When Your Insurer Becomes Your Adversary: The Rising Threat of Subrogation Lawsuits Against Cybersecurity Vendors
A New Battlefield in Cyber Insurance
When a cybersecurity incident strikes, companies typically expect their cyber insurance to cushion the financial blow. But a troubling new trend is emerging that's sending shockwaves through the cybersecurity services industry: insurers are increasingly turning their legal sights on the very vendors and managed security service providers (MSSPs) that policyholders hired to protect them.
In September 2025, Ace American Insurance Company filed a lawsuit that crystallized this shift. The insurer sued two cybersecurity vendors, Congruity 360 and Trustwave Holdings, seeking to recover $500,000 it paid to its insured client, CoWorx, following a ransomware attack. The case represents a watershed moment, highlighting an aggressive new strategy: when insurers cannot pursue the criminals, they go after the cybersecurity professionals instead.
The Ace v. Congruity Case: A Warning Shot
The Ace lawsuit alleges that Congruity 360 failed to set up the multifactor authentication and secure network servers it was contractually obligated to provide, and that this failure allowed the ransomware to be installed. Against Trustwave, Ace claims the vendor failed to notify the appropriate parties of the incident promptly, preventing timely action and significantly increasing the damages.
The insurer is pursuing both negligence and breach of contract claims against the vendors. Ace paid the claim to its policyholder as the policy required; it is now attempting to recoup those losses through subrogation, a legal mechanism that allows an insurer to step into its insured's shoes and pursue claims against third parties responsible for the loss. Because the insurer inherits only the claims its insured had, the terms of the insured's contract with the vendor largely determine what the insurer can recover.
Why Insurers Are Changing Tactics
The logic behind this shift is straightforward, if unsettling for cybersecurity vendors. When a cybersecurity incident occurs and insurers pay claims, they face the frustrating reality that pursuing the actual criminals—the threat actors—for indemnification is virtually impossible. Cybercriminals operate from jurisdictions beyond legal reach, use sophisticated anonymization techniques, and disappear into the digital ether with stolen funds.
Faced with mounting losses and no way to recover from the perpetrators, insurers are pivoting to a more accessible target: the cybersecurity vendors and MSSPs contracted to prevent these incidents in the first place.
The Subrogation Surge: Not an Isolated Incident
Subrogation actions by cyber insurers are becoming more prevalent, with insurers frequently requesting vendor contracts from their insureds following cyber incidents to evaluate potential subrogation rights. This isn't limited to major vendors like Trustwave—MSSPs of all sizes are finding themselves in the crosshairs.
Industry experts note several common scenarios where insurers pursue subrogation:
- IT vendors making configuration errors during firewall installations or other security implementations that lead to unauthorized access
- Managed service providers failing to maintain security controls as contractually required, resulting in ransomware attacks
- Vendors neglecting to implement required security measures like multifactor authentication or patching protocols
- Incident response failures where vendors fail to properly notify stakeholders or take timely remediation actions
Determining the cause of cyber incidents is often difficult, as threat actors devise increasingly sophisticated techniques for gaining access and remaining undetected. However, when forensic investigations can establish a chain of causation linking vendor actions (or inactions) to the breach, insurers are increasingly willing to pursue recovery.
Understanding breach notification requirements is crucial for all parties. Resources like the Breach Notification Hub can help organizations navigate the complex landscape of breach disclosure obligations across different jurisdictions.
The Blackbaud Reality Check: When Subrogation Fails
Not all subrogation attempts succeed, and the 2020 Blackbaud ransomware incident illustrates the challenges. Several nonprofit and higher education organizations insured by Travelers and Philadelphia Indemnity incurred substantial costs, and while insurers initially covered expenses, they later filed lawsuits against Blackbaud to recover payments. However, the Delaware court ultimately dismissed the insurers' breach claims, stressing the need for precise vendor contracts in cyber recovery.
The Blackbaud case demonstrates that vague contractual language can doom subrogation efforts—but it also serves as a learning opportunity for insurers, who are now more sophisticated in their approach.
The Underwriting Revolution: Vendor Contracts Now Under Microscope
The implications extend far beyond post-breach litigation. Insurers are now scrutinizing policyholders' security controls during policy underwriting, looking for evidence that policyholders are managing vendor risk proactively and contractually, to help set premiums and policy language.
