The steady and continuous increase in cyber claims should highlight the need for insureds to focus on a policy’s subrogation clause and the insured’s willingness to waive subrogation in contracts. Conversely, service vendors not obtaining waivers of subrogation from their customers can unexpectedly open them to cyber subrogation claims.
In a webinar just yesterday, attorneys for insurance carriers urged vigilance on the part of insurance carriers in seeking out potential targets that caused an insured’s cyber loss. Potential targets of subrogation may include an insured’s contracted IT vendors, software companies, background check companies, banks, and even their retailers and customers. If an insurance carrier counsel is creative enough, there are a wide range of claims they can bring for cyber subrogation purposes, ranging from breach of contract, negligence and trespassing to fraudulent misrepresentation, among others. The actual hacker or spoofer is generally not considered a viable subrogation target given the difficulty of tracking down a sophisticated and anonymous criminal behind a computer.
Given the lengths and breadth an insurance carrier and its attorneys may go in seeking subrogation, particularly as it relates to cyber claims, greater attention and consideration should be employed when addressing subrogation clauses in contracts. Agreeing to waive subrogation can ultimately affect an insured’s loss experience and conversely, parties that don’t obtain waivers of subrogation in their contracts, may be opening themselves to litigation they never envisioned.