engaged: [75] – [115]. In essence the Supreme Court held that two crossing vessels may be approaching each other and remain on a steady bearing (with consequent risk of collision) without either vessel being on a steady course.

“ …. if two vessels, both moving over the ground, are crossing so as to involve risk of collision, the engagement of the crossing rules is not dependent upon the give-way vessel being on a steady course. If it is reasonably apparent to those navigating the two vessels that they are approaching each other on a steady bearing (over time) which is other than head-on, then they are indeed both crossing, and crossing so as to involve a risk of collision, even if the give-way vessel is on an erratic course. In such a case, unless the overtaking rule applies, the crossing rules will apply.” [111]

Although it was in issue on the facts, the Supreme Court also considered that the stand-on vessel need not be on a steady course for the engagement of the crossing rules [112] – [114].

The Supreme Court concluded that, subject to the first question, the crossing rules were engaged even though “ALEXANDRA 1 was not on a steady course, or speed” [115].

The First Question

The Supreme Court identified a number of relevant factual situations where the inter-relationship between the crossing and narrow channel rules needed to be considered. The Supreme Court sought “to determine with clarity and as precisely as possible” [124] the circumstances in which the crossing and narrow channel rules would apply in the vicinity of the entrance to a channel.

Three broad groups of cases were identified [134]:

“Group 1 are vessels which are approaching the entrance of the channel, heading across it, on a route between start and finishing points unconnected with the narrow channel. They are approaching the entrance of the channel, but not intending or preparing to enter it at all. Group 2 are vessels which are intending to enter, and on their final approach to the entrance, adjusting their course to arrive at their starboard side of it. ….. Group 3 are approaching vessels which are also intending and preparing to enter, but are waiting to enter rather than entering …. ”

The crossing rules would clearly apply in a Group 1 case. The crossing rules would not apply in relation to Group 2 “because the approaching vessel is both preparing and intending to enter it, and already shaping (ie adjusting her course and speed to do so), on her final approach”. The decisions in The Kaiser Wilhelm Der Grosse [1907] P 36 and 259, The Canberra Star [1962] 1 Lloyd’s Rep 24 and Kulemesin v HKSAR [2013] 16 HKCFA 195 fell within Group 2.  

However, the present case fell within Group 3 because Alexandra 1 had not yet shaped to enter the narrow channel on her final approach. The Supreme Court held that the crossing rules should continue to apply to a “Group 3 waiting vessel, or any vessel approaching the channel intending to enter it, which has yet to shape her course to enter it on her starboard side of it” [138]. Further, there was no reason why the outbound vessel could not comply with both the crossing and narrow channel rules: [139] – [140].

At [145] the Supreme Court concluded on the first question as follows:

“Where an outbound vessel in a narrow channel is crossing with an approaching vessel so as to involve a risk of collision, the crossing rules are not overridden by the narrow channel rules merely because the approaching vessel is intending and preparing to enter the narrow channel. The crossing rules are only overridden if and when the approaching vessel is shaping to enter, adjusting her course so as to reach the entrance on her starboard side of it, on her final approach.”

Apportionment will now be re-determined by Sir Nigel Teare on the basis that the crossing rules applied from about C-23 and that the Alexandra 1 was the give-way vessel.

Simon Rainey QC and Nigel Jacobs QC represented the successful Ever Smart Interests. They were instructed by Ince Gordon Dadds LLP (Christian Dwyer, Sophie Henniker-Major and James Drummond) in consultation with Stann Law Limited (Faz Peermohamed).

Halliburton v Chubb: Is Timing Everything?

Simon Rainey QC and Gaurav Sharma

On 27 November 2020, the Supreme Court handed down its highly anticipated judgment in Halliburton Company v Chubb Bermuda Insurance Ltd [2020] UKSC 48, unanimously dismissing Halliburton’s appeal.  In doing so, it found that, at the relevant time of assessment, a fair-minded observer would not have considered that the circumstances gave rise to reasonable doubts as to the impartiality of the chairman of the tribunal hearing the parties’ dispute arising out of the Deepwater Horizon incident in 2010.

Critics of the decision will undoubtedly focus on the consequences of the court’s view that the “relevant time” was the time of the hearing to remove the chairman under section 24(1)(a) of the Arbitration Act 1996 (the Act), rather than the time of his acceptance of an appointment by Chubb in a separate arbitration – also relating to non-payment by Chubb under an insurance policy related to the Deepwater Horizon incident – around six months after his appointment in the arbitration between Halliburton and Chubb.

However, the decision brings finality to a key issue in the English law of arbitration, namely the existence of a legal duty to disclose an arbitrator’s participation in other arbitrations involving the same subject matter and a common party.  In addition, it delivers clarity in relation to certain other aspects of disclosure and arbitral practice more generally – notably including the interaction between the duty of disclosure on one hand and the obligation of confidentiality on the other, and the application of the English rules on disclosure just as equally to party-appointed arbitrators as to tribunal chairs.

The Disputes, The Arbitrations, The Appeals

The Deepwater Horizon was an offshore oil and gas drilling rig leased by BP and operated by Transocean at BP’s Macondo Prospect in the Gulf of Mexico.  Cementing and well monitoring services were provided by Halliburton.  On 20 April 2010, the rig experienced a major blowout in the course of the temporary abandonment and plugging of a well, resulting in the tragic loss of several rig workers’ lives, significant oil spills and environmental damage, and the sinking of the rig on 22 April 2010.

The US Government brought proceedings against BP, Transocean and Halliburton in relation to the damage caused by the incident.  A trial to determine liability before the Federal Court for the Eastern District of Louisiana resulted in a judgment on 4 September 2014 apportioning blame in percentage terms as between the three defendants.  Halliburton settled certain of the US Government’s claims against it in the amount of US$1.1 billion, but its liability insurer, Chubb, resisted its subsequent insurance claims on the basis that the settlement amount was not reasonable.  Accordingly, Halliburton commenced London arbitration proceedings against Chubb under its Bermuda Form policy, resulting in the High Court’s appointment on 12 June 2015 of Mr Kenneth Rokison QC as chair of the tribunal in default of agreement by the two party-appointed arbitrators.

Mr Rokison subsequently accepted an appointment by Chubb in December 2015 in its separate arbitration with Transocean arising out of the same incident following Transocean’s settlement of claims with the US Government; and an appointment in a third arbitration arising out of the same incident between Transocean and another insurer in August 2016.

At the time, Mr Rokison made no disclosure in the arbitration between Halliburton and Chubb of his appointment in the other two references.  In November 2016, Halliburton became aware of these appointments and applied to the court pursuant to section 24(1)(a) of the Act to remove him as chair of the tribunal on the grounds of perceived bias. The High Court dismissed the application following a hearing on 12 January 2017 and Halliburton appealed against this decision.  The Court of Appeal dismissed Halliburton’s appeal, resulting in Halliburton’s appeal to the Supreme Court.

