Increasing requirements for cyber insurance

Current situation from the lawyer’s point of view

The IT security situation has been worsening for years and the damage caused by cyberattacks is constantly increasing. This situation poses great risks for companies. Protection through cyber insurance has therefore become indispensable for many companies. With the increase in cyber threats, however, the requirements for cyber insurance are also rising.

Increasingly strict cyber insurance requirements

Cyber insurance offers companies the possibility to insure themselves against cyberattacks and resulting damage. The prerequisite for taking out a cyber insurance policy is usually the performance of a security check by the insurer based on a risk questionnaire. However, due to the increase in cybercrime and the professional approach of the attackers, the requirements for cyber insurance, which are based on the security level of the systems to be protected, have increased significantly. The number of cases that are classified as uninsurable is increasing. Therefore, even the conclusion of a cyber insurance policy can represent a considerable hurdle for a company.

But even if the hurdle of taking out a policy has been overcome, the settlement of claims is not guaranteed. Our experience shows that insurers are increasingly reluctant to provide cover and that the settlement of claims represents an enormous effort. Typical objections, which are sometimes raised in a game of questions and answers stretching over months, are that no valid insurance policy has been concluded between the parties, that (pre-)contractual obligations and duties have been violated or that insurance benefits are to be reduced due to subsequent increases in risk. The insurers usually have a lengthy list of possible grounds for exclusion, so that an elaborate examination of the relevant contractual documents and the circumstances of the specific individual case is required.

First cases end up in court

The changed situation with cyber insurance also means that an increasing number of disputes have to be settled in court. However, a recent ruling by the LG Tübingen (4 O 193/21) shows that the insurers’ objections are not successful in every case. The court ruled that in the event of a successful phishing attack with subsequent encryption of the IT systems, the insurer must compensate the damage incurred, even though the systems were partly not equipped with current security updates. The court held that the insurer could not validly invoke a fraudulent breach of the pre-contractual duty of disclosure with regard to the security level of the systems, or a subsequent increase of risk due to the failure to install security updates. The required causality was lacking, as the policyholder was able to prove that the circumstances presented had no influence on the occurrence of the IT security incident (so-called counter-evidence of causality). The objection of grossly negligent causation of the insured event was also unsuccessful, as the risk situation regarding the security updates already existed at the time of conclusion of the policy and should have been the basis of the insurer’s risk assessment. The policyholder was specifically under no duty to improve the risk situation.

Practical advice

The strict requirements of cyber insurance are increasingly challenging for companies, both when taking out insurance and in the event of a claim. However, companies should not be deterred by this, but should deal with the requirements and possible objections of the insurers in each individual case. Our experience shows that especially in the case of a delayed or even declined claim settlement, confronting the insurer with a legal assessment of the facts can turn the tide. Companies should have a plan of action ready for communication with their insurer, which should in particular include the following aspects:

  • Documentation of the facts and actions taken
  • Legal assessment (especially in the case of ransom payments)
  • Communication and coordination with the insurance broker
  • Preparation of the necessary compliance documents
