What happens if an assured fails to disclose to the insurer the fact that special conditions were imposed by another insurer as part of another insurance contract? Could that amount to an actionable non-disclosure under s. 18 of the Marine Insurance Act (MIA) 1906? This was the main issue in Niramax Group Ltd v. Zurich Insurance plc  EWHC 535 (Comm). The assured, Niramax, is a company carrying out the business of waste collection and waste cycling from various sites in north-east England. Niramax held a suite of insurance policies with the insurer, Zurich, which provided cover for a variety of risks relating to its plant and machinery. One of these policies was a contractor’s plant policy which provided all risks cover for a mobile plant owned by the assured (the Policy). Niramax also held buildings cover separately with a variety of other insurers. One of these insurers was Millennium Insurance. In the process of providing insurance cover for a building owned by Niramax in 2014, a risk survey report was prepared by Millennium which laid out seven risk requirements. One of these requirements was the installation of a fire suppression system at the main recycling facility of Niramax located at Hartlepool. Even though the assured was reminded by Millennium of the need to install the fire suppression system on several occasions, the system was never installed and as a result special conditions stipulated by the policy came into force on 22 October 2014 increasing the deductible to £ 250,000 and requiring Niramax to self-insure for thirty five percent of the balance of any loss.
In December 2014, Niramax renewed its policy with Zurich on the mobile plant. In 2015, Niramax acquired another mobile plant (Eggersmann plant) and in September 2015, Zurich was persuaded to amend the Policy to extend cover to the newly acquired plant until the renewal date of mid-December 2015. On 4 December 2015, a fire broke out at Niramax’s premises and the Eggersmann plant along with the other plant was destroyed. Niramax made a claim, which, at trial was valued at around £ 4.5 million, under the Policy. The majority of the claim related to the loss of the Eggersmann plant, which was valued around £ 4.3 million. Zurich refused to pay stating that it was entitled to avoid the Policy for material non-disclosure and/or misrepresentation. Niramax brought the current proceedings against Zurich.
It was held that the assured’s non-compliance with risk requirements under the buildings policy with Millennium and the imposition of special terms under that policy were material facts which needed to be disclosed under s. 18(1) of the MIA 1906. However, the insurer (Zurich) failed to demonstrate that, if the facts had been fully disclosed, the Policy for the plant (effected in December 2014) would have been renewed. On the other hand, Zurich was able to demonstrate that, if the facts had been fully disclosed (especially imposition of special circumstances for the assured company (Niramax) by another insurer), the extension of cover for the Eggersmann plant would have been refused. Accordingly, it was held that the insurer, Zurich, was entitled to avoid the cover for the endorsement under the Policy and no indemnity was due for the loss of the Eggersmann plant. The insurer was required to return the premium received for the endorsement. Otherwise, the original Policy stood and the insurer was bound to indemnify Niramax for the items of mobile plant which were covered by the original Policy (as renewed in December 2014) and damaged in the fire.
Two comments are in order. First, it is interesting to see that the trial judge (Mrs Justice Cockerill) found that the original policy stood (i.e. there was no inducement) even though it would not have been written on the same terms (i.e. with higher premium to reflect the correct multiplier) if full disclosure had been made by the assured. This certainly raises an interesting question going forward on the application of the test of inducement and seems to be at odds with the sentiments expressed by Clarke, LJ, in Assicurazioni Generali SpA v. Arab Insurance Group  EWCA Civ 1642;  Lloyd’s Rep IR 131, at  (emphasis added): In order to prove inducement the insurer or reinsurer must show that the non-disclosure or misrepresentation was an effective cause of his entering into the contract on the terms on which he did. He must therefore show at least that, but for the relevant non-disclosure or misrepresentation, he would not have entered into the contract on those terms. On the other hand, he does not have to show that it was the sole effective cause of his doing so.
Second, the contract was obviously concluded before the Insurance Act 2015 (IA) came into force but it is highly unlikely that the application of the IA 2015 would have led to a different outcome. The materiality test applicable under the IA 2015 (under s. 7(3) of the IA 2015) is practically the same and there is still a need to prove inducement for actionable non-disclosure under the 2015 Act.