The Legal Duty To Disclose Multiple Appointments With A Common Party

The issues before the Supreme Court were (i) whether and to what extent an arbitrator may accept appointments in multiple references concerning the same or overlapping subject matter with only one common party without thereby giving rise to an appearance of bias, and (ii) whether and to what extent the arbitrator may do so without disclosure.

Giving the leading judgment, Lord Hodge made clear that in cases of apparent bias such as the present, the court was not concerned “to ‘make windows into men’s souls’ in search of an animus against a party or any other actual bias, whether conscious or unconscious.”  Instead, its task was to examine “how things appear objectively”.  [Para. 52]

The analysis was done in the context of section 24(1)(a) of the Act which allows for the removal of an arbitrator where “circumstances exist that give rise to justifiable doubts” as to the arbitrator’s impartiality.  The court considered that this could be the case “if the arbitrator at and from the date of his or her appointment had such knowledge of undisclosed circumstances as would, unless the parties waived the obligation, render him or her liable to be removed under section 24 of the 1996 Act”.  Agreeing with the Court of Appeal, the Supreme Court affirmed that this gave rise to a legal duty to make a disclosure of such matters which would otherwise cause the arbitrator to be in breach of their “statutory obligation of fairness”.  In other words, “an arbitrator who knowingly fails to act in a way which fairness requires to the potential detriment of a party is guilty of partiality”.  [Para. 78]

The court accepted the submissions of the ICC, LCIA and CIArb who favoured the recognition of such a legal duty in international arbitration proceedings; and those of the GAFTA and the LMAA to the effect that parties who chose to arbitrate their commodities and shipping disputes under those specialist rules understood that the smaller pool of specialist arbitrators involved might well act in multiple arbitrations arising out of the same subject matter, without needing to disclose that fact.  Lady Arden reinforced the importance of having clear evidence of a practice of dispensing with parties’ consent for arbitrators to appear in multiple arbitrations: while the English courts might trust arbitrators to decide cases on the basis of the evidence before them and set aside any inequality of arms and material asymmetry of information, this was something that “may not translate easily for the many parties to arbitrations who are familiar with different legal systems”. [Para 164]

Right Place, Wrong Time

The question therefore arose whether participants in Bermuda Form arbitrations would typically expect disclosure of an arbitrator’s involvement in related arbitrations.  The court found no evidence of parties acceding to a general practice of non-disclosure, which was also consistent with the fact that Mr Rokison had made disclosures to the parties in the other two arbitrations that arose out of the present subject matter of his role in the arbitration between Halliburton and Chubb.  Accordingly, the court found that Mr Rokison’s appointment in the second and third arbitrations should have been disclosed to Halliburton, and his failure to do so was a breach of legal duty which meant that a fair-minded and informed observer may well have concluded that there was a real possibility of bias.  [Para 147]

Ultimately this was of little consequence, however, as the court ruled that the relevant time for the determination of possible bias was not when he was appointed in the second reference (December 2015) – but the date of the hearing of the application to remove him as an arbitrator (January 2017).

This, said the court, was because of section 24(1)(a) of the Act’s use of the present tense requiring an examination of whether circumstances “exist” when the issue of an arbitrator’s removal arises for determination by the court.  By the time of the removal hearing concerning Mr Rokison, Halliburton had discovered his appointment in the other arbitrations and questioned him about that in correspondence, resulting in him providing an explanation for his failure to disclose – based on an oversight and belief that there would not be material overlap between the different sets of proceedings.  Halliburton accepted this explanation as being truthful, and the court was not persuaded that a fair-minded and informed observer assessing the situation at the date of the removal hearing – having the benefit of Mr Rokison’s explanation for his failure to disclose – would infer that there was a real possibility of bias on Mr Rokison’s part.  [Para 149]

So, Arbitrators Have A Statutory Duty to Disclose.  But What If They Don’t?

In their judgments, both Lord Hodge and Lady Arden recognised the risk of affirming the existence of the legal duty to make a disclosure which might not lead to an arbitrator’s disqualification or removal if not complied with.  Lady Arden acknowledged that “There is a concern that the duty of disclosure carries no sanction if an application is made to the court about a non-disclosure by the arbitrator and fails.”  But in her view, this missed the point, which was that “it would still be a breach of the terms of appointment with such consequences, if any, as the law of contract prescribes.  In addition, a person may commit a breach of contract but incur no liability as a result, and the situation postulated falls into that category.”  [Para 169]

Lord Hodge explained how in circumstances of a breach of the legal duty to disclose, an “arbitrator might, depending on the circumstances, face an order to meet some or all of the costs of the unsuccessful challenger or to bear the costs of his or her own defence.” [Para 111]
In other words, the failure would amount to a breach of a strictly legal obligation with the usual consequences associated with such a breach – though it would have no bearing on the situation obtaining at the date of a removal hearing and the assessment to be carried out then. 

Conclusion

The Supreme Court’s decision may cause disquiet in some quarters, especially amongst those who expect a failure to make a material disclosure to have more significant consequences – notably disqualifying an arbitrator from acting, or continuing to act, altogether.  The fact that the disclosable information in this case came to light by chance will only reinforce the sense of arbitrariness that some observers may have in the idea of assessing the issue at some point in time after the disclosure should have been made, but was not.  This in turn risks perpetuating any concerns participants in international arbitration proceedings may have as to the willingness and ability of English law to police the conduct of those who decide their disputes and their failure to make material disclosures affecting the fairness of proceedings.

More generally, one cannot help but wonder whether the court’s decision might result in some arbitrators showing less concern for their duty to make disclosures of relevant information in English-seated arbitrations in future.  This would be a shame, especially in light of the highly confidential nature of commercial arbitration and the difficulty of obtaining credible information as to the reliability and trustworthiness of arbitrators in advance of appointment as things stand.

However, it is not a given, and we must hope that it will not be the case.  Further, we should welcome the fact that the court’s decision brings clarity as to the nature of an arbitrator’s legal duty of disclosure, and how and when the examination of apparent bias will fall to be conducted.

