Cyber Insurance Refusal: False Info | IT-Medienrecht

Learn why cyber insurance refused payout after a hacker attack due to false IT security info. Discover how to avoid fraudulent misrepresentation. Protect…

Regional Court Kiel: No Cyber Insurance Payout Due to False IT Security Information

Regional Court Kiel: No Cyber Insurance Payout Due to False IT Security Information

In a ruling dated May 23, 2024 (Ref. 5 O 128/21), the Regional Court of Kiel ruled that a cyber insurance policy is exempt from payment due to false information in the insurance application. The insurer had contested the contract on the grounds of fraudulent misrepresentation. This occurred after the insured company, a timber wholesaler, suffered a hacker attack resulting in significant damage.

Inadequate IT Security: A Timber Wholesaler's Case

When taking out cyber insurance in 2020, the timber wholesaler made specific claims about its IT security. The company asserted that all work computers had up-to-date malware detection. Furthermore, it stated that all security updates were promptly installed.

However, reality differed significantly. Several servers were running outdated, insecure operating systems for which no further updates were available. The IT employee admitted during the trial that he had "deliberately overlooked" these systems.

These neglected systems were not minor components. They included servers with central operational functions, such as an unprotected server with an outdated Windows system connecting the web store and the merchandise management system. Such critical vulnerabilities can have severe consequences, similar to risks discussed regarding cybersecurity tightening in 2025.

For companies with complex IT infrastructures, commissioning external security experts for an objective review is often beneficial. An external perspective can more easily identify weaknesses that internal employees might overlook due to operational blindness or time constraints. Such an analysis also ensures accurate representation of IT security to insurers, preventing unpleasant surprises.

Fraudulent Misrepresentation: The Court's Assessment

The court deemed the false information a fraudulent misrepresentation by the insured. It determined that the risk questions were answered incorrectly "ins Blaue hinein" (recklessly, without factual basis). The IT manager responsible had the means and duty to recognize these significant security deficiencies.

Consequently, the court declared the insurance contract null and void due to this fraudulent misrepresentation. This exempted the insurer from any obligation to pay. The crucial factor in the court's decision was the central role of the inadequately protected systems within the company.

Key systems with vulnerabilities included:

The court found it implausible that the IT manager was unaware of these critical system vulnerabilities. An expert witness confirmed that he could have easily verified virus protection and security update status via administration consoles. His failure to do so before answering the risk questions strongly indicated fraudulent intent.

This case highlights the critical importance of accurate IT security information when applying for cyber insurance. Companies must understand how seriously insurers treat these declarations, as any misrepresentation can void coverage, potentially leading to substantial financial losses, as often arises from issues like a data leak.

Implications for Companies and Cyber Insurance Providers

This ruling underscores the critical importance of accurately answering risk questions for cyber insurance policies. Companies must align their actual IT security standards with the information provided in their insurance applications to ensure coverage in case of a claim. Inaccurate statements, even if made negligently, can release the insurer from its obligation to indemnify.

For larger companies with intricate IT systems, engaging external security experts to answer risk questions is highly recommended. This approach facilitates an objective assessment and accurate representation of the current security posture. Regular penetration tests and vulnerability analyses by specialized service providers are also crucial for continuous IT security improvement.

For insurers, this decision validates the use of fraudulent misrepresentation as a "sharp sword" when false statements can be proven. Given the escalating threat of cybercrime, many insurers are likely to refine and specify their risk questions. This aims to prevent disputes and manage their exposure more effectively.

Conclusion

The judgment by the Regional Court of Kiel emphasizes the necessity of truthful risk declarations in cyber insurance. It enables insurers to maintain calculable liability risks. Ultimately, this ruling serves as a vital reminder for companies to prioritize their IT security diligently and not solely rely on insurance coverage, as proactive prevention remains superior to post-incident remedies.