A company that claimed $31,790 after its directors were forced to address a ransomware attack on a supplier will not be paid following an insurance dispute ruling.

The claimant said the directors worked about 289 hours combined to mitigate the issue with the supplier and prevent significant financial impact on their business and its trade.

It said the work was performed in addition to normal business operations and the amount sought reflected a rate of $110 per hour.

The insured’s cyber event protection policy was divided into four sections, with one part responding to “impact on business costs” caused by supplier outage, including “an increase in expenses that were incurred to avoid a reduction in revenue”.

The complainant argued the time expended by the directors should be considered “an increased cost to avoid a reduction in revenue”.

Lloyd’s Australia disagreed and denied the claim, saying the event had not resulted in additional costs or revenue loss for the entity.

The Australian Financial Complaints Authority accepts the policy will “only respond if the complainant can show a reduction in revenue or an increased cost incurred”. It says the company did not show this.

The ruling says no extra cost was caused, such as if the directors had charged it for the additional time, and it challenges the complainant’s assessment that the term “increased cost incurred” could be interpreted to include unpaid hours worked by the directors to address the issue.

“I acknowledge the directors’ effort likely saved the business, and possibly the insurer, from a financial loss,” the complaints authority adjudicator said. “However, the insurer is not required to indemnify the complainant under a potential loss saved.”

The decision also dismisses the insured’s bid for non-financial losses caused by the claim denial, saying Lloyd’s Australia acted consistently with the policy.  

Click here for the ruling.