Equally, we should be thankful for the court’s clarification as to the interaction between the duty to disclose involvement in multiple proceedings and any duties of confidentiality owed by that arbitrator to the various parties involved across the disputes.  Lady Arden explained that “the implied term as to confidentiality is independent of the implied term that the arbitrator should comply with his impartiality duty. It is truly a self-standing term”.  [Para 175.]  A customary high-level disclosure made on an anonymised basis will usually suffice to provide a party with the necessary information to enable it to assess whether or not it wishes to object to an arbitrator’s appointment.  However, if further information that is confidential is reasonably required by a party to make that assessment and would require another party’s consent in order to be divulged, then “if consent is not forthcoming, the arbitrator will have to decline the proposed appointment”.  [Para. 188]  It is not hard to appreciate the reasonableness of Lady Arden’s logic: arbitrators are, for better or worse, private judges who undertake paid appointments on a commercial and contractual basis.  If a request for consent to provide detailed information is made in the context of “the voluntary decision of the arbitrator to pursue a further appointment” (para. 180) and refused, then that is tough luck for the arbitrator in question who will simply “have to decline the proposed appointment”.  (Para. 188).

Finally, we should congratulate the Supreme Court for spelling out in terms that party-appointed arbitrators are subject to precisely the same obligations, and precisely the same standards, as tribunal chairs when it comes to impartiality and considerations of fairness.  This point was made in passing in reference to Halliburton’s appointment of Mr William Park as its arbitrator in three references against different insurers in insurance claims arising out of the Deepwater Horizon disaster, without any disclosure; juxtaposed with Mr Park’s statement of “profound disquiet about the arbitration’s fairness” made when the award was rendered in the Halliburton v Chubb arbitration, based on Mr Rokison’s non-disclosure of other appointments (Para. 26).  The court was, understandably, unimpressed by the suggestion that a party-appointed arbitrator should be afforded greater leniency in respect of his or her choice of disclosures compared with a chair, since “that is not a distinction which English law would recognise as a basis for a party-appointee avoiding the obligation of disclosure.  The disagreement among people involved in international arbitration as to the role of the party-appointed arbitrator is a circumstance which points to the disclosure of such multiple nominations; it does not provide a ground for nondisclosure”.  (Para 144).  This view echoes the position taken by the courts of other major arbitral centres around the world in relation to the strict disclosure obligations of party-appointed arbitrators (see for example the 25 February 2020 decision of the International Commercial Chamber of the Paris Court of Appeal in Dommo v Barra y Enauta).  Moreover, it is hugely reassuring to hear the court reaffirm what all participants in international arbitration proceedings hope and expect to be the case in respect of each and every one of the arbitrators mandated with the resolution of their legal dispute.

Insurance Implications of “Phishing”!


The 2Cs, COVID-19 and cyber risks, are two plagues of our generation, both of which command global interest and compete in both print and online media for daily headlines. They also have one thing in common: they are highly misunderstood and mutate ever so often. For these and other reasons, governments and business stakeholders have invested heavily in developing safety guidelines to mitigate the loss and damage arising directly or indirectly from cyber risks and COVID-19. While governments have made some progress in the fight against COVID-19 through vaccine administration, cyber risks, on the other hand, are mutating at such a rate that it is almost impossible to keep up, and the shipping and insurance industries are just as vulnerable to cyber risks as any other industry. Here we will briefly discuss phishing, often described as the most widespread and pernicious cyber-attack technique, but the discussion will be centered around the decision of the U.S. District Court for the Northern District of Texas in RealPage v National Union Fire Insurance Company of Pittsburgh and Beazley Insurance Company[1].

BIMCO, in its guidelines on cybersecurity risks onboard ships, describes phishing as encompassing the sending of emails to many potential targets asking for pieces of sensitive or confidential information. The email may also contain a malicious attachment or request that a person visit a fake website using a hyperlink included in the mail. A distinguishing feature of phishing is that attackers pretend to be a real and trusted person or company with whom the victim usually has, or has had, business relations. It is reported in the Cyber Security Breaches Survey 2020 that phishing attacks are the most common attack vector used by cyber criminals and that between 2017 and 2020 there has been a rise in the number of businesses experiencing phishing attacks from 72% to 86%, whereas there has been a fall in viruses and other malware from 33% to 16%.[2] Since phishing is such a constant threat to businesses, it is understandable why insurers see the need to cater for this risk in their cyber insurance policies and/or other commercial crime policies.

Facts of RealPage case:

RealPage provides several services for their clients who are property owners and managers of real estate. The clients entered contracts with RealPage authorizing it to act as agents on their behalf, and to manage and collect monies debited from their customers’ accounts, and to credit the client’s identified bank account. The tenants authorized the transactions processed by RealPage and this was communicated to RealPage by their clients. RealPage then contracted with Stripe to provide software services that enable payment processing and related functions.

The payment process involved the following:

  1. A tenant would log in to an interface called “Resident Passport” to make a payment to one of RealPage’s clients.
  2. Upon initiation of a payment by a tenant, RealPage would send application programming interface (API) calls[3] to Stripe’s server either through Stripe Dashboard or the On-Site application.
  3. Upon receipt of an API call, for an automated clearing house (ACH) transaction, Stripe would send instructions to its bank, Wells Fargo to process the ACH transfer that would pull money from the tenant’s bank account and place these funds in Stripe’s Wells Fargo bank account.
  4. Thereafter, Stripe would direct Wells Fargo to complete another ACH transfer to pay these funds to the clients in accordance with RealPage’s instructions.

The funds held in Stripe’s accounts were for the benefit of its users and merchants such as RealPage. If there was a balance owed to a client of RealPage, the funds for that client in Stripe’s account would be for the benefit of the said client. RealPage had no rights to the funds held in Stripe’s account. RealPage was not entitled to draw funds and did not receive interest from funds maintained in the account. RealPage’s contracts describe the relationship with Stripe as that of independent contractors. One exception where Stripe operates as an agent is in holding funds that are owed to RealPage.

The hackers used targeted phishing to obtain and alter the account credentials of a RealPage employee. They then used those credentials to access the Stripe Dashboard and alter RealPage’s fund disbursement instructions to Stripe. The hackers diverted over $10 million that was not yet disbursed to clients. RealPage discovered the fraud, contacted Stripe and directed them to reverse the payments and freeze outgoing payments. RealPage was unable to recover over $6 million of the funds. RealPage refunded clients for lost funds.

Insurance Policies with National Union and Beazley

At the time of the attack, RealPage had a commercial crime policy with National Union and an Excess Fidelity and Crime Policy from Beazley. The Excess Policy provides a $5,000,000 limit of liability “for any loss which triggers coverage under the Commercial Crime Policy”. Therefore, any recovery under the Excess Policy was dependent on RealPage successfully making a claim under the Commercial Crime Policy. The following provisions of the Commercial Crime Policy are the most relevant:

Ownership of Property; Interests Covered:

The property covered under this policy is limited to property:

(1) That you own or lease; or

(2) That you hold for others whether or not you are legally liable for the loss of such property.

