Subrogation Actions Following Ransomware Claims

Lynda Bennett and Michael James Scales


  • With ransomware attacks on the rise, insurers are taking more entrenched positions on claims payment.
  • They also are developing alternative mechanisms to minimize losses through subrogation actions.
  • Policyholders need to take steps before and after claims take place in order to preserve their rights and maximize coverage.

Ransomware attacks continue to challenge U.S. companies, and cybercriminals now routinely extort companies for multimillion-dollar payouts. A company that experiences an attack will likely seek coverage under its cyber insurance policy for any ransom it ultimately pays to the criminals and for the costs it incurs to restore its systems and retrieve its compromised data. The surge in ransomware attacks has resulted in insurers making frequent and substantial payments on these claims, to the point where the viability of the cyber insurance market is being stretched to its limits.

As a result, we are seeing new trends emerge in how insurers are responding to cyber claims: (1) they are taking more entrenched positions on claims payment, and (2) they are developing alternative mechanisms to minimize losses through subrogation actions.

Policyholders need to be aware of these developments so that they can take steps before and after claims take place in order to preserve their rights and maximize coverage. Two recently filed lawsuits serve as useful case studies for the subrogation trend.

Ace American Insurance Company v. Accellion, Inc., No. 21-cv-9615, Northern District of California

Ace American Insurance Co. filed a subrogation action against Accellion, Inc., claiming the software company’s negligence in handling a security vulnerability in its online file-transfer service led to a ransomware attack on its customer (and Ace’s insured), a Boston law firm.

In its complaint, Ace alleged that Accellion became aware that its File Transfer Appliance service, on which the law firm stored confidential files, contained a security vulnerability, but that Accellion failed to properly notify the law firm about the existence of the problem or about a critical software update needed to fix it. Specifically, Ace alleged that Accellion failed to inform the law firm of Accellion’s internal client “notification” system used to inform its customer users of security vulnerabilities, and that when Accellion did eventually send a notification to the law firm, it sent the notice to two employees who no longer worked there and then failed to follow up to confirm whether anyone had received the critical notification. Because the law firm never received the notification, Ace asserts, the law firm could not update its systems with the “fix” before hackers noticed the vulnerability and exploited it. The hackers stole confidential legal files and threatened to publicly disclose them unless the law firm paid millions of dollars. The law firm ultimately paid more than $2 million in ransom and thereafter filed a claim for the ransom and the costs it incurred to restore its files under its cyber policy issued by Ace. According to the complaint, when the law firm confronted Accellion about the security vulnerability, Accellion tried to shift the blame to the law firm, claiming the firm had failed to update its contact information on Accellion’s emergency notification system. Ace claimed, however, that the law firm did all it could by notifying Accellion of its former employees’ departures and that it was Accellion’s responsibility to update its own notification systems.

Trustwave Holdings, Inc. v. Beazley Ins. Co., No. N18C-06-162, Delaware Superior Court

Ace’s subrogation action largely mirrors the strategy employed by Beazley Insurance Company and Lexington Insurance Company to recover losses they paid to their insured on claims resulting from the devastating Heartland Payment Systems data breach in 2009.

In January 2009, Heartland discovered a data breach in which hackers installed malicious code in the company’s payment processing systems and, over several months, stole nearly 100 million credit card numbers issued by 650 financial services firms. In the month preceding the breach, Heartland had engaged Trustwave, a cybersecurity risk consultant, to inspect its cybersecurity systems and adherence to applicable data security regulations. Trustwave analyzed Heartland’s systems and “certified” their compliance with those regulations, thereby signaling to customers and regulators that the systems were well protected against cyber threats.

After the breach, various government agencies, credit card companies, financial firms, and a class of consumers brought actions against Heartland, all of which were consolidated into a multidistrict litigation (MDL) in a Texas federal court. Heartland later settled all of these cases for more than $100 million, in addition to attorney fees. Heartland had purchased insurance policies from Beazley and Lexington that covered these losses, and both insurers paid the full extent of their policy limits ($30 million) to Heartland.

After paying Heartland’s claims, Beazley and Lexington turned their sights to Trustwave. The insurers demanded a $30 million payment, invoking an indemnification provision in the services agreement between Heartland and Trustwave in which Trustwave promised to indemnify Heartland for losses Heartland experienced due to third-party claims relating to Trustwave’s services. The insurers argued that Trustwave had inadequately assessed Heartland’s security systems and should never have certified that Heartland’s systems complied with the applicable cybersecurity regulations. After receiving the insurers’ indemnification demand, Trustwave filed an action in a Delaware court seeking a declaration that it was not responsible for Heartland’s losses. The insurers thereafter filed counterclaims, and Trustwave later filed a motion to dismiss.

In its September 30, 2019, opinion on the motion, the court recognized these claims as “subrogation” claims and acknowledged that the insurers had the ability to step into the shoes of Heartland to pursue Trustwave. Trustwave argued that Heartland’s claims for negligence, breach of contract, and indemnification were barred under the applicable statutes of limitations because Trustwave’s allegedly inadequate consulting services were performed in 2008, resulting in a data breach in 2009, and Heartland (through the insurers) had waited until 2018 to bring the subrogation action.

The court agreed that the insurers’ claims grounded in breach of contract and negligence were time-barred. However, the court refused to make the same finding on the insurers’ indemnification claims. With respect to those claims, the court found that the statute of limitations did not begin to run until all the third-party claims against Heartland (i.e., all of the lawsuits consolidated in the Texas MDL) had been resolved and damages were ascertainable. That had happened with the global settlement that occurred only about two years prior to the insurers’ indemnification demand against Trustwave, and the demand was therefore deemed timely asserted.

