
The Takeaway
As the insurance industry turns to subrogation to manage escalating cyber losses more aggressively, recent cases point to steps insureds can take to mitigate the risks:
- Focus on risk transfer provisions in contracts.
- Watch for waiver of subrogation provisions that could limit or jeopardize a carrier’s recovery rights.
- Pay attention to shortened statutes of limitation and release provisions.
- Monitor vendor relationships as part of overall cyber hygiene practices.
- Expect underwriting changes that reinforce subrogation rights.
Introduction to Cyber Insurance Subrogation
Traditional subrogation principles allow a party (the subrogee) who pays the debt or loss of another (the subrogor) to assert the subrogor's rights against third parties regarding a loss. An insurer who pays losses an insured incurs can generally use subrogation to pursue the insured's rights against any third party responsible for the losses. The insurer stands in the insured’s shoes and has the same rights as the insured.
Notably, an insurer's right to pursue subrogation against third parties can be contractually waived by an insured's waiver of the right to pursue claims against those third parties or by other contractual limitations. With the increasing focus on risk transfer for cyber risk, subrogation has become an increasingly important factor in cyber insurance.
Ransomware Subrogation Cases
Insurers are paying significant amounts on ransomware claims. Consequently, insurers are taking more aggressive positions on claims and are seeking to mitigate losses through subrogation actions. Three recent cases illustrate these trends.
The Blackbaud Case
Travelers Casualty and Surety Co. of America v. Blackbaud, Inc., Nos. N22C-12-130 & N22C-12-141 (Del. Sup. Ct. 4/3/25) was a consolidated action by various insurance companies against Blackbaud, Inc. (Blackbaud). The case arose from a significant 2020 ransomware attack targeting its donor relationship management software. The threatened release of personal identifying information on donors impacted hundreds of educational institutions and nonprofit organizations. The insurers sought to recover expenses paid to insureds for investigations, notifications to constituents, forensic services, attorneys’ fees, and credit monitoring.
Plaintiffs’ policies all included a right of subrogation for payments made to their insureds. Blackbaud’s contracts with its clients required it to safeguard confidential information, use commercially reasonable cybersecurity procedures, notify clients if a defined “security breach” occurred, and take reasonable efforts to mitigate negative consequences. Its contracts also contained limitation of liability provisions (the greater of $25,000 or the total fees paid in the six months before the breach) and excluded indirect, special, incidental, or consequential damages.
In the wake of the breach, Blackbaud allegedly provided untimely and inaccurate disclosures to clients and in its public company filings. Ultimately, Blackbaud entered into a $49.5 million settlement with 49 attorneys general to resolve consumer protection, HIPAA, and data breach notification law claims. It also agreed to an August 2020 SEC Consent Decree.
The insurers alleged Blackbaud breached its contracts by failing to maintain any commercially reasonable cybersecurity procedures as promised, failing to provide timely notice, and attempting to shift its obligations post-breach. Blackbaud moved to dismiss, arguing that the proposed complaints failed to individualize the insureds’ claims and to show the expenses were proximately caused by any contractual breach. It also argued that the damages claimed were excluded consequential or indirect damages and that deductibles could not be recovered due to lack of consent to assignment.
Applying New York law, the Court held that “[a] subrogation claimant must assert well-pleaded allegations of fact to show that the subrogor has a valid claim against the defendant, and in a multi-subrogor action, a plaintiff must separately plead facts for each.” The Court agreed that blanket allegations untethered to a particular claimant are insufficient, particularly when, as here, the violations of privacy statutes weren’t linked to the specific insureds. Absent factual information as to each insured’s claim, the Court could not assess whether each insured had a valid claim. The Court also found that the risk allocation in the Blackbaud client agreements, which limