Hunton Andrews Kurth writes:
When a cyber incident occurs and the insurer pays out the claim, they often face the frustrating reality that pursuing the actual criminals – the threat actors – for indemnification is virtually impossible. Thus, insurers are now turning to subrogation claims against the very cybersecurity vendors entrusted by policyholders to protect their systems. Indeed, insurers are increasingly examining whether outsourced cybersecurity providers may have breached their contractual obligations or failed to deliver adequate protection, leading to the loss. This shift means policyholders may find their cybersecurity vendors facing legal action from their own insurer, creating a new layer of risk in vendor relationships.
Last month, Ace American Insurance Company filed a subrogation action against its insured’s cybersecurity and technology vendors, alleging missteps by the technology companies. See Ace American Insurance Company v. Congruity 360, Trustwave Holdings, Case No. 2:25-cv-15657 (D.N.J. Sep. 15, 2025). Ace seeks to recover the $500,000 in damages it paid to its insured, CoWorx, under the cybersecurity policy issued by Ace. Ace alleges that its insured’s cyber incident occurred as a result of Congruity 360 and Trustwave’s negligence. Ace also asserts breach of contract against both defendants.
The complaint details several alleged bases for Ace’s subrogation action against the technology companies contracted by its insured. Against Congruity 360, Ace claims that the contract between CoWorx and Congruity 360 required Congruity 360 to set up multifactor authentication and secure network servers for CoWorx. Ace further alleges that Congruity 360 failed to do so, leading to installation of ransomware. The claims against Trustwave are similar.
Read more at The National Law Review.