When Insurers Turn the Tables: The ACE v. Congruity & Trustwave Case and the Future of Cyber Insurance Subrogation
Executive Summary
In a groundbreaking lawsuit that could reshape the cybersecurity landscape, ACE American Insurance Company, a Chubb subsidiary, is pursuing $500,000 in subrogation claims against two technology service providers following a ransomware attack on their mutual client. This case represents a significant evolution in cyber insurance recovery strategies and highlights the increasing accountability being placed on technology vendors for security failures.

The Case That Could Change Everything
The lawsuit, filed in U.S. District Court for New Jersey in September 2025, centers on a ransomware attack that occurred in April 2024 against CoWorx Staffing Services, a New Jersey-based staffing company operating across all 50 states. After paying out $500,000 under its cyber insurance policy to CoWorx, ACE is now seeking to recover these damages from Congruity 360 LLC, a cloud services provider, and Trustwave, a cybersecurity monitoring firm.
What makes this case particularly significant is not just the amount at stake, but the legal theories being advanced and their potential to fundamentally alter the risk landscape for managed service providers (MSPs), cloud providers, and cybersecurity firms.
The Anatomy of a Breach: A Timeline of Failures
According to ACE's complaint, the breach unfolded through a series of critical security failures:

April 18, 2024: Initial Compromise
Threat actors gained access to Congruity's infrastructure using a compromised CoWorx user password. ACE alleges that multi-factor authentication (MFA) – a basic security control that Congruity was contractually obligated to implement – was never established or enforced. This single point of failure allowed attackers to breach the system with just a stolen password.
Privilege Escalation
Despite the compromised account lacking administrative privileges, the attackers successfully elevated their permissions and reached the host server. ACE argues this demonstrates fundamental architectural flaws in how Congruity configured the separation between guest environments (tenant virtual machines) and the host layer beneath them – a violation of basic security principles that should have prevented lateral movement from a single tenant account to the shared host.
April 22, 2024: The Missed Alert
Four days after the initial breach, Trustwave's monitoring software detected suspicious activity. However, the company classified the alert as "moderate" rather than "high" or "critical," failing to notify CoWorx immediately. This categorization error proved catastrophic, as it denied CoWorx the opportunity to investigate and potentially back up critical data before the encryption event.
April 27, 2024: Ransomware Deployment
Five days after Trustwave's detection, the threat actors deployed ransomware that encrypted CoWorx's virtual machines at the host level. Without adequate backups, CoWorx was forced to pay for decryption keys to recover its data.
The Legal Theories: Breaking New Ground
ACE's lawsuit advances several legal theories, and the factual allegations supporting them, against both defendants:

Against Congruity:
- Negligence and Gross Negligence: Failing to implement MFA despite contractual obligations
- Breach of Contract: Not providing the security safeguards specified in their service agreement
- Breach of Implied Warranty: Failing to deliver services with reasonable care and skill
- Architectural Failures: Improperly configuring network segregation between guest and host environments
Against Trustwave:
- Negligent Monitoring: Misclassifying a critical security event
- Breach of Contract: Failing to provide adequate monitoring and alerting services
- Failure to Mitigate: Not providing timely notification that could have limited damages
The Broader Context: A Market in Transition
This lawsuit emerges at a critical juncture in the cyber insurance market. According to recent industry data:
- Munich Re expects the global cyber insurance market to reach USD 16.3bn in 2025
- Nearly two-thirds of Woodruff Sawyer's clients realized cost savings in their cyber insurance programs last year due to increased market competition
- Ransomware caused about 81% of claims involving recovery expense losses
The insurance industry is increasingly looking to subrogation as a way to manage escalating cyber losses. Subrogation lets an insurer that has paid a claim step into its policyholder's shoes and pursue the third parties whose negligence or contractual failures contributed to the incident, turning a paid loss into a potential recovery.

The MSP Liability Crisis
The implications of this case are particularly acute for managed service providers and technology vendors. The lawsuit highlights several critical risk factors:
Contractual Vulnerabilities
Many MSPs operate with poorly drafted Master Service Agreements (MSAs) that fail to clearly delineate responsibilities and liability limits. In one recent dispute, the suit alleged there was no written contract between the provider and its client at all, only an oral agreement and a handshake, demonstrating the dangerous informality that still exists in some vendor relationships.
The Insurance Gap
If a client experiences a breach and does not have adequate cyber insurance to cover the costs, the MSP may be exposed to liability as a business associate or service provider. The result is a cascading risk in which MSPs can face claims whether or not their clients are insured: directly from an uninsured client, or, as in the ACE case, from the insurer by subrogation when the client is covered.
Reputation and Business Impact
Beyond direct liability, MSPs face significant business risks from security incidents at client sites. Customer churn, negative reviews, and loss of future business can create long-term financial impacts that extend far beyond any immediate legal claims.
Legal Precedents and Evolving Standards
The legal landscape for third-party liability in cyber incidents is rapidly evolving:
Direct Liability to End Users
Recent cases have established that vendors can face claims not just from their direct clients, but from end users affected by breaches. Under South Carolina law, for example, a negligence claim requires the familiar four elements: a duty to the plaintiffs, a breach of that duty, damage to the plaintiff, and that the damage was proximately caused by the breach of that duty. Courts are increasingly finding that technology vendors owe duties to third parties whose data they handle.
The Attribution Challenge
While the US legal system rarely holds third-party IT and cybersecurity providers liable for data breaches, experts suggest this could change. The ACE case represents a sophisticated attempt to establish clear causal links between specific vendor failures and resulting damages.
Industry Response and Risk Mitigation Strategies
The technology services industry is responding to these evolving risks through several strategies:
Enhanced Insurance Requirements
Insurers that never planned for recovery before writing coverage have few options after a loss. Carriers are now requiring more detailed assessments of vendor relationships and third-party risks during underwriting, so that a subrogation target, and the contractual obligations it owed the insured, are identified before a claim is paid.
Embedded Insurance Solutions
Progressive MSPs are beginning to embed cyber insurance into their service stack so that clients are automatically covered, eliminating disputes over liability. This approach ensures all parties have adequate coverage before an incident occurs.
Contractual Protections
Service providers are strengthening their agreements with:
- Clear liability limitations and exclusions
- Mandatory cyber insurance requirements for all parties
- Well-defined security responsibilities and obligations
- Indemnification clauses backed by adequate insurance
The Technical Lessons: Security Fundamentals Matter
The ACE case underscores that basic security controls remain critically important:
Multi-Factor Authentication
According to the complaint, the absence of MFA was the initial point of failure that enabled the entire attack chain: a single stolen password was sufficient to authenticate. Despite being a fundamental security control, MFA enforcement remains inconsistent across the industry, and a contractual promise to implement it is only as good as the verification that it is actually enforced on every account.
Network Segmentation
Proper isolation between tenant (guest) workloads and the host and management plane beneath them, including segmentation of hypervisor and management interfaces from tenant-reachable networks, could have prevented the privilege escalation that allowed attackers to move from a guest account to host-level control. A host-level compromise is what turns one tenant's stolen password into encryption of every virtual machine on the host.
Alert Classification and Response
The misclassification of security alerts highlights the importance of proper security operations center (SOC) procedures and the human element in cybersecurity. Severity should reflect context, not just the indicator in isolation: a "moderate" event on an account that has already shown an anomalous login and a privilege change is a different event from the same indicator seen on its own, and triage rules and escalation paths should encode that difference so the client is notified while there is still time to act.
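The triage gap described above can be reduced to a rule: an alert's severity should depend on what has already been observed for the same principal, not only on the indicator by itself. The Python below is an added example written for this page; it is not Trustwave's or Congruity's tooling and reflects no detail from the complaint. The alert kinds, the three-stage chain, the seven-day correlation window, the MFA enrollment table and the sample alerts are all constructed assumptions.

```python
"""Context-aware alert escalation: correlate stages of an intrusion chain per principal.

Added illustration for this page (not any vendor's code). All alert kinds, the
chain order, the window and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITIES = ["low", "moderate", "high", "critical"]

# Ordered stages of a stolen-credential intrusion: login -> escalation -> host.
CHAIN = ["anomalous_login", "privilege_escalation", "host_access"]


@dataclass
class Alert:
    ts: datetime
    principal: str          # account the activity is attributed to
    kind: str               # indicator type emitted by the monitoring tool
    base_severity: str = "moderate"   # what the tool assigned in isolation


@dataclass
class Triage:
    alert: Alert
    severity: str
    reasons: list = field(default_factory=list)

    @property
    def notify_now(self) -> bool:
        """Policy (assumed): anything high or above pages the client immediately."""
        return SEVERITIES.index(self.severity) >= SEVERITIES.index("high")


def bump(sev: str, levels: int = 1) -> str:
    """Raise a severity by `levels` steps, saturating at the top of the scale."""
    return SEVERITIES[min(len(SEVERITIES) - 1, SEVERITIES.index(sev) + levels)]


def triage(alerts, mfa_enrolled, window=timedelta(days=7)):
    """Re-score alerts in time order using per-principal history.

    - A login indicator on an account with no MFA enrolled is raised one level.
    - An alert at stage k of CHAIN is raised one level for every earlier stage
      already seen for the same principal inside `window`, so a completed chain
      (login -> escalation -> host access) ends at critical.
    """
    results = []
    seen = {}   # principal -> {stage index: timestamp of latest occurrence}
    for a in sorted(alerts, key=lambda x: x.ts):
        sev, reasons = a.base_severity, []
        if a.kind == "anomalous_login" and a.principal not in mfa_enrolled:
            sev = bump(sev)
            reasons.append("login on account without MFA enrolled")
        if a.kind in CHAIN:
            stage = CHAIN.index(a.kind)
            history = seen.setdefault(a.principal, {})
            prior = [s for s in range(stage)
                     if s in history and a.ts - history[s] <= window]
            if prior:
                sev = bump(sev, len(prior))
                reasons.append("follows " + ", ".join(CHAIN[s] for s in prior))
            history[stage] = a.ts
        results.append(Triage(a, sev, reasons))
    return results


# Constructed sample data: one principal walks the full chain over four days,
# one enrolled user has a lone anomalous login, one admin touches the host alone.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0, "tenant-user", "anomalous_login"),
    Alert(T0 + timedelta(hours=3), "tenant-user", "privilege_escalation"),
    Alert(T0 + timedelta(days=4), "tenant-user", "host_access"),
    Alert(T0 + timedelta(days=1), "other-user", "anomalous_login"),
    Alert(T0 + timedelta(days=2), "platform-admin", "host_access"),
]
MFA_ENROLLED = {"other-user", "platform-admin"}   # assumed enrollment table


def run_sample():
    return triage(SAMPLE_ALERTS, MFA_ENROLLED)


if __name__ == "__main__":
    for r in run_sample():
        flag = "NOTIFY" if r.notify_now else "queue"
        print(f"{r.alert.ts:%Y-%m-%d %H:%M} {r.alert.principal:15} "
              f"{r.alert.kind:21} {r.alert.base_severity:>8} -> {r.severity:<8} "
              f"{flag} {'; '.join(r.reasons)}")
```

Run on the sample, every one of the tool's "moderate" alerts for the chained principal is re-scored: the login becomes high because the account has no MFA, the escalation becomes high because a login anomaly preceded it, and the host access becomes critical because both earlier stages sit inside the window. The lone login from an enrolled user and the administrator's host access stay moderate, which is the point: the same indicator is routine or catastrophic depending on what came before it on the same account.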
The TransUnion Paradox: When End Users Can't Sue But Insurers Can
The ACE v. Congruity & Trustwave case takes on additional complexity when viewed through the lens of the Supreme Court's 2021 TransUnion LLC v. Ramirez decision and the evolving "no harm, no foul" doctrine in data breach litigation. This creates a fascinating paradox in the cybersecurity liability landscape.
The Standing Divide
Following TransUnion, individual victims of data breaches face an increasingly high bar to establish standing in federal court. The Supreme Court's ruling that "no concrete harm, no standing" means that merely having one's data exposed – without proof of actual misuse – is insufficient for Article III standing. In the TransUnion case, only 1,853 of 8,185 class members whose information was incorrectly flagged as matching terrorist watchlists had standing, and only because their reports were actually shared with third parties.
This creates an ironic situation: while individual employees of CoWorx whose personal data may have been compromised in the ransomware attack would likely struggle to establish standing for their own lawsuits (absent proof of identity theft or other concrete harm), ACE as the insurer faces no such hurdle. The insurer has already suffered concrete financial harm – the $500,000 payout – giving it clear standing to pursue subrogation.
The Greenstein Standard and Vendor Liability
The 2024 Ninth Circuit decision in Greenstein v. Noblr raised the bar even higher, holding that general breach notifications without confirmation that a specific individual's data was actually accessed are insufficient to establish standing. This means that even if CoWorx employees received breach notifications, they would need to prove:
- Their specific data was actually accessed (not just potentially exposed)
- Actual misuse occurred or imminent harm exists
- A traceable connection between the breach and any fraudulent activity
- Concrete damages beyond anxiety or time spent monitoring accounts
Yet while these individuals face nearly insurmountable hurdles to recovery, the vendors Congruity and Trustwave face potential liability through the insurer's subrogation claim – a claim based on the same underlying security failures that harmed the individuals.
The Mitigation Cost Conundrum
TransUnion and subsequent cases have created uncertainty around mitigation costs. Courts are divided on whether expenses for credit monitoring, identity theft protection, or time spent addressing potential fraud constitute concrete harm. The majority view requires actual misuse plus mitigation costs, not preventive measures alone.
However, in the insurance context, these same mitigation costs are often covered expenses under cyber policies. This means insurers like ACE pay for preventive measures that courts say don't establish individual standing, then can pursue vendors for reimbursement of these "non-concrete" harms.
Direct Vendor Liability vs. End-User Rights
Recent cases like the Blackbaud litigation have shown that while end users struggle with standing requirements, they occasionally succeed in establishing direct negligence claims against vendors. In that case, the court found that a SaaS provider owed duties to third parties whose data it handled, even without privity of contract.
The critical difference: these cases typically involve class actions where at least some plaintiffs can show concrete harm, allowing the case to proceed. Individual plaintiffs without proof of actual identity theft or financial loss remain largely shut out of the federal courts.
The Policy Implications
This divergence creates several troubling policy implications:
- Justice Gap: Those actually harmed by data breaches (individuals whose identities are at risk) have limited recourse, while entities with contractual relationships and insurance can pursue claims.
- Misaligned Incentives: Vendors may focus on limiting liability to corporate clients and insurers rather than protecting end-user data, knowing individuals face high barriers to legal action.
- Insurance as Gatekeeper: Cyber insurance becomes not just financial protection but the primary mechanism for enforcing security standards through subrogation, rather than direct accountability to affected individuals.
- Dark Web Delays: The time lag between breaches and identity theft means many victims discover harm only after statutes of limitations expire, even as their data circulates on criminal markets.
Looking Forward: Implications for the Industry
This case, combined with the TransUnion doctrine, could establish several important precedents:
1. Heightened Vendor Accountability
If successful, ACE's lawsuit could encourage more aggressive subrogation efforts by insurers, fundamentally changing the risk calculus for technology service providers.
2. Evolution of Service Agreements
We can expect to see more sophisticated contracts that clearly allocate security responsibilities and include specific performance standards for security controls.
3. Insurance Market Changes
The cyber insurance market may see new products specifically designed to address vendor liability and subrogation risks, potentially including:
- Enhanced E&O coverage for technology providers
- Specialized policies for MSPs with built-in client coverage
- More sophisticated risk-sharing arrangements
4. Regulatory Implications
This case could influence future regulations around third-party risk management and vendor liability, particularly in critical infrastructure sectors.
5. The State Court Alternative
As federal courts apply TransUnion's restrictive standing requirements, plaintiffs' attorneys are increasingly turning to state courts, where standing requirements may be more lenient. Some states have their own data breach notification laws with private rights of action that don't require the same showing of concrete harm. This could lead to:
- Forum Shopping: Strategic filing in states with more favorable standing doctrines
- Parallel Tracks: Federal subrogation actions proceeding alongside state court class actions
- Legislative Response: Pressure for federal privacy legislation that clarifies standing and creates statutory damages
6. The Insurance Coverage Evolution
The intersection of TransUnion's standing requirements and increasing subrogation efforts is reshaping cyber insurance products:
- Coverage Clarifications: Policies explicitly addressing subrogation rights and vendor liability
- Premium Adjustments: Higher costs for vendors without robust security controls
- New Products: Specialized coverage for subrogation defense and vendor liability
- Contractual Requirements: Insurers mandating specific vendor management provisions
Conclusion: A Watershed Moment in a Fractured Landscape
The ACE v. Congruity & Trustwave case represents more than just an insurer seeking to recover damages – it signals a fundamental shift in how the technology industry must approach cybersecurity responsibility, occurring against the backdrop of a legal system that increasingly denies individual victims their day in court.
The cruel irony of the current legal landscape cannot be ignored: while the Supreme Court's TransUnion decision effectively bars most data breach victims from federal court absent proof of concrete harm, insurers like ACE face no such barriers in pursuing the very vendors whose negligence exposed that data. This creates a two-tiered justice system where corporate entities with insurance can enforce accountability, while individual victims whose Social Security numbers, financial data, and personal information circulate on dark web marketplaces are told their injuries are too "speculative" for federal court.
For technology service providers, the message is clear but complex: implementing robust security controls is no longer just a best practice – it's a business imperative that directly impacts legal and financial exposure. Yet this accountability comes primarily through insurance subrogation rather than direct responsibility to those whose data they fail to protect.
The "no harm, no foul" doctrine that shields companies from individual lawsuits won't protect them from insurers seeking subrogation. As one legal scholar noted, this creates a system where "the violation did not personally harm the plaintiff" but the insurer who pays for that violation can pursue full recovery. The very same MFA failure or monitoring lapse that courts say doesn't create standing for individuals can trigger million-dollar subrogation claims.
The Path Forward
As this case proceeds through the courts, its outcome could establish precedents that reshape the cybersecurity and insurance landscapes for years to come. Whether ACE prevails or not, the mere filing of this lawsuit has already sent ripples through the industry, prompting vendors, clients, and insurers alike to reconsider their approach to cyber risk management.
The convergence of restrictive standing doctrine and aggressive subrogation creates a new reality:
- For Vendors: Security failures may not trigger individual lawsuits, but insurer subrogation poses existential financial risks
- For Organizations: Cyber insurance becomes essential not just for recovery, but as the primary enforcement mechanism for vendor accountability
- For Individuals: Federal courts remain largely closed, pushing victims toward state courts, regulatory complaints, or simply absorption of losses
- For Insurers: Subrogation becomes a critical tool for loss recovery and market discipline
The era of shared responsibility for cybersecurity is giving way to one of selective accountability, where enforcement depends less on harm to individuals and more on contractual relationships and insurance coverage. In this new paradigm, the question is not whether technology vendors will face liability for security failures, but rather who has standing to hold them accountable.
Until Congress acts to clarify standing requirements or create statutory damages for data breach victims, we're left with a system where those most harmed have the least recourse, while those with the resources to insure against harm become the de facto enforcers of cybersecurity standards. The ACE case may succeed in holding vendors accountable, but it also highlights the fundamental inequity in our current approach to data breach liability.
As the Illinois Biometric Information Privacy Act and state-level privacy laws gain traction, and as Europe's GDPR continues to influence global standards, the pressure for federal action grows. Perhaps the ultimate legacy of cases like ACE v. Congruity & Trustwave will be demonstrating that leaving cybersecurity enforcement to insurance subrogation, while denying standing to actual victims, is neither just nor sustainable in our increasingly connected world.
This article is based on publicly available court filings and industry reports. The allegations contained in the lawsuit have not been proven in court, and the defendants may present different interpretations of the events and their legal obligations.