First cyber insurance case law in Germany
Legal Development 21 July 2023
UK & Europe
Insurance & Reinsurance
In a significant legal precedent, the Regional Court of Tübingen has rendered the first judicial decision concerning cyber insurance in Germany. This ruling, delivered on 26 May 2023, has already ignited extensive discussion within the insurance sector.
The court’s judgment (4 O 193/21) addressed the most common coverage objections raised in cyber insurance claims, including pre-contractual disclosure duties, increase in risk, and gross negligence in causing the insured event. The court ruled in favor of the insured, dismissing the coverage defenses presented by the insurer. Specifically, the court rejected the insurer’s argument that the insured had caused the loss through gross negligence by failing to implement common IT measures to prevent cyber attacks. The court asserted that the insurer could have examined these specific IT security conditions during the pre-contractual risk assessment phase.
In 2020, the insured (the plaintiff in the claim) fell victim to a cyber attack. The insured’s IT infrastructure was severely compromised when ransomware infiltrated its systems. An employee unknowingly initiated the ransomware attack by opening an email attachment disguised as an invoice on his company laptop. The laptop was connected to the insured’s network via a VPN tunnel, which provided the pathway into the insured’s IT system and brought down a large part of the servers. Following the cyber attack, the attackers demanded a ransom in Bitcoin and threatened to publish sensitive company data. The cyber attack resulted in significant operational loss. During the claims handling of the incident, it became apparent that the insured had not implemented relatively common IT security measures, had failed to install necessary updates, and had provided inaccurate answers to the insurer’s pre-contractual risk assessment questions.
The insurer declared rescission of the insurance contract on the grounds that the insured had breached its pre-contractual duty of disclosure by answering several risk questions incorrectly. The insurer claimed that the insured had failed to install security updates which had been available for several of the insured’s servers for years, despite being aware of this fact. In addition, the insurer argued that the insured’s inadequate security measures against a cyber attack (e.g. lack of two-factor authentication and adequate monitoring) amounted to an increase in risk (Sec. 23 et seq. of the German Insurance Contract Act 2008, “VVG”) and to gross negligence on the part of the insured in causing the insured event (Sec. 81 para. 2 VVG).
Judgment and legal analysis
The Regional Court of Tübingen determined that the insured had successfully demonstrated that any potential breach of the pre-contractual duty of disclosure neither caused the insured event nor affected the determination or scope of coverage (commonly referred to as the “counterproof of causality”). The court also dismissed the insurer’s objection of an increase in risk, as the contract explicitly stated that the insurer’s obligation to grant coverage would only cease if the increase in risk directly caused the insured event or affected the scope of the benefit obligation. According to the court’s ruling, Sec. 81 para. 2 VVG, which pertains to gross negligence in causing the insured event, does not apply in this case, and consequently the claim is not subject to reduction. In the court’s view, the provision should not apply if the relevant risk situation already existed at the time the contract was concluded and the relevant risk factor was, or could have been, considered in the insurer’s risk assessment. In other words, the court was concerned with whether the insurer could theoretically have asked about these specific risk circumstances. In the present case, since there was no change in the condition of the servers between the time the policy was concluded and the occurrence of the insured event, the insurer – according to the court – implicitly accepted the existing risk situation by not seeking further risk-related information. Therefore, the insurer could not shift risks that had been present from the outset onto the insured by relying on Sec. 81 para. 2 VVG.
Implications and further perspectives
Although this decision marks a significant milestone in German cyber insurance case law, it remains to be seen whether this ruling will withstand the test of time given the novelty of cyber insurance law. Its future influence hinges on whether other courts, and in particular appeal courts, will validate this line of jurisprudence. However, a legal discussion in Germany is certainly to be expected about the reasoning behind the link the court drew between gross negligence in causing the insured event and pre-contractual disclosure duties. In our view, this question is far from settled.
One of the key practical implications of this judgment is that insurers should continuously and carefully review other coverage objections – in addition to the objection based on Sec. 81 VVG – during the claims handling process. One of the most important of these is the pre-contractual duty of disclosure. However, under German law, insurers have a one-month window, beginning with their certain knowledge of the breach of the duty of disclosure, to assert their rights in connection with the breach. Consequently, insurers should remain vigilant at all stages of the claims process and carefully scrutinize any new information provided by the insured during claims handling that may relate to pre-contractual disclosures. At the same time, insurers should take this as an opportunity to review their underwriting process for compliance with the requirements of the German Insurance Contract Act 2008 (VVG). Breaches of form, e.g. a failure to instruct the policyholder about the consequences of an incorrect statement, generally mean that rescission cannot be declared on this ground alone.
Nevertheless, it is likely that this ruling will set the benchmark for discussions between policyholders and insurers for the time being. Other cyber coverage actions are currently pending before the courts, so keep this space on your watch list!