Computer Fraud:

We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:

a. To a person (other than a “messenger”) outside those “premises”; or

b. To a place outside those “premises”.

Funds Transfer Fraud:

We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.

Insurance Claims and Responses

RealPage claimed for the funds lost under the policy, but National Union was only willing to reimburse the transactional fees owed to RealPage. With respect to the diverted funds that were owed to RealPage’s clients, National Union concluded that, based on their preliminary analysis, RealPage did not own or hold the funds and thus was not entitled to coverage. As a result of National Union’s denial of coverage, RealPage filed a claim seeking a declaration of judgment for the funds fraudulently diverted and lost as a result of the phishing attack.

Court Proceedings

The main issue for the court was ‘whether RealPage is entitled to coverage under commercial crime insurance policies for the loss of its clients’ funds which were diverted through a phishing scheme’. In answering this question, the central issue was whether RealPage held these funds despite its use of a third-party processor, Stripe Inc. After an extensive discussion of the meaning given to the word ‘hold’, it was accepted that there must be possession and not necessarily ownership of an item. Accordingly, the court held that RealPage did not suffer a direct loss as required under the policy, as they did not hold the funds at the time of the phishing attack, and in so doing the court decided in National Union and Beazley’s favour, granting them summary judgment.

RealPage argued that the policy was expansive enough to cover property they held. They also reasoned that since they had the authority to direct Stripe as to where the funds should go, they ‘held’ the funds. The court rejected this line of reasoning by stating that ‘hold’ cannot be reduced to simply the ability to direct but required some sort of possession of property. Applying the ordinary meaning of ‘hold’, RealPage was not in possession of the funds. The funds were in Stripe’s account at Wells Fargo and not RealPage’s up to the time they were diverted to the hackers’ account. RealPage’s ability to direct the transfer of the funds does not amount to holding the funds. Furthermore, RealPage had no rights to the funds in the account and could not withdraw the funds, and the funds were held in the same account as those of other Stripe users.

RealPage had to also establish that they had suffered loss resulting directly from computer fraud or funds transfer fraud. Since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required under the Policy.

Insurance implications

While we acknowledge that this decision is not binding on the courts in the UK, it cannot be denied that many of the practices within the UK cyber insurance market are influenced by what happens in the more mature US market. Furthermore, many of the insurance companies including Beazley who are leading the way in the UK as cyber insurance providers also have parent companies, branch offices or subsidiaries operating in the USA. So, while the decision is not binding, it will certainly be persuasive or at the very least leave an indelible lesson for both assureds and insurers to seek clarity and modify policy clauses relating to loss or damage from phishing or other social engineering attacks.

If a higher court were to approve this judgement and a similar practice is adopted in the UK by insurers, it will be very difficult for assureds who use third party providers to assist them with payment transfers and other transactions to successfully claim an indemnity from their insurers relying on similar policy wording. This would mean that even though the assured’s system was breached when the employee inadvertently shared their confidential account details, and though the phishing diverted funds belonging to clients of the assured, a policy bearing similar clauses to those provided above would not respond, since the outcome of the claim would be totally dependent on the definition of ‘hold’ and what was considered to be in the possession of the assured as per the requirement of the policy at the time the funds were fraudulently diverted.

To prevent such a harsh outcome for assureds, it is recommended that assureds negotiate with their brokers for their cyber insurance policies or commercial crime policies to include words which would cover situations where funds are being held in the account of an agent or third-party contractor. In so doing, the policy wording could be modified to include not just funds the assured ‘holds or owns’ but to also cover ‘loss of funds for which they have authority to direct’.

Variations in policy wording – UK

1. Cyber Crime[4]

a. We will indemnify you in respect of the following for loss by theft committed on or after the Retroactive Date stated in the schedule which is first discovered during the period of insurance and notified to us in accordance with Claims conditions applicable to Section B:

i) assets due to any fraudulent or dishonest misuse or manipulation by a third party of the computer system operated by you

ii) your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic, telegraphic, cable, telephone or email instructions to debit such account and to transfer, pay or deliver funds from such account and which instructions purport to have come from you but which are fraudulently altered, transmitted or issued by a third party or are a forgery.

  • In the event that any party other than an insured person enters into an agreement with a third party entity pretending to be you we will pay reasonable fees and costs to establish that such fraud has occurred should the third party seek to enforce such agreements against you provided that such loss is first discovered and is notified to us during the period of insurance.

The words provided in clause 1a (ii) will cause a different outcome when compared to how property was defined and what was decided by the court in RealPage. In RealPage the National Union insurance policy defined ‘property’ as that ‘i) owned or leased by the assured or ii) that you hold for others whether or not you are legally liable for the loss of such property’. By contrast, under Section B – Crime, clause 1a (ii) of the Zurich Cyber Policy, the assured will be indemnified for ‘your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic … or email instructions to debit such account and to transfer’. The difference with the Zurich policy is that, unlike the National Union policy in RealPage, there is no requirement for the assured to ‘hold’ the funds in the literal sense of the word. Furthermore, under the Zurich policy the insurer will only indemnify the assured if the funds are either his or those for which he is responsible at law. This is different in RealPage, as the National Union policy will cover property that the assured holds for others whether or not he is legally liable for the loss. Another distinguishing feature between the two policies is that in the Zurich policy the insurer will cover funds from an account maintained by the assured at a financial institution.

This latter feature has a similar meaning to ‘hold’ as interpreted by the court in RealPage. If we consider, for example, maintenance of a bank account, this includes holding and transferring funds within the account and the execution of other control mechanisms to ensure that the account remains active and in good financial standing. However, others may argue that ‘an account maintained by the assured at a financial institution’ should be given a wider meaning, in that even accounts owned or held by a third party at a financial institution may be maintained by the assured. In other words, maintenance of an account does not necessarily mean that the funds must be held or are being held by the assured as was decided in RealPage. If this interpretation should be applied to the facts in RealPage, it is reasonable to conclude that the insurers would have been held liable to indemnify the assured, since the monies in the account held by Stripe Inc were the legal responsibility of RealPage. Moreover, if the account was used solely to hold funds related to RealPage business, there should be no logical explanation as to why it cannot be accepted that RealPage is maintaining the account in accordance with the Zurich policy wording. Either way, the ambiguity and possibility of a trial will be removed if the parties clearly define and explain what is meant by ‘maintenance of account’.

For those businesses without a cyber insurance policy, coverage may be acquired under their commercial crime policy. Below is an example of a clause covering this type of loss that can be found in most crime policies:

Computer Fraud and Funds Transfer Fraud[5]

The Insurer shall indemnify the Insured for:

1. loss of or damage to Money, Securities or Property resulting directly from Computer Fraud committed solely by a Third Party; or

2. loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting directly from Funds Transfer Fraud committed solely by a Third Party.

