The requirements of § 81 para. 2 VVG (grossly negligent causation of the insurance case) in Cyber insurance

(Erichsen/Seiz, r+s 2024, S. 97)

Unfortunately, Cyber attacks on businesses are no longer uncommon, but rather part of everyday business. In 2023 alone, Finlex’s claims department recorded more than 120 new Cyber claims. Fortunately, thanks to the prompt response of policyholders and the effective assistance of the Incident Response Emergency Hotline, a large proportion of these cases end with minimal damage, keeping losses low. However, if Cyber attackers succeed in infiltrating a company’s network, spreading within the network and encrypting data, the financial consequences for the company can be immense.
Therefore, it is all the more important for affected companies in these cases to have a Cyber insurer by their side. The insurer covers the necessary costs for incident analysis and resolution, restoration of IT systems, and reimburses any resulting business interruption losses. “In the Cyber area, the claims settlement rate is fortunately very high. In more than 70% of our claims cases, the incurred damage is either easily settled by the insurer or the first aid provided by the emergency hotline can lead to a quick and cost-effective resolution of the Cyber incident without exceeding the policy deductible,” explains Elke Seiz, Claims Counsel at Finlex. It is therefore generally the exception rather than the rule for insurers to deny coverage in the event of a claim and to become involved in coverage disputes.

The objection of grossly negligent causation of the insurance event in claims practice

In cases where Cyber insurers question coverage, the argument of breach of pre-contractual disclosure obligations pursuant to § 19 et seq. of the German Insurance Contract Act (VVG) is the most commonly raised objection by insurers. This occurs particularly when forensic findings during the investigation of the Cyber incident reveal that certain IT security standards in the company were either lacking or insufficient. In these cases, insurers may also invoke § 81 VVG and raise the objection of grossly negligent – if not deliberate – causation of the insurance event.
Elke Seiz explains: “There are some insurers in the Cyber insurance market who almost routinely raise the objection of grossly negligent causation of the insured event when there are security vulnerabilities in the insured company’s IT system, and use this argument to deny coverage or significantly reduce the insurance payout. Unfortunately, it is often overlooked that strict requirements must be met for the insurer to effectively invoke the grossly negligent causation exclusion. If the objection is raised without the insurer having thoroughly examined the high requirements of the exclusion, the situation for the policyholder is more than unsatisfactory. We therefore hope that insurers will not automatically rely on grossly negligent causation of the insured event, but will instead question in detail whether the conditions of § 81 para. 2 VVG are actually met.”

Finlex legal opinion in the journal Recht und Schaden

Is it actually possible to rely on the defence of grossly negligent causation of the insured event in the context of Cyber insurance? If so, what are the requirements? And who bears the burden of proof that these requirements are met?

Dr. Sven Erichsen, Non-Executive Director at Finlex, and Elke Seiz, Claims Counsel at Finlex, have addressed these and other questions in detail in the current article in the legal journal r+s titled “Requirements of § 81 para. 2 VVG (grossly negligent causation of the insurance event) in Cyber insurance.

Read the entire article (only available in German) here.
(With permission from the publisher C.H.BECK)

On the safe side with the Finlex special concept

“The questions surrounding § 81 Para. 2 VVG only become relevant if the policy conditions do not already contain a provision in which the insurer expressly waives the right to invoke the defence of grossly negligent causation of the insured event. Our Finlex Cyber special concepts usually contain such a provision, so that Finlex’s cooperating brokers and policyholders need not fear discussions with insurers about grossly negligent causation of the insured event in the event of a claim,” reassures Dr. Sven Erichsen. This shows once again how important it is to have a well-established set of terms and conditions underlying the insurance contract. This can prevent unpleasant surprises and unnecessary discussions in the event of a claim.
If you have any questions or would like more information on this topic, our claims experts and brokers are at your disposal.

The following images are released for reprinting subject to editorial, non-commercial use.

Elke Seiz | (Press photo)
Photo credit: Finlex GmbH