Key Takeaways

First, at the highest level, these cases reflect a new trend in litigation stemming from the cyber insurance market. Faced with the reality that insurance claims following ransomware attacks are substantial and prevalent and must be paid, insurers are seeking ways to offset their huge losses. As these cases show, insurers are trying to recoup their losses after claim payments through subrogation, by pursuing the parties responsible for creating the opportunity for the security breach. If these subrogation actions “stick,” policyholders should expect that an insurer’s payment of a cyber claim will not be the end of the policyholder’s involvement in responding to the breach. Rather, policyholders will be obligated under the terms of their policies to make their records, investigation results, and personnel available to the insurer as it pursues other potentially responsible parties. That cooperation may carry an intangible cost for policyholders, especially if the entity whose actions caused the breach is a valued business partner. There are strategies policyholders can employ to carefully navigate this sticky situation, and coverage counsel should be involved in that process.

Second, if these subrogation actions become a viable tool for insurers to recoup losses, policyholders can expect that insurers will take much greater interest at the underwriting stage of cyber policies to understand the terms and conditions of the policyholders’ services contracts. To that end, policyholders will need to give much more intentional consideration to, and engage in negotiation of, insurance provisions in those services contracts. Oftentimes, corporate lawyers drafting those provisions do not understand the nuances of insurance, including the importance of a “waiver of subrogation” clause that routinely is included in such provisions. As the above cases show, the insurers’ ability to seek subrogation has become increasingly important and valuable to insurers. For that reason, policyholders face a significant risk if they have not aligned the insurance provisions in their services contracts with their cyber policies or settlement agreements with insurers and other third parties. In some instances, a policyholder may unwittingly forfeit coverage by violating the cooperation clause of its cyber policy if it broadly waives subrogation rights in a “standard” insurance provision in its services contract.

Third, these cases offer useful guidance to service providers. As the Accellion case shows, service providers that have any interaction with the confidential information of other companies will be well advised to perform regular testing on the accuracy of their customer notification systems and evaluate their contingency plan to account for updates to customer contact information. And as the Trustwave case shows, service providers that provide cyber risk consulting and “certify” their customers’ compliance with cybersecurity regulations are necessarily making representations to the client’s customers and regulators that those systems are safe from a cyberattack. As both cases show, following a cyberattack, insurers responsible for paying the resulting insurance claim will be looking to hold third parties liable if their actions or failure to act allowed the attack to happen in the first place. Service providers should be diligent in their efforts to notify customers of security vulnerabilities and should follow up with them to ensure customers actually receive notifications of those vulnerabilities and act upon them. Service providers should also be aware that third parties are relying on their representations and that these representations about the sufficiency of the customer’s security systems could later be used as evidence against them in a direct or subrogation action.

Fourth, given that a multitude of disputes between various parties will follow a ransomware attack, policyholders will be well advised to take precautionary security measures before an attack and then document those measures and all communications and steps taken afterward. In the Accellion case, after the law firm confronted Accellion following the attack, Accellion allegedly tried to shift the blame back onto the law firm, arguing that the law firm failed to update its notification system. Policyholders should expect the inevitable blame game and take all measures to avoid giving others any reason to pin responsibility on them. Policyholders should be transparent in their efforts and communicate those efforts to the insurer. This is consistent with the fundamental principle that policyholders should provide timely notice to their insurers, carefully investigate and document their claims, and consider all angles of an actual or potential liability before providing a release to any party associated with the loss.

Fifth, as the Trustwave case shows, subrogation claims based on indemnification provisions in services agreements can be brought long after the service provider performs the service that allegedly led to the security breach. This is because the statute of limitations on indemnification claims may very well be deemed to begin to run only after the liability resulting from the data breach is final and ascertainable. Service providers should pay careful attention to the language they include in their indemnification provisions in services agreements and understand that subrogation actions of this nature can be brought many years after the service is performed unless there is a sunset provision associated with the indemnification obligation set forth in the contract.

Sixth, large-scale security breaches could lead to class actions brought pursuant to various privacy laws, which is what happened in both of the cases discussed above. Any resulting class action could lead to a global settlement in which the customers are entitled to compensation and other rights established by the terms of a class settlement agreement. If a company submits a claim under its insurance policy for any loss it experienced as a result of the security breach and the insurer pays the company for that loss pursuant to the claim payment, it is possible that the rights giving rise to that payment are captured by the class settlement agreement. Therefore, a cyber insurer’s subrogation action could potentially seek reimbursement for that payment from the class settlement fund on behalf of the customer.

Finally, these cases highlight the fundamental importance of taking cybersecurity seriously and investing in it in the long run. Doing so will help businesses identify potential threats and vulnerabilities, not only in their own systems but also, as the cases show, in the systems of service providers with which the companies do business. Policyholders can expect insurers to start requiring robust cyber protection for all entities that intersect with the confidential data that will be insured under the policy before coverage will be granted.

In sum, policyholders should expect that insurers will be more aggressive when handling cyber claims in the coming year, not only by forcing policyholders to work harder to access their coverage in the first instance but also by looking to recoup losses from third parties that are responsible for causing the security breach, after the claim has been paid. Policyholders need to engage in active risk management before and after a loss occurs in order to ensure maximum recovery under their cyber policies.