Another cyber-attack labelled ‘Microsoft Exchange Email hacks’ hits the news again! This attack has been concerningly described as a ‘zero day’ attack. A zero-day attack means that the points of vulnerability were unknown before the attack, so defenders had no patch available and no time (zero days) to fix the weakness before it was exploited. Like so many things happening around the world at this point, the race is on to get on top of these attacks which are believed to be state sponsored and cultivated in China by the hacking group Hafnium. The Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world. It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that their system has been compromised and that there is a possibility that personal data has been exposed.
Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities in the server’s system to enter the Microsoft Exchange Server which is used by large corporations and public bodies across the world. The calendar software of governments and data centres was also compromised. The hackers also sometimes used stolen passwords to gain unauthorized access to the system. The hackers would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.
Tom Burt, a VP at Microsoft, described in sequential order how the attack was carried out:
First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
Second, it would create what’s called a web shell to control the compromised server remotely.
Third, it would use that remote access – run from the U.S. based private servers – to steal data from an organization’s network.
What is not affected?
The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar services that are included in commercial Office 365 and Microsoft 365 subscriptions.
In response, Microsoft issued a software update for its 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cyber Security Centre, the US and the Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.
But what does this mean for insurers?
This is an extra dent in the cyber security efforts of companies and public bodies and yet another opportunity for a lesson to the insurance market on the potential global and high aggregate loss from just one attack. This incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. Similarly, it is another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever they may be. So far, the impact is widespread, and victims include organisations such as infectious disease researchers, law firms, higher education institutions, defence contractors and NGOs. Cybersecurity group Huntress has reported that many of their partners’ servers have been affected and they include small businesses, for example small hotels, an ice cream company, senior citizen communities, banks, local government and electricity companies.
In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies will present their claims to insurers and how insurers will respond to claims from assured whose businesses may have been interrupted by the Exchange Email hacks.
There will be gaps and exclusions in these Business Interruption policies which may not provide adequate protection against cyber risks so it is the assured with a cyber risk policy / insurance coverage who will be the most protected during and after these attacks.
Applicable cyber insurance clauses and possible response of insurers
Most cyber insurance policies cover data loss and business interruption as a result of a security breach so this will not be much of an issue for assureds with cyber insurance coverage. There are exclusions in most cyber insurance policies which may leave an assured vulnerable when hacking of this nature (Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact further:
for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;
The inclusion of this or any clause with similar wording means the assured may not be covered for the expenses and cost incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the expenses or costs incurred to install the patches as recommended by Microsoft, as these will be classified as updates or enhancements to the computer system beyond the level that existed prior to the security breach.
We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:
Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.
ii. failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.
Third party providers
arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;
ii. The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.
Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’ to relieve the insurer of any liability to the assured? As Microsoft is the software service provider of Microsoft 365 and Azure, it will be no surprise to see claims being denied based on clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by applying the ejusdem generis rule, arguing that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to Cambridge dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that the Microsoft Exchange Server qualifies as a software needed for a computer system to operate and communicate with other computers. Rather, the function of the Microsoft Exchange Server is to aid with email storage and calendaring and is unrelated to other operational functions necessary to communicate with other computers.
Certainly, the wording ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create fewer problems for the insurer in establishing that the exclusion applies, as this broad construction will exclude losses and expenses from incidents such as the Microsoft Exchange Email hack.
which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;
Since the Microsoft Exchange Email hacks are believed to have been carried out by Hafnium, which is a government backed group, it is reasonable to identify them as agents of the government of China. Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for their loss or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.
Conclusion and the way forward
As aforementioned, it is early days and the real financial impact, if any, from these attacks is not yet known. However, what is certain is that hackers, whether state sponsored or not, are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Therefore, companies and public bodies must continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks which unfortunately will happen at one point. Among those decisions should be the purchase of cyber insurance policies that address the needs of the business, with particular attention being placed on the exclusion clauses and ensuring that as an assured you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone.
