top of page
  • Writer's picturePaul Peter Nicolai

Ransomware Claim Subrogation

Updated: Jan 3, 2023

Ransomeware cases are on the rise, and so are insurance claims. Some insurers are responding to cyber claims by trying to minimize losses through third-party actions.

An initial question is the type of policy. Is this an occurrence or a claims-made policy? Occurrence policies provide coverage if the negligent act or omission occurs within the policy period, regardless of the date of discovery or the date the claim is made or asserted. They cover events even if they do not lead to lawsuits or claims until years after the actual policy period.

A claims-made policy provides coverage triggered when a claim is made against the insured during the policy period, regardless of when the wrongful act that gave rise to the claim occurred.

AA company that experiences a ransomware attack will likely seek coverage under its cyber insurance policy for any ransom it pays and the costs it incurs to restore its systems and retrieve its data. This has resulted in frequent and substantial payments to the point where the viability of the cyber insurance market is being stretched.

Policyholders need to be aware of these developments so they can take steps to preserve rights and maximize coverage. Two recent lawsuits serve as helpful case studies for the subrogation trend.

Ace American Insurance Company v. Accellion, Inc., No. 21-cv-9615, Northern District of California

An insurer filed a third-party action against a software supplier, saying the software company’s negligence in handling a security vulnerability in its online file-transfer service led to a ransomware attack on its customer.

The insurer said the software provider knew its File Transfer Appliance service contained a security vulnerability but failed to properly notify the customer about the problem's existence or a critical software update needed to fix it. Specifically, it said the provider failed to inform the customer of security vulnerabilities. When it eventually sent a notification, it sent it to two employees who no longer worked there and failed to follow up to see whether anyone received the critical notification.

Because the customer never received the notification, it could not update its systems with the fix before hackers noticed the vulnerability and exploited it. The hackers stole confidential files and threatened to disclose them unless paid millions of dollars publicly. The customer ultimately paid over $2 million in ransom and filed a claim for the ransom and the costs incurred to restore its files under its cyber policy.

In January 2009, a company discovered a data breach in which hackers installed malicious code in its payment processing systems and, over several months, stole nearly 100 million credit card numbers issued by 650 financial services firms. In the month preceding the breach, the company hired a cybersecurity risk consultant to inspect its cybersecurity systems and adherence to applicable data security regulations. The consultant analyzed the systems and certified their compliance with those regulations, signaling to customers and regulators that the systems were well protected against cyber threats.

After the breach, various government agencies, credit card companies, financial firms, and a class of consumers sued. The company later settled these cases for more than $100 million.

The company had purchased insurance policies that covered these losses, and both insurers paid the full extent of their policy limits.

After paying the claims, the insurers turned their sights to the consultant. They argue that the consultant inadequately assessed the security systems and should never have certified that the systems complied with the applicable cyber security regulations. The consultant sued, seeking a declaration that it was not responsible for the losses.

The court recognized these claims as subrogation claims and acknowledged that the insurers could step into the company's shoes to pursue the consultant. The consultant argued that the claims for negligence, breach of contract, and indemnification were barred under the applicable statutes of limitations because the allegedly inadequate consulting services were performed in 2008, resulting in a data breach in 2009, and the insurers waited until 2018 to bring the action.

The court agreed that the claims for breach of contract and negligence were time-barred. However, the court refused to make the same finding on the indemnification claims. The court found the statute of limitations did not begin to run until all the third-party claims had been resolved and damages were ascertainable. That had happened with the global settlement that occurred only about two years before the insurers’ indemnification demand, and the demand was therefore deemed timely asserted.

These cases reflect a new trend in litigation stemming from the cyber insurance market. Faced with substantial claims, insurers are seeking ways to offset their vast losses by recouping them after claim payments by pursuing the parties that are responsible for creating the opportunity for the security breach. Policyholders should expect that once an insurer pays a claim, it will not end. Policyholders must make records, investigation results, and personnel available as the insurer pursues other responsible parties.

That cooperation may not come without intangible cost to policyholders, especially if the entity whose actions caused the breach is a valued business partner.

If these actions become a viable tool for insurers to recoup losses, policyholders can expect insurers will take a much greater interest at the underwriting stage to understand services contracts. Policyholders will need to consider and negotiate many more insurance provisions in those contracts.

These cases also give helpful guidance to service providers. Service providers with interaction with confidential information of other companies should perform regular testing on the accuracy of their customer notification systems and evaluate contingency plans to account for updates to customer contact information.

Service providers that provide cyber risk consulting and certify customer compliance with cybersecurity regulations communicate to client customers and regulators that those systems are safe from a cyberattack.

Following a cyberattack, insurers responsible for paying the claim will be looking to hold third parties liable if their actions or failure to act allowed the attack to happen. Service providers should be diligent in notifying customers of security vulnerabilities and follow up with them to ensure customers receive notifications and act on them. Service providers need to be aware that third parties relying on their representations and representations about the sufficiency of security systems could later be used as evidence against them.

Since many disputes between various parties will follow a ransomware attack, policyholders should take preventive security measures before an attack and document those measures and all communications and steps taken afterward.

Claims based on indemnification provisions in service agreements can be brought long after the service provider performs the service that allegedly led to the security breach. This is because the statute of limitations on indemnification claims may very well be deemed to begin to run only after the liability resulting from the data breach is final and ascertainable. Service providers should carefully consider indemnification provision language and include a sunset provision.

These cases highlight the importance of taking cybersecurity seriously and investing in it in the long run. Doing so will help businesses identify potential threats and vulnerabilities in their systems and the service providers' systems with which they do business. Policyholders can expect insurers to require robust cyber protection for all entities that intersect with the confidential data insured under the policy before coverage is granted.

Recent Posts

See All

Supreme Court Limits Shareholder Suits

The U.S. Supreme Court unanimously ruled that a corporation's failure to disclose certain information about its future business risks, without more, cannot be the basis of a private securities fraud c


bottom of page