Preliminary ruling on cyber insurance

Regional Court of Tübingen comments on the preconditions for defence of gross negligence as the cause of the insured event (Section 81 (2) VVG (Versicherungsvertragsgesetz [German Insurance Contract Act]))

In May, the Regional Court (Landgericht [LG]) of Tübingen was the first court to issue a judgment on cyber insurance. The Regional Court’s decision is worth reading, not just because of its pioneering role in cyber insurance case law, but also because it contains statements on the objections to coverage frequently raised by insurers. In its judgment dated 26/05/2023 – file ref. 4 O 193/21 (https://www.landesrecht-bw.de/bsbw/document/JURE230050192) – the Regional Court reaches conclusions on the preconditions for a pre-contractual breach of the duty of disclosure, and the preconditions for the application of Section 81 (2) VVG (gross negligence as a cause of the insured event) in cyber insurance. We examine, in particular, the latter in more detail below as this judgment sets an important marker in the cyber insurance market. It will help to put the brakes on the current trend by some insurers to invoke a reduction of insurance payout in cyber claims due to gross negligence as a cause of the insured event. 

Statutory regulation on triggering of the insured event through intent or gross negligence 

Under Section 81 (1) VVG, the insurer is not obliged to pay out if the policyholder intentionally causes an insured event. Triggering of the insured event through gross negligence is governed under Section 81 (2) VVG, and entitles the insurer to reduce its payout in proportion to the severity of culpability (apportionment) on the part of the policyholder if gross negligence by the policyholder causes the insured event. 

LG Tübingen judgment

In the legal battle on the basis of which LG Tübingen’s judgment was issued, the policyholder and the cyber insurer disputed whether a cyber loss event incurred by the policyholder was covered under the insurance. During the cyber incident, unknown attackers introduced an encryption trojan (ransomware) into the policyholder’s IT system by means of a phishing email and used this to paralyse almost the entire IT infrastructure of the policyholder. Since not all the policyholder’s servers had the current security updates for the operating system installed, yet the policyholder had answered relevant pre-contractual questions from the insurer to the effect that all work computers were equipped with current software and that available security updates were installed without undue delay, the insurer referred in the legal dispute to a breach of the policyholder’s pre-contractual duties of disclosure to justify refusing its obligation to pay out. Furthermore, the insurer argued that the policyholder had caused the insured event through gross negligence due to missing or inadequate security measures to prevent a cyber attack.

With regard to the preconditions for a breach of the duty of disclosure by the policyholder when answering pre-contractual questions from the insurer, LG Tübingen comes to the conclusion that there is no causality between the (possibly) incorrect responses to the risk questions and either the occurrence of the insured event or the extent of the loss incurred if it is established that an existing security weakness was exploited in the cyber attack, but that the weakness would have existed regardless of whether the affected system had current updates installed. In the case to be decided, installing the missed updates would have been able neither to fend off the attack itself nor to influence the extent of the damage caused. Since, in the event of a fraudulent breach of pre-contractual duties of disclosure, the insurer’s performance is excluded even without causality between the (incorrect) response to the question by the policyholder and the claim, the court also commented on the preconditions for a fraudulent act, but concludes by rejecting it.

Fortunately, the court also comments on the preconditions for the application of Section 81 (2) VVG (gross negligence triggering the insured event) in cyber insurance. According to the court, Section 81 (2) VVG does not apply if the relevant risk already existed at the time of contract conclusion and was, or could have been, a basis for the insurer’s risk assessment. The court states that the insurer itself is responsible for clarifying the existence of additional security measures by means of appropriate risk questions. If the insurer waives this, it thereby accepts the policyholder with their existing risk situation. It cannot use Section 81 (2) VVG (in full or in part) to impose the burden of existing risks on the policyholder.

Impact of the judgment

This judgment from LG Tübingen is by no means the last word on the preconditions for Section 81 VVG in cyber insurance since the judgment merely establishes under which preconditions there is no place for the application of Section 81 (2) VVG. Many other questions therefore remain outstanding and will most likely also provide material for many discussions between insurers and policyholders in the future. However, it is fortunately very clear from this judgment that the hurdle insurers have to overcome in order to be able to claim that gross negligence has triggered the insured event is a not insignificant one. To fall within the scope of Section 81 VVG in the first place, the insurer is required to specifically ask about certain IT security measures in the company to obtain a detailed picture of the IT security status, and whether the risk situation has changed since the initial conclusion of the contract with the policyholder. 

It remains to be seen whether the insurer will accept the decision of the Regional Court, which in our opinion is detailed and comprehensibly argued, or if they will appeal against the court’s decision to the Higher Regional Court. In any case, the judgment is a preliminary pioneering decision for the cyber insurance market about which policyholders can be happy. 

Defence of gross negligence triggering an insured event in Finlex Claims practice

In Finlex’s claims department, we have recently been seeing more cases where insurers wish to use the defence of gross negligence – or even intent – causing an insured event, to either refuse their obligation to pay out or to reduce the level of compensation. We were already very critical of this approach by insurers before LG Tübingen’s judgment. Cases where insurers use blanket statements to refuse or reduce insurance coverage without taking into account the circumstances of the individual case or the rules that apply to the burden of proof are particularly problematic for claims processing. According to the statutory distribution of the burden of proof, it is the insurer’s responsibility to prove the presence of the preconditions that justify the exclusion of risks under Sections 81 (1) and (2) VVG. Unfortunately, when processing claims, insurers often replace the required proof with blanket allegations. In our opinion, the very welcome judgment from LG Tübingen has come at exactly the right time to stop insurers from alleging that gross negligence triggered the insured event.

Finlex special cyber concepts 

With our Finlex cyber policies, policyholders are already well protected against the defence of gross negligence causing an insured event. The Finlex cyber conditions generally state that the insurer cannot rely on its right to reduce benefits under Section 81 (2) VVG in the event of gross negligence causing the insured event. This means there is a barrier in place from the outset against any such insurer defence, so that lengthy and potentially costly discussions about the preconditions for an insurer’s right to reduce the relevant benefits are unnecessary.

Get advice now.

Elke Seiz

Claims Expert & Legal Counsel | Volljuristin