While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for those small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Therefore, larger corporations within the supply chain must offer their expertise to the small and medium sized businesses with which they trade to respond to this and other cyber security threats. Since Microsoft Exchange Online servers have not been affected, many small and medium sized businesses may begin to switch to using cloud-based email storage. However, this does not mean they will be immune from cyber-attacks.
Tokio Marine in their Cybersecurity Insurance Policy wording 0417 went as far as to include a list of reasonable steps that an insured should take to avoid / mitigate their loss and these along with government and industry guidelines should be a good starting point in your fight against cyber attacks and their debilitating impacts.
Reasonable steps to avoid Loss
The Insured shall protect its Computer system by:
a. having Virus protection software operating, correctly configured and regularly or automatically updated;
b. updating Computer systems with new protection patches issued by the original system or software manufacturer of supplier;
c. having a fire wall or similar configured device to control access to its Computer system;
d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;
e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;
f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;
g. taking regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;
h. having an operational system for logging and monitoring user activity on its Computer system;
i. remote wipe functionality is installed and enabled on all portable devices where such functionality is available
Bluebon Ltd (in liquidation) v Ageas (UK) Limited, Aviva Insurance Ltd and another  EWHC 3301 (Comm)
The assured, owners of the Star Garter Hotel at West Lothian, having purchased the property in December 2007, obtained an insurance policy from insurers, Ageas and Aviva, which incepted on 3 December 2009 for a period of 12 months. The insured property suffered loss by fire on 15 October 2010 and a claim was made. The insurers denied liability on the premise that the Electrical Installation Inspection Warranty was breached. The relevant term in the policy was worded as follows:
“It is warranted that the electrical installation be inspected and tested every five years by a contractor approved by the National Inspection Council for Electrical Installation (NICEIC) and that any defects be remedied forthwith in accordance with the Regulations of the Institute of Electrical Engineers.”
On the premise that the last electrical inspection at the Hotel had taken place in September 2003, the insurers argued that the policy was either void or suspended from the outset. In the case, the trial judge, Bryan, J, was required to determine:
The proper construction of the Warranty – was the five-year period to be calculated from the date of the last electrical inspection, or from Policy inception?
Was the Warranty a True Warranty, a Suspensive Warranty, or a Risk Specific Condition Precedent, and what was the consequence of a breach?
The proper construction of the warranty
The assured argued that the five year period should be calculated from the date the policy has been incepted. Taking into account the commercial purpose of the warranty, i.e. ensuring that the risk of fire is minimised (whilst also protecting the health and safety of the insured and the occupiers of the hotel), the judge rejected this contention. This objective can only be achieved if the electrical installation is inspected at regular intervals, e.g. every five years, and any defects identified are remedied. The judge also suggested that the contention of the assured, i.e. the installation inspected every 5 years from the inception of the policy, would make no commercial sense and not work in the context of a one year policy, like this one.
This outcome makes sense and the judgment is in line with recent authorities on the matter such as AC Ward & Son Ltd v. Catlin (Five) Ltd  EWHC 3122 (Comm) and GE Frankona Reinsurance Ltd v. CMM Trust No 1400 (The Newfoundland Explorer)  EWHC 429 (Admlty), analysed by the author in his contribution to the 4th Volume of The Modern Law of Marine Insurance (2016, Informa Law), “New Parameters in Construing Insurance Contracts”.
Legal classification of the clause
The insurers argued that the clause in question was a true warranty and accordingly in this case breach had the effect of rendering the policy void from inception as the warranty related to a period before the attachment of the risk. Alternatively, they argued that the clause was a “suspensive provision” and as the inspection had not been carried out in 2008, the cover was suspended from the outset, i.e. the insurer never came on the risk. Conversely, the assured argued that the clause was a “Risk-Specific Condition Precedent”- i.e. a term which required compliance in respect of risks relating to the electrical installation. Therefore, in case of breach the assured could not recover for liabilities that emerge from risks associated with the electrical installation but cover should be available for liabilities that emerge from other risks.