This represents a fundamental shift in how cyber insurance operates:
At Application Time:
- Insurers now ask about contracts between policyholders and third-party vendors as part of the underwriting process, to assess their potential exposure
- Companies with weak or vague vendor agreements face higher premiums or coverage limitations
- Organizations must demonstrate robust third-party risk management programs
At Renewal Time:
- Failed subrogation attempts, in which insurers could not recover their costs from vendors, have prompted more aggressive underwriting and heightened scrutiny at renewal
- Policy terms increasingly depend on the quality of vendor contracts
- Insurers may decline coverage for organizations with inadequate vendor risk management
What Insurers Want to See: Cyber insurance carriers are looking for robust third-party risk management programs that include strong contractual language, cybersecurity certifications from vendors, and requirements for vendors to purchase cyber or technology errors and omissions insurance.
Impact on MSSPs and Cybersecurity Vendors
For managed security service providers and cybersecurity vendors, this trend creates a perfect storm of risk:
Legal Liability Exposure
Even when vendors believe they have acted properly, they may face expensive litigation. Not all press is good press: even a vendor that did nothing wrong and is insured against the claim suffers once its name appears in the headlines. The reputational damage alone can be devastating.
Insurance Becomes Critical
Professional liability insurance and errors and omissions (E&O) coverage are no longer optional for cybersecurity service providers. Many insurers won't write policies exceeding $5 million, even though a single breach can cost more than that, forcing some vendors to layer coverage across multiple policies at significant expense.
Organizations evaluating their insurance needs can use tools like the Cyber Insurance Calculator to estimate appropriate coverage levels based on their risk profile and business operations.
Contract Language Is Everything
The days of boilerplate service agreements are over. MSSPs and vendors need attorney-reviewed contracts that:
- Clearly define the scope of services and security obligations
- Specify what the vendor IS and IS NOT responsible for
- Include appropriate liability limitations
- Address incident notification procedures and timelines (see the Breach Notification Hub for jurisdiction-specific requirements)
- Clarify roles in incident response
- Establish clear protocols for handling personally identifiable information (consult the PII Compliance Hub for comprehensive data protection standards)
The Waiver of Subrogation
A waiver of subrogation clause in the master service agreement is designed to bar the client's insurer from pursuing the vendor for losses the insurer has paid. However, clients are increasingly reluctant to agree to such clauses, particularly as insurers push back against them during their own underwriting reviews.
What This Means for Policyholders
Companies purchasing cyber insurance also face new realities:
Vendor Selection Matters More Than Ever
In today's cyber insurance landscape, the quality of vendor contracts can directly impact coverage, claims, and exposure to third-party litigation. Organizations must:
- Conduct thorough due diligence on vendor security capabilities
- Ensure vendors carry adequate insurance
- Obtain certificates of insurance rather than relying on verbal assurances
- Review vendor contracts with legal counsel experienced in cybersecurity
The Vendor Relationship Paradox
There's an uncomfortable irony at play: companies hire cybersecurity vendors to reduce risk, but if those vendors fail, the company may find itself caught between warring parties—their insurer pursuing their vendor through subrogation, potentially disrupting ongoing security relationships at the worst possible time.
Your Vendor's Problems Become Your Problems
If an insurer pursues a vendor into bankruptcy or forces it out of business, the policyholder loses not just incident response support but potentially its ongoing security services. One response gaining traction is strategic redundancy: contracting multiple vendors for critical services so that failover is rapid and downtime is minimized.
Best Practices: Protecting All Parties
For Cybersecurity Vendors and MSSPs:
- Obtain Comprehensive Insurance: Carry robust professional liability and cyber E&O coverage with limits appropriate to your client base
- Invest in Ironclad Contracts: Work with attorneys experienced in technology services to craft agreements that clearly delineate responsibilities and include appropriate liability limitations
- Document Everything: Maintain detailed records of security implementations, client communications, and service delivery, including timestamped evidence of control state (for example, that multifactor authentication was enforced and patches were applied) so that what was actually in place at the time of an incident can later be established
- Include Waiver of Subrogation Clauses: While difficult to negotiate, these provisions can provide crucial protection
- Require Client Insurance: Make cyber insurance mandatory for clients, and include language that insurance companies cannot pursue the MSSP if clients make claims
- Never Fill Out Client Insurance Applications: If vendors fill out insurance policy forms for clients, they take on liability for any inaccuracies. Provide guidance instead
- Maintain Security Awareness Training Programs: Insurers may pursue subrogation if they discover vendors neglected to actively manage required services like security awareness training
- Be Selective About Clients: Not all business is good business—vendors should not be afraid of walking away from customers that pose too much risk
For Organizations Purchasing Cybersecurity Services:
- Demand Quality Vendor Contracts: Work with legal counsel to ensure contracts clearly define cybersecurity obligations, responsibilities, and performance standards
- Verify Vendor Insurance: Require certificates of insurance showing adequate coverage, including cyber liability and E&O policies
- Include Vendor Requirements in Contracts:
  - Minimum insurance coverage amounts
  - Policy duration extending beyond contract term
  - Naming your organization as additional insured
  - Waiver of subrogation provisions where possible
  - Notice requirements for policy cancellation or modification
  - Clear data handling and PII protection obligations (reference the PII Compliance Hub for comprehensive guidance on personal information protection requirements)
- Conduct Vendor Risk Assessments: Treat vendor risk with the same scrutiny as internal security, starting with rigorous front-end due diligence on technical controls
- Understand Your Own Coverage: Know what your cyber insurance covers and how vendor relationships affect your policy
- Maintain Continuous Monitoring: Don't just assess vendors at contract signing—implement ongoing monitoring of vendor security practices
- Embed Vendors in Incident Response Plans: Organizations should embed vendors into incident response plans as if they were part of their own network
For Insurance Brokers and Risk Managers:
- Educate Clients: Help organizations understand how vendor contracts affect insurance coverage and premiums. Utilize assessment tools like the Cyber Insurance Calculator to demonstrate coverage needs based on risk factors.
