Current situation from the lawyer’s point of view
The IT security situation has been worsening for years and the damage caused by cyberattacks is constantly increasing. This situation poses great risks for companies. Protection through cyber insurance has therefore become indispensable for many companies. With the increase in cyber threats, however, the requirements for cyber insurance are also rising.
Increasingly strict cyber insurance requirements
Cyber insurance offers companies the possibility to insure themselves against cyberattacks and the resulting damage. Taking out a cyber insurance policy usually presupposes a security check by the insurer, based on a risk questionnaire. However, due to the increase in cybercrime and the professional approach of the attackers, the requirements for cyber insurance, which are tied to the security level of the systems to be protected, have increased significantly. The number of cases classified as uninsurable is growing. Even the conclusion of a cyber insurance policy can therefore represent a considerable hurdle for a company.
But even once the hurdle of taking out a policy has been overcome, the settlement of claims is not guaranteed. Our experience shows that insurers are increasingly reluctant to provide cover and that settling a claim involves considerable effort. Typical objections, sometimes raised in an exchange of questions and answers stretching over months, are that no valid insurance policy was concluded between the parties, that (pre-)contractual obligations and duties were violated, or that insurance benefits are to be reduced because of a subsequent increase in risk. Insurers usually have a lengthy list of possible grounds for exclusion, so an elaborate examination of the relevant contractual documents and the circumstances of the specific individual case is required.
First cases end up in court
The changed situation with cyber insurance also means that an increasing number of disputes have to be settled in court. However, a recent ruling by the LG Tübingen (4 O 193/21) shows that the insurers’ objections are not successful in every case. The court ruled that in the event of a successful phishing attack with subsequent encryption of the IT systems, the insurer must compensate the damage incurred, even though the systems were partly not equipped with current security updates. The court held that the insurer could not validly invoke either a fraudulent breach of the pre-contractual duty of disclosure regarding the security level of the systems or a subsequent increase of risk due to the failure to install security updates. The required causality was lacking, as the policyholder was able to prove that the circumstances presented had no influence on the occurrence of the IT security incident (so-called counter-evidence of causality). The objection of grossly negligent causation of the insured event was also unsuccessful, as the risk situation regarding the security updates already existed at the time the policy was concluded and should have formed the basis of the insurer’s risk assessment. The policyholder was under no duty to improve the risk situation.
Practical advice
The strict requirements of cyber insurance are increasingly challenging for companies, both when taking out insurance and in the event of a claim. However, companies should not be deterred by this, but should deal with the requirements and possible objections of the insurers in each individual case. Our experience shows that, especially when claim settlement is delayed or even declined, confronting the insurer with a legal assessment of the facts can turn the tide. Companies should have a plan of action ready for communication with their insurer, which should in particular cover the following aspects:
- Documentation of the facts and actions taken
- Legal assessment (especially in the case of ransom payments)
- Communication and coordination with the insurance broker
- Preparation of the necessary compliance documents