“Funds Transfer Fraud” means fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions by a Third Party issued to a Financial Institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured at such institution, without the Insured’s knowledge or consent.[6]

Some crime policies in their definition section provide that a “Transfer Account” means “an account maintained by the Insured at a Financial Institution from which the Insured can initiate the transfer, payment or delivery of Money or Securities.”[7] Like the Zurich policy, the implications of the clause will turn on the meaning assigned to ‘maintenance of an account’ as discussed above.

Funds transfer fraud is also covered in Beazley Commercial Crime Insurance Module[8]:

Fund transfer fraud means the transfer of money, securities or other property due to electronic data, computer programs or electronic or telephonic transfer communications within a computer system operated by the insured having been dishonestly, fraudulently, maliciously or criminally modified, replicated, corrupted, altered, deleted, input, created, or prepared.

Fund transfer fraud does not include loss due to social engineering fraud.

Based on this definition and the exclusion of social engineering from Fund transfer fraud, an assured in RealPage’s position could not rely on the Funds transfer clause under their commercial crime policy. Instead, the assured would need to rely on the social engineering fraud clause (where not excluded), variations of which are found in most cyber insurance policies.

Social Engineering Fraud[9] means the insured having authorised, directed or acknowledged the transfer, payment, delivery or receipt of funds or property based on:

  • an electronic or telephonic transfer communication which dishonestly, fraudulently, maliciously or criminally purports to be, but is not, from a customer of the insured, another office or department of the insured, a financial organisation or vendor; or
  • a written or printed payment instruction obtained by fraudulent impersonation.

In some policies, for example the Zurich Cyber Policy, an obligation is placed on the assured to confirm the validity of the transfer instructions before actions are taken to send the funds to the account mentioned in the purported instructions. The confirmation must include ‘either verification of the authenticity or accuracy of the transfer instruction by means of a call back to a predetermined number or the use of some other verification procedure and the assured must keep a written record of the verifications along with all elements of the fraudulent transfer instruction’.[10] It is imperative for assureds to check their cyber insurance and/or commercial crime policies to ensure they have adequate protection against phishing and other types of social engineering attacks, as cyber criminals will continue to use these attack vectors to steal from companies.


[1] Civil Action No. 3:19-cv-1350-b (ND Tex Feb 24, 2021)

[2] Department for Digital, Culture, Media & Sport, ‘Cybersecurity breaches survey 2020’ (March 2020) <https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020> accessed 31 March 2021.

[3] The API calls sent from RealPage to Stripe provided information about the tenant’s account, the client’s destination account and the amount due to the client.

[4] Zurich Insurance plc, ‘Cyber Policy: Section B – Crime’ (2020) 29 <https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber> accessed 8 April 2021.

[5] Beazley Inc, ‘Crime Insurance Policy: Insuring Clause 1F’ (BICCR00020411) <https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[6] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition EE’ (BICCR00020411) <https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[7] Beazley Inc, ‘Crime Insurance Policy: Clause II Definition P’ (BICCR00020411) <https://www.beazley.com/documents/Management%20Liability/Crime/Crime%20Policy.pdf> accessed 9 April 2021.

[8] Beazley Inc, ‘Commercial Crime Insurance Module (Lloyds Syndicate) Clause F: Definitions’ <https://www.beazley.com/documents/Wordings/Commercial%20Crime%20Module%20%28Lloyd%27s%20syndicate%29.pdf> accessed 9 April 2021.

[9] Ibid.

[10] Zurich Insurance plc, ‘Cyber Policy: Conditions applicable to Section B – 7 Social Engineering Cover’ (2020) 31 <https://www.zurich.co.uk/business/business-insurance/specialty-lines/financial-lines/cyber> accessed 8 April 2021.

Deadfreight. Charterer’s nominated berth frustrates owner’s option as to quantity to load.

In London Arbitration 7/21 a vessel was chartered to carry coal. The owners were given the option to load between 27,000 and 33,000 mt of cargo, and the charterers were bound to provide a safe port/berth at the specified terminal. The owners exercised their option to load 33,000 mt.

Prior to the fixture being concluded the owners had emailed the charterers’ agents at the loading port and had been advised that the maximum draft at the terminal was in excess of 13 m. The agents indicated that the vessel would berth at a specified berth where the vessel would have had no problem in loading 33,000 mt.

Charterers ordered vessel to load at a different berth where there was a lower maximum sailing draft and failed to change the berth nomination. There was a shortfall of 1,590 mt of cargo.

The tribunal held that the owners were entitled to exercise their option as to cargo quantity unfettered, and the charterers were bound to load whatever amount the owners opted for up to 33,000 mt. If, by their choice of berth, the charterers prevented the vessel from loading that quantity, they put themselves in breach of that obligation. By ordering the vessel to a berth where the draft was so limited as to stop the vessel loading 33,000 mt, the charterers frustrated the exercise of the owners’ option. Charterers were liable to owners in damages for the shortfall in cargo loaded.

Off-hire and arrests unconnected with the vessel detained.

On 15 December 2018, while under time charter to Navision the “Mookda Naree” was arrested at Conakry in respect of a claim against sub-sub charterers Cerealis, and remained under arrest for nearly a month. The claim related to an alleged shortage claim against them by SMG in respect of cargo discharged at Conakry from a previous, unrelated vessel. The head charter and the sub-charter were time charters on the Asbatime form with additional clauses. In both cases, additional clause 47 put the ship off hire inter alia upon her being detained or arrested by any legal process, until the time of her release, “unless such … detention or arrest [was] occasioned by any act, omission or default of the Charterers and/or sub-Charterers and/or their servants or their Agents.” Additional clause 86 of the head charter, not included in the sub-charter, provided as follows:

“Trading Exclusions

When trading to West African ports Charterers to provide adequate security guards during port stays in these countries to protect the vessel her crew and cargo.

When trading to West African ports Charterers to accept responsibility for cargo claims from third parties in these countries (except those arising from unseaworthiness of vessel) including putting up security, if necessary, to prevent arrest/detention of the vessel or to release the vessel from arrest or detention and vessel to remain on hire.

…”

By cl.43 the Inter-Club Agreement was incorporated into the head charter.

Owners claimed that the vessel never went off-hire and that Navision was liable in damages for breach of cl.86. It was common ground that in the context of both time charters, Cerealis was a “sub-Charterer” within the clause 47 proviso.