- Review Third-Party Agreements: Make vendor contract review part of the insurance placement process
- Set Realistic Expectations: Explain subrogation risks to both policyholders and their vendors
- Facilitate Coverage Coordination: Help ensure all parties have appropriate, complementary coverage
The Broader Implications
This trend reflects a maturation, and a complication, of the cyber insurance market. As premiums have softened and capacity has increased, insurers are using subrogation as a loss control mechanism to maintain profitability. Even as rate decreases continue, insurers are expected to sharpen their scrutiny of third-party risk management controls in 2025.
The practice also creates a potential feedback loop: as subrogation becomes more common, vendors will demand higher fees to cover increased insurance costs and legal risks. These costs ultimately flow through to end customers, potentially driving up the total cost of cybersecurity even as insurance premiums decline.
There's also a philosophical question about fairness. When insurers pursue vendors who may have made good-faith efforts to provide security but were outmaneuvered by sophisticated threat actors, does this create a chilling effect on the industry? Will talented professionals avoid cybersecurity vendor roles due to liability concerns?
Looking Ahead
The Ace v. Congruity case is unlikely to be the last of its kind. As cyber insurance matures, expect to see:
- More Subrogation Litigation: Insurers will continue pursuing vendors when they can establish causation and breach of duty
- Stricter Underwriting Standards: Vendor risk management will become a primary factor in policy pricing and terms
- Contract Evolution: Both vendor agreements and insurance policies will become more sophisticated in addressing these issues
- Possible Legislative Action: If subrogation becomes widespread enough to disrupt the cybersecurity services market, regulators may step in
- Increased Insurance Costs for Vendors: MSSPs and cybersecurity vendors should expect rising E&O premiums as insurers price in subrogation risk
- Market Consolidation: Smaller vendors without resources for robust insurance and legal protection may exit the market or be acquired
Helpful Resources
To help navigate this complex landscape, organizations can leverage these specialized resources:
- Cyber Insurance Calculator - Assess appropriate coverage levels and estimate premiums based on your organization's risk profile
- Breach Notification Hub - Comprehensive guidance on breach notification requirements across different jurisdictions
- PII Compliance Hub - Detailed information on personally identifiable information protection standards and compliance requirements
Conclusion: A New Era of Accountability
The rise of cyber insurer subrogation lawsuits against vendors represents a significant shift in how risk is allocated in the cybersecurity ecosystem. While holding vendors accountable for negligence or breach of contract is reasonable, the practice creates new tensions and costs throughout the industry.
For cybersecurity vendors and MSSPs, the message is clear: professional excellence is no longer enough. Robust insurance, ironclad contracts, and meticulous documentation are now existential requirements. The cost of doing business has increased, and vendors must adjust their operations and pricing accordingly.
For organizations purchasing cybersecurity services, vendor selection is no longer primarily a technical decision—it's a risk management decision that directly affects insurance coverage and costs. Due diligence on vendor contracts and insurance is now as important as evaluating technical capabilities.
In this new landscape, all parties, insurers, policyholders, and vendors alike, must adapt to a more complex risk environment in which yesterday's handshake agreements and trust-based relationships no longer suffice.
The cybersecurity industry has always operated in a high-stakes environment. Now, as insurers add legal pressure to the technical challenges, the stakes have risen higher still. Success will require not just technical excellence, but sophisticated risk management, contractual precision, and comprehensive insurance protection across all parties in the cybersecurity ecosystem.
About the Author's Research: This article is based on analysis of recent legal developments including the Ace American Insurance Company v. Congruity 360 and Trustwave Holdings case (Case No. 2:25-cv-15657, D.N.J., filed September 15, 2025), industry reports on cyber insurance trends, and expert commentary on subrogation practices in the cyber liability space.