A legal precedent has been set in Germany in a case where a judge ruled that an insurance provider must pay out to the victim of a cyber attack, despite the insurer claiming that the victim had breached the terms of the contract.

Is a cyber insurance policy going to be more complex?

The Regional Court of Tübingen, in central Baden-Württemberg, ruled that none of the objections raised by the insurance company, which included a breach of pre-contractual disclosure duties, an increase in risk, and gross negligence, had caused the victim to fall foul of a ransomware attack.

The court ruled in favour of the insured, dismissing the coverage defenses presented by the insurer.

The court rejected the insurer’s argument that the insured had caused the loss through gross negligence by failing to implement common IT measures to prevent cyber attacks.

Defendant’s case

The defendant stated that the plaintiff had breached its pre-contractual duty of disclosure by answering several risk questions incorrectly.

The insurance company claimed that the insured failed to install security updates which had been available for several of the insured’s servers for years, despite being aware of this fact.

The insurance company also argued that the insured’s inadequate security measures against a cyber attack (including a lack of two-factor authentication and adequate monitoring) amounted to an increase in risk.

The insurer further claimed gross negligence on the part of the insured, which it said had caused the insured event.

Background to the case

In 2020, the plaintiff fell victim to a ransomware attack when an employee unknowingly opened an email attachment disguised as an invoice on his company laptop.

The laptop was connected to the plaintiff’s network via a VPN, which provided the route into the plaintiff’s IT system and brought down a large part of its infrastructure.

Following the attack, the company received a ransom demand for payment in Bitcoin, accompanied by a threat to publish sensitive company data.

The attack resulted in significant operational loss for the plaintiff.

It was during the claims handling process for the incident that it became apparent to the defendant that the plaintiff had not implemented the IT security measures mentioned above, and had provided inaccurate answers to the insurer’s pre-contract risk assessment questions.

Judgement

The Regional Court determined that the plaintiff had successfully demonstrated that any potential breach of the pre-contractual duty of disclosure neither caused the insured event nor affected the determination or scope of coverage (commonly referred to as the “counterproof of causality”).

The court also dismissed the insurer’s objection of an increase in risk, as the contract explicitly stated that the insurer’s obligation to grant coverage would only cease if the increase in risk directly caused the insured event or affected the scope of the benefit obligation.

According to the court’s ruling, Sec. 81 para. 2 VVG, which pertains to gross negligence in causing the insured event, does not apply in this case, and consequently, the claim is not subject to reduction.

The court also considered whether the insurance company could, in theory, have asked about these specific risk circumstances.

In the case at hand, since there had been no change in the condition of the servers between the conclusion of the policy and the occurrence of the cyber attack, the insurance company had implicitly accepted the existing risk situation by not seeking further risk-related information.

Therefore, the insurer could not shift onto the insured any risks that had been present from the beginning.

Implications

The court ruling marks a significant event in German cyber insurance case law, and in that of the wider world. However, it remains to be seen whether this ruling will withstand the test of time, given the novelty of cyber insurance law.

One of the key implications of this judgment is that insurers should continuously review other coverage objections during the claims handling process. One of the most important of these is the pre-contractual duty of disclosure.

Under German law, insurers have a one-month window, beginning with their certain knowledge of the breach of the duty of disclosure, to assert their rights in connection with the breach.

Insurers should remain vigilant at all stages of a claims process and carefully scrutinise any information provided by the insured that may relate to pre-contractual disclosures.

One would expect cyber insurance policies to become even more complex than they already are, and companies will have to ensure that all obligations are met, regardless of whether a breach was directly related to a failure of process or not.