The tribunal heard separate references by the sub charterer against the time charterer, and by the time charterer against the owners. They held that the clause 47 proviso applied, so that the vessel was not off hire after 12:00 hrs on 17 December 2018, because by that time her detention under arrest thereafter was occasioned by Cerealis’ failure promptly to deal with or secure SMG’s claim so as to procure her release.

In the head charter reference, the arbitrators held that the second paragraph of cl.86 applied, and was not limited to claims concerning cargo carried under the head charter. Therefore, the vessel was off-hire for the entire period under arrest.

On appeals by sub-charterers and time charterers against the awards, Andrew Baker J held, [2021] EWHC 558 (Comm) 10.3.21, that the tribunal had correctly concluded that the detention of “Mookda Naree” after 12:00 hrs on 17 December 2018 was occasioned by Cerealis’ failure to act. It ought reasonably to have acted to deal promptly with the claim being made against it by SMG, that being an “act or omission or default of … sub-Charterers” within the meaning of the proviso to clause 47 of both charters. As regards cl.86 under the head charter, which concerned the award of hire up to 12:00 on 17 December 2018, it was clear that clause 86 was intended to create a different regime to that generally applicable by reason of clause 47. The vessel never went off-hire during the period of the arrest.

The arbitrators had erred in their construction of clause 86 and should have said that SMG’s claim, though it related to a cargo that had been carried to a West African port, was not a cargo claim within clause 86 of the charter between the Owner and Navision because it did not concern “Mookda Naree’s” West African trading pursuant to that charter but a different ship altogether. It was therefore not a claim allocated to be Navision’s full responsibility by clause 86, any more than it would have been a claim to be dealt with under the Inter-Club Agreement pursuant to clause 43 in the absence of clause 86. Navision’s appeal against the award in the head charter reference succeeded to the extent that because the arbitrators misconstrued clause 86 they wrongly held that the ship never went off hire, whereas they should have held that when arrested she went off hire under clause 47 until the proviso bit from 12:00 hrs on 17 December 2018. They had also wrongly held that Navision had a liability for damages to be assessed for breach of clause 86.

Non-Disclosure, Materiality and Inducement in Commercial Insurance Context (Again)!

What happens if an assured fails to disclose to the insurer the fact that special conditions were imposed by another insurer as part of another insurance contract? Could that amount to an actionable non-disclosure under s. 18 of the Marine Insurance Act (MIA) 1906? This was the main issue in Niramax Group Ltd v. Zurich Insurance plc [2020] EWHC 535 (Comm). The assured, Niramax, is a company carrying out the business of waste collection and waste recycling from various sites in north-east England. Niramax held a suite of insurance policies with the insurer, Zurich, which provided cover for a variety of risks relating to its plant and machinery. One of these policies was a contractor’s plant policy which provided all risks cover for a mobile plant owned by the assured (the Policy). Niramax also held buildings cover separately with a variety of other insurers. One of these insurers was Millennium Insurance. In the process of providing insurance cover for a building owned by Niramax in 2014, a risk survey report was prepared by Millennium which laid out seven risk requirements. One of these requirements was the installation of a fire suppression system at the main recycling facility of Niramax located at Hartlepool. Even though the assured was reminded by Millennium of the need to install the fire suppression system on several occasions, the system was never installed, and as a result special conditions stipulated by the policy came into force on 22 October 2014, increasing the deductible to £250,000 and requiring Niramax to self-insure for thirty-five percent of the balance of any loss.

In December 2014, Niramax renewed its policy with Zurich on the mobile plant. In 2015, Niramax acquired another mobile plant (Eggersmann plant) and in September 2015, Zurich was persuaded to amend the Policy to extend cover to the newly acquired plant until the renewal date of mid-December 2015. On 4 December 2015, a fire broke out at Niramax’s premises and the Eggersmann plant along with the other plant was destroyed.

Niramax made a claim, which at trial was valued at around £4.5 million, under the Policy. The majority of the claim related to the loss of the Eggersmann plant, which was valued at around £4.3 million. Zurich refused to pay, stating that it was entitled to avoid the Policy for material non-disclosure and/or misrepresentation. Niramax brought the current proceedings against Zurich.

It was held that the assured’s non-compliance with risk requirements under the buildings policy with Millennium and the imposition of special terms under that policy were material facts which needed to be disclosed under s. 18(1) of the MIA 1906. However, the insurer (Zurich) failed to demonstrate that, if the facts had been fully disclosed, the Policy for the plant (effected in December 2014) would have been renewed. On the other hand, Zurich was able to demonstrate that, if the facts had been fully disclosed (especially imposition of special circumstances for the assured company (Niramax) by another insurer), the extension of cover for the Eggersmann plant would have been refused. Accordingly, it was held that the insurer, Zurich, was entitled to avoid the cover for the endorsement under the Policy and no indemnity was due for the loss of the Eggersmann plant. The insurer was required to return the premium received for the endorsement. Otherwise, the original Policy stood and the insurer was bound to indemnify Niramax for the items of mobile plant which were covered by the original Policy (as renewed in December 2014) and damaged in the fire.

Two comments are in order. First, it is interesting to see that the trial judge (Mrs Justice Cockerill) found that the original policy stood (i.e. there was no inducement) even though it would have not been written on the same terms (i.e. with higher premium to reflect the correct multiplier) if full disclosure had been made by the assured. This certainly raises an interesting question going forward on the application of the test of inducement and seems to be at odds with the sentiments expressed by Clarke, LJ, in Assicurazioni Generali SpA v. Arab Insurance Group [2002] EWCA Civ 1642; [2003] Lloyd’s Rep IR 131, at [62] (emphasis added):

In order to prove inducement the insurer or reinsurer must show that the non-disclosure or misrepresentation was an effective cause of his entering into the contract on the terms on which he did. He must therefore show at least that, but for the relevant non-disclosure or misrepresentation, he would not have entered into the contract on those terms. On the other hand, he does not have to show that it was the sole effective cause of his doing so.

Second, the contract was obviously concluded before the Insurance Act 2015 (IA) came into force, but it is highly unlikely that the application of the IA 2015 would have led to a different outcome. The materiality test applicable under the IA 2015 (under s. 7(3) of the IA 2015) is practically the same and there is still a need to prove inducement for actionable non-disclosure under the 2015 Act.

Microsoft Exchange Email Hacks!

Another cyber-attack, labelled the ‘Microsoft Exchange Email hacks’, hits the news again! This attack has been concerningly described as a ‘zero-day’ attack. A zero-day attack exploits vulnerabilities that were unknown to the software vendor before the attack, so the vendor has had zero days to issue a fix when exploitation begins. Like so many things happening around the world at this point, the race is on to get on top of these attacks, which are believed to be state sponsored and cultivated in China by the hacking group Hafnium. The Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world. It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that their system has been compromised and that there is a possibility that personal data has been exposed.

