In a ruling dated 23.05.2024 (Ref. 5 O 128/21), the Regional Court of Kiel ruled that a cyber insurance policy is exempt from payment due to false information in the insurance application. The insurer had contested the contract on the grounds of fraudulent misrepresentation after the insured company, a timber wholesaler, suffered a hacker attack resulting in significant damage.
Inadequate IT security despite information to the contrary
In this case, when taking out cyber insurance in 2020, the timber wholesaler had stated, among other things, that all work computers were equipped with up-to-date malware detection and that available security updates were carried out without culpable hesitation. However, there were actually several servers in use with outdated, insecure operating systems for which updates were no longer available. The employee responsible for IT at the timber wholesaler stated during the trial that he had “deliberately overlooked” the systems in question when answering the risk questions. These were not subordinate computers, but servers with central functions for operations. An unprotected server with an outdated Windows system served as a connection between the web store and the company’s merchandise management system. For companies with complex IT systems in particular, it can make sense to commission external security experts to carry out an objective review of the system landscape. An external perspective often makes it easier to identify weaknesses than internal employees, who may be blind to the company’s operations or do not have an overview of all areas due to time constraints. Such a security analysis can also help to correctly present IT security to insurers and avoid unpleasant surprises in the event of a claim.
Fraudulent misrepresentation leads to exemption from benefits
The court considered the false information to be fraudulent misrepresentation on the part of the insurer, as the questions were answered incorrectly “in the blue”. The responsible IT manager could and should have recognized the security deficiencies. Due to the fraudulent misrepresentation, the insurance contract was null and void so that the insurer did not have to pay out. the decisive factor for the court’s assessment was that the inadequately protected systems had central functions in the company. The outdated Windows server was essential as a connection between the web store and merchandise management. The domain controller for managing access rights in the network was also still in an insecure delivery state. In the case of such important systems, the court could not believe that their security deficiencies had remained hidden from the IT manager, who, according to an expert witness, could have quickly checked that the virus protection and security updates were up-to-date by looking at the administration consoles. The fact that he had failed to do so before answering the risk questions was considered by the court to be an indication of fraudulent intent. Especially when taking out cyber insurance, the person responsible must be aware of how important the insurer takes the information on IT security.
Significance for companies and insurance companies
The ruling shows how important it is to answer risk questions correctly for cyber insurance policies. Companies must ensure that their IT security standards correspond to the information in insurance applications in order to be covered in the event of a claim. False statements, even if they are only made negligently, can lead to the insurer being released from its obligation to indemnify, and it can make sense for larger companies with complex IT systems in particular to have the risk questions answered by external security experts. This allows the actual security situation to be assessed objectively and presented correctly. It is also advisable to have penetration tests and vulnerability analyses carried out by specialized service providers at regular intervals in order to improve IT security overall. For insurers, the decision means that they can invoke fraudulent misrepresentation as a “sharp sword” if false statements can be proven. In view of the increasing threat of cybercrime, many insurers are likely to revise and specify their risk questions in order to avoid disputes and limit their exposure. Overall, the judgment of the Regional Court of Kiel is to be welcomed, as it underlines the importance of a truthful risk declaration and enables insurers to keep their liability risk calculable. It reminds companies to take their IT security seriously and not to rely solely on insurance cover. Because even with a cyber policy, prevention is better than cure.