The assured’s contention was a novel one and essentially based on the premise that a clause could make compliance with a specific aspect of the risk condition precedent to liability. That is certainly possible but clear and apposite language is required to achieve such an outcome. That does not seem to be the case here and the trial judge finding in favour of the insurers expressed the view that the clause was a “suspensory provision”. In reaching this conclusion, he worked on the assumption that the clause was designed to ensure that the assured undertakes such an inspection immediately if there had been no such inspection in the last five years. In other words, he assumed that the intention of the clause was to encourage the assured to get the inspection done as soon as possible by suspending the cover until it is completed. The author is not certain that this was the original intention of the insurers. The insurers in all probability desired to assess the risk accurately at the outset by ensuring that they were insuring a property that had gone through electrical surveys at regular intervals. To the author, it was clear that the clause went to the root of the contract and bore materially on the risk of fire and damages would not have been an adequate remedy (these are all the attributes of a true warranty as highlighted by Rix, LJ in HIH Casualty & General Insurance v New Hampshire Insurance Co  EWCA Civ 735, at ). In fact the judge himself appreciated that the term carried all these attributes! It is, therefore, arguable that this was a true warranty.
In the end, the judge’s classification of the clause as a “suspensory provision” had no impact on the outcome. In the present case, the cover was suspended from the outset as the electrical survey had not been concluded 5 years after the previous one by the time the policy had been incepted.
The outcome is in line with the recent trend in the judiciary, i.e. to avoid classifying terms as warranties due to the harshness of the remedy they attract in case of their breach. (see, for example, Sugar Hut Group v. Great Lakes Reinsurance (UK) Plc  EWHC 2636 (Comm)) Of course, had the case been considered under the Insurance Act 2015 a different outcome could have been possible. Under s. 11 of the 2015 Act, the assured could possibly argue that this was a term designed to reduce the risk of a particular type (i.e. fire that is caused by electrical default) and the assured should be able to recover for the loss if he can show that its breach did not increase the risk of the loss which occurred in the circumstances in which it occurred.
It is worth noting that s. 11 is not available in cases where the term in question is designed to define the risk in a general way. The author does not think that the clause in question is of that nature but nevertheless one should be alert to the fact that this kind of dispute could arise under the new Act as s. 11 introduces a type of causation test from the backdoor (even though the Law Commissions were desperate to avoid such an outcome!). (For a more analytical evaluation of s. 11 and the effect of changes on law see B. Soyer, “Risk Control Clauses in Insurance Law: Law Reform and the Future” (2016) Cambridge Law Journal 109.)
The Institute of International Shipping and Trade Law (IISTL), a research centre within the College of Law and Criminology, continues to expand its operations. On 26 June, it collaborated with marine advocacy group Oceana to organise an afternoon seminar in London on the insurance and regulatory aspects of irregular fishing (known in the trade as fishing that is illegal, unreported and uncontrolled (IUU)). The main purpose of the event was to disseminate as widely as possible the results of a study carried out by three members of the Institute (Barış Soyer, George Leloudas and Dora Nikaki) in collaboration with researchers from University of British Columbia (Canada). In summary, the study found that it had been disconcertingly easy for vessels involved in IUU fishing to get liability insurance in the market. The study recommended an urgent review of underwriting processes and consideration of regulatory changes to put insurers under a legal duty to deny cover to vessels known to be connected with IUU activities.
The event, which attracted an impressive 60 delegates, provided an excellent opportunity for those throughout the sector to engage in the debate. Presentations from Lasse Gustavsson (Senior Vice President of Oceana Europe), Kjetil Saeter (Norwegian Business Daily), David Vajnai (Vice President Marsh Global Marine Practice), Baris Soyer and George Leloudas (IISTL) and Dana Miller (a marine scientist with Oceana Europe) were followed by a lively debate led by insurers, brokers and policy-makers. The afternoon ended with a reception generously sponsored by the Waterloo Foundation, which was also the funder of the project. An academic article, which is co-written by Professor B. Soyer, Associate Professor G. Leloudas and Dr D. Miller, detailing main findings of the project is to appear in Transnational Environmental Law later this year.