What happened?

Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities in the server’s system to enter the Microsoft Exchange Server, which is used by large corporations and public bodies across the world. The calendar software of governments and data centres was also compromised. The hackers also sometimes used stolen passwords to gain unauthorized access to the system. The hackers would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.

Tom Burt, a VP at Microsoft, described in sequential order how the attack was carried out:

First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.

Second, it would create what’s called a web shell to control the compromised server remotely.

Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.[1]

What is not affected?

The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar services that are included in commercial Office 365 and Microsoft 365 subscriptions.

International Response

In response, Microsoft issued a software update for its 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cyber Security Centre and the US and Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.

But what does this mean for insurers?

This is an extra dent in the cyber security efforts of companies and public bodies and yet another opportunity for a lesson to the insurance market of the potential global and high aggregate loss from just one attack. This incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. Similarly, it is another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever they may be. So far, the impact is widespread, and victims include organisations such as infectious disease researchers, law firms, higher education institutions, defence contractors and NGOs. Cybersecurity group Huntress has reported that many of their partners’ servers have been affected, and they include small businesses, for example small hotels, an ice cream company, senior citizen communities, banks, local government and electricity companies.[2]

In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies will present their claims to insurers and how insurers will respond to claims from assured whose businesses may have been interrupted by the Exchange Email hacks.

There will be gaps and exclusions in these Business Interruption policies which may not provide adequate protection against cyber risks so it is the assured with a cyber risk policy / insurance coverage who will be the most protected during and after these attacks.

Applicable cyber insurance clauses and possible response of insurers

Most cyber insurance policies cover data loss and business interruption as a result of a security breach so this will not be much of an issue for assureds with cyber insurance coverage. There are exclusions in most cyber insurance policies which may leave an assured vulnerable when hacking of this nature (Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact further:

  • First Party Loss

costs or expenses incurred by the insured to identify or remediate software program errors or vulnerabilities or update, replace, restore, assemble, reproduce, recollect or enhance data or computer systems to a level beyond that which existed prior to a security breach, system failure, dependent security breach, dependent system failure or extortion threat;

  • Betterment

for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;

The inclusion of this or any clause with similar wording means the assured may not be covered for the expenses and costs incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the expenses or costs incurred to install the patches as recommended by Microsoft, as these will be classified as updates or enhancements to the computer system beyond the level that existed prior to the security breach.

  • Infrastructure failure

We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:

i. Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.

OR

ii. failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.

OR

  • Third party providers
i. arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;

OR

ii. The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.

Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’ to relieve the insurer of any liability to the assured? Given Microsoft’s role as a software service provider of Microsoft 365 and Azure, it will be no surprise to see claims being denied based on clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by applying the ejusdem generis rule, stating that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to the Cambridge dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that the Microsoft Exchange Server qualifies as software needed for a computer system to operate and communicate with other computers. Rather, the function of the Microsoft Exchange Server is to aid with email storage and calendaring and is unrelated to other operational functions necessary to communicate with other computers.

Certainly, ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create fewer problems for the insurer in establishing that the exclusion applies, as this broad construction will exclude losses and expenses from incidents such as the Microsoft Exchange Email hack.

  • Government intrusion
i. which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;

Since the Microsoft Exchange Email hacks are believed to have been carried out by Hafnium, which is a government backed group, it is reasonable to identify them as agents of the government of China. Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for their loss or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.

Conclusion and the way forward

As aforementioned, it is early days and the real financial impact, if any, from these attacks is not yet known. However, what is certain is that hackers, whether state sponsored or not, are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Therefore, companies and public bodies must continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks, which unfortunately will happen at one point. Among those decisions should be the purchase of cyber insurance policies that address the needs of the business, with particular attention being placed on the exclusion clauses and ensuring that as an assured you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone.

While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for those small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Therefore, larger corporations within the supply chain must offer their expertise to the small and medium sized businesses with which they trade to respond to this and other cyber security threats.  Since Microsoft Exchange Online servers have not been affected, many small and medium sized businesses may begin to switch to using cloud-based email storage. However, this does not mean they will be immune from cyber-attacks.

Tokio Marine in their Cybersecurity Insurance Policy wording 0417 went as far as to include a list of reasonable steps that an insured should take to avoid / mitigate their loss and these along with government and industry guidelines should be a good starting point in your fight against cyber attacks and their debilitating impacts.

Reasonable steps to avoid Loss

The Insured shall protect its Computer system by:

a. having Virus protection software operating, correctly configured and regularly or automatically updated;

b. updating Computer systems with new protection patches issued by the original system or software manufacturer or supplier;

c. having a fire wall or similar configured device to control access to its Computer system;

d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;

e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;

f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;

g. taking regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;

h. having an operational system for logging and monitoring user activity on its Computer system;

i. remote wipe functionality is installed and enabled on all portable devices where such functionality is available


[1] Tom Burt, ‘New Nation-State Cyberattacks’ (02 March 2021) <https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/> accessed 14 March 2021.

[2] John Hammond, ‘Rapid Response: Mass Exploitation of On-Prem Exchange Servers’ (03 March 2021) <https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers> accessed 14 March 2021.

No strikeout for Bangladeshi ship scrapping claim: but don’t hold your breath

As we mentioned on this blog last August, these days you have to be careful who you sell an old ship to. In Begum v Maran [2021] EWCA Civ 326, MUK, the English managers of a Liberian ship fit only for scrap, helped arrange her sale to a buyer who paid fairly handsomely. That buyer proceeded (entirely foreseeably) to have her scrapped by a thoroughly dodgy outfit called Zuma in a dangerous and environmentally irresponsible way on a Bangladeshi beach. A worker engaged in stripping the hulk fell to his death. Prospects of recovery from Zuma being low, if for no other reason because of a local one-year statute of limitations during the running of which nothing had been done, his widow sued MUK as of right in England because of its domicile here, alleging negligence. Jay J decided that it was arguable that MUK had owed the man a duty of care, and that the local limitations law might be circumvented, and refused a strikeout. MUK appealed.

The Court of Appeal yesterday allowed the case to go ahead, though only very grudgingly and on a more limited basis than Jay J. The Court was particularly sceptical on the limitation point. Under Rome II, applicable to the claim as it predated Brexit (and still applicable to post-Brexit claims in its domesticated form), the law governing the claim – including on the subject of limitation – was Bangladeshi. This immediately defeated the claimant unless she could escape it. The judge had regarded as possibly plausible a contention that Art.7 of Rome II allowed her to invoke English law because her husband’s death had resulted from environmental damage caused by an event here – namely, MTM’s arrangements for sale of the ship. But this was dismissed on appeal as unarguable: rightly so, since this simply wasn’t an environmental case in the first place. But the court did see it as arguable – just – that the limitation period was so short that an English court might disapply it on public policy grounds under Art.26 of Rome II, and ordered a preliminary issue on the point.