Dr Leloudas talking about the regulatory aspects of the issue
One of the most appalling rules of English insurance law finally bites the dust next year. The Enterprise Act 2016 received the Royal Assent earlier this month. From 4 May next year it inserts a new section (s.13A) in the Insurance Act 2015 finally allowing damages for late payment of insurance claims.
Put simply, in 2008 there was a nasty railroad smash in California involving Connex. Connex’s insurer XL paid up to the victims. They then alleged that AXA, a French insurer, had insured the same risk and claimed contribution from it in London on the basis of double insurance. AXA applied to strike on the basis that, being French-based, it had the right to be sued in France under Brussels I Recast, Art.4. XL countered on the basis that this was a claim “relating to a contract” under Art.7(1), or one “relating to tort, delict or quasi-delict” under Art.7(2); in which case AXA could be sued in the place of performance or the place where the harmful act occurred as the case might be.
HHJ Waksman QC obliged by striking out.
This was not a claim relating to a contract, since although there were a couple of insurance contracts in the background, a claim relating to a contract involved a contractual duty of some sort obliging the defendant to render performance to the claimant: this wasn’t the case here. If anything, one insurer’s liability to contribute to the other’s payment is a claim in unjust enrichment. True, an EU Advocate-General had said exactly the opposite a couple of months earlier in Ergo Insurance v P & C Insurance Cases C-359 and 475/14 (see http://curia.europa.eu/juris/document/document.jsf?text=&docid=168543&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=281090), opining that this was a contract claim, with the place of performance being that of the underlying insurance policies. But the judge did not mince his words: he said that Adv-G Sharpston (incidentally an English ex-academic long since inveigled away by the good life in Brussels) did not understand the matter and was simply wrong.
Nor was this anything “relating to tort, delict or quasi-delict”. Taking the narrow view of this as requiring at least some degree of liability for wrongs (see Reichert v Dresdner Bank  I.LPr. 404), it didn’t embrace contribution: no wrong was committed by one insurer not paying while another insurer did.
This all matters, if only because contribution claims can’t normally be subjected to a jurisdiction agreement. Put shortly it seriously raises the bar for those seeking contribution if their lawyers may potentially have to jurisdiction-hop anywhere in the EU to obtain their money. But the betting is strong that this isn’t the last word. Watch this space.
It has just been announced that Professor Soyer’s recent book “Marine Insurance Fraud” has won the 2015 BILA Book Prize. This prize, for the best book on insurance law, is awarded annually by the British Insurance Law Association Charitable Trust, a body existing to promote research on the interrelationship between law and insurance.
BILA 2015 Prize for Professor Barış Soyer’s book “Marine Insurance Fraud”
The announcement was made at BILA’s Annual General Meeting on 16 October 2015. Alison Green, Chair of the BILA Charitable Trustees, congratulated Professor Soyer, not only for having written a highly relevant, interesting and accessible book, but also for being the only author to win the Prize twice (having first won the Prize in 2002 for his first monograph on warranties in marine insurance).
His most recent prizewinning monograph, published last year, gives a comprehensive and coherent legal analysis of the impact of fraud on the position of various parties to a marine insurance contract. At the time of publication it was seen as a winner. In the foreword, Sir Bernard Rix (formerly a Lord Justice of Appeal) stated: “Professor Soyer has written a book on an important and fascinating theme which not only states the law in a clear and concise way, but also analyses it critically, insightfully and helpfully. I am confident that it will be used profitably by a wide range of readers.”
Professor Barış Soyer is the Director of the Institute of International Shipping and Trade Law, a research institute based in the College of Law at Swansea University. He has taught marine insurance and other aspects of commercial law at Swansea for some 15 years.
Hard on the heels of legislation in the Insurance Act 2015 about fraudulent claims by the insured, readers may like to know that insurers can now take comfort from s.57 of the Criminal Justice and Courts Act 2015 concerning third party dishonesty. Essentially where there is substantial dishonesty in or about an injury claim the entire claim falls to be dismissed, subject to a “substantial injustice” exception.