On the substantive points, the widow argued either that MUK had owed her husband a duty of care on the principle of Donoghue v Stevenson [1932] AC 562, or that MUK’s sale of the vessel when it should have known that it was likely to be dangerously demolished had created an immediate danger to her husband’s life and thus engendered a duty in respect of the bad practices of his employers Zuma.

Giving the lead judgment, Coulson J was very sceptical on the first point. This wasn’t, he said, a case of a disposal of a dangerous thing, but rather the furnishing of an opportunity for a third party to be negligent in respect of a thing not inherently perilous. Whether this could give rise to a duty his Lordship thought very doubtful indeed – but still not quite implausible enough to justify an immediate strikeout. Our view is that the doubts were fully justified. We normally expect employers to look after their employees; to put a duty on third parties to police the behaviour of contractors they engaged in that respect is to say the least drastic. Should I really have to scrutinise or supervise the employment practices of the builder I employ to extend my house in case one of his workers is hurt? It seems doubtful.

On the second point, the difficulty (a considerable one) was the general rule that people were not generally made responsible for the wrongs of others, however foreseeable. But, said Coulson J, there were possible exceptions where the danger in question had been created by a defendant. And while it seemed unlikely that this would apply here, the law was not absolutely clear and the prospect of persuading a sceptical judge to recognise a duty of care wasn’t dismal enough to deny the widow the chance to argue the toss. Her prospects might be slim, but she was entitled to chance her arm.

This case will possibly be hailed in the liberal media as an advance in the campaign to make big business in Britain take responsibility for the activities of its dodgier partners abroad. But commercial lawyers know better than to engage in chicken-counting. Remember, the claimant here only avoided a strikeout by the skin of her teeth. Her chances of recovering much over and above a nuisance value or reputation-saving settlement remain, it seems fair to say, pretty slim.

Oh, and one more thing. The ability to sue a UK-domiciled company here as of right disappeared with Brussels I Recast in a puff of celebratory Brexit firework smoke at 2300 hours on 31 December last. It follows that, barring swift adherence by the UK to the Lugano convention (increasingly unlikely by all the indications), any future claimant basing their complaint on events in a far-off land with no ostensible connection to England will now also face the prospect of a forum non conveniens application. This may well have an appreciable chance of success. There is, after all, no immediately apparent reason why the English courts should act as the policemen of work practices worldwide, however much sympathy we may feel for a claimant personally.

In short, the boardrooms of corporate Britain, and even more those of their liability insurers, may well see some sighs of relief, if not discreet socially-distant celebrations, in the next few days.

The preservation of commercially sensitive information during litigation

Issues of confidentiality often arise in litigation under procurement challenges, as illustrated in the recent case of Bechtel v High Speed Two (HS2) [2021] EWHC 458.

In this case Mr Justice Fraser noted, “[I]n my judgment, the level of profit in percentage terms that a tenderer included in its bid in this procurement competition is properly described as commercially confidential, and is also something that any tenderer, whether a claimant in proceedings or otherwise, would wish to keep confidential for justifiable reasons.”[35]

In terms of how to retain the confidentiality of such information during litigation, it is contrary to open justice and transparency to have trials conducted (even partially) in secret for all but those legal representatives who sit within a court’s prescribed ‘confidentiality ring’.

At the same time, judgements need to be readily comprehensible and include reference to all relevant material and reasoning of the judge, so having a separate confidential appendix or schedule in a judgement should only occur when there is no viable alternative.

In the circumstances of the present case Mr Justice Fraser concluded there was no viable alternative available to him, for without such a confidential appendix to his judgement (available only to those within the ‘confidentiality ring’), he “would run the real risk of destroying justified confidentiality in commercial issues.”[34]

Updated BIMCO versions of TOWCON, TOWHIRE and BARGEHIRE forms. Work in progress on new Force Majeure clause.

BIMCO have released new versions of their TOWCON, TOWHIRE and BARGEHIRE forms. New to TOWCON 2021 are a provision for mid-voyage bunkering on longer tows, and a mechanism for calculating compensation due to slow steaming or deviation. BARGEHIRE 2021 now contains clearer wording relating to off-hire surveys, repairs and redelivery. These have often been a source of dispute in the past.

BIMCO has also announced details of progress on its new Force Majeure clause. It takes the approach that neither party may terminate the contract while the vessel is carrying cargo. It notes that termination by owners with cargo on board will entail their continuing responsibility for the cargo as bailees, with no rights of recourse against charterers for discharge costs.

The new bolt-on to the clause sets out a number of liberties if force majeure prevents the completion of loading, or the departure from the load port, or discharge, for more than 21 days from when force majeure notice was declared. Extra costs incurred thereby should be allocated in accordance with the contract, in particular terms as to allocation of responsibility for loading or discharge, such as FIOST terms.

Any extra costs incurred in exercising any of the liberties should be allocated in accordance with the contract. This will require examining how the responsibility for loading and discharge has been allocated in the underlying contract, for example, if it is on FIOST (Free In Out Stowed and Trimmed) terms.

The BIMCO sub-committee also considered how the draft clause would relate to other BIMCO clauses in the same contract such as the war, piracy and infectious or contagious diseases clauses. These allow owners to reject proceeding to a risk area, and if they do, to provide a cost allocation mechanism. By contrast, the purpose of the Force Majeure clause is to protect a party from liability in damages in case of force majeure, and as a last resort to allow termination, something complementary to the other BIMCO clauses, and not in conflict with them.

The sub-committee noted that it is for the parties to decide whether a Force Majeure clause belongs in a period time charter, and the triggers for the clause have been set deliberately high. Firstly, the party claiming force majeure must prove the existence of the force majeure event; that the event was beyond its control; that it could not have been foreseen; and that its effects were unavoidable. Secondly, the right to terminate will only be available if performance becomes impossible, illegal or radically different, or substantially affects the whole contract during an agreed number of days.

This second aspect is similar to the doctrine of frustration, but BIMCO state: “However, there is an important difference – if a party can bring itself within that termination provision, it will be able to terminate immediately, from day one. Under frustration, the contract would only be considered frustrated and terminated after a very long time compared to the overall contract period. There are two termination provisions in the clause and the other one provides a longstop right to terminate after an agreed amount of time has passed. The number of days will have to be negotiated depending on the contract in question.”

The BIMCO Force Majeure Clause and the additional bolt-on provision will be presented for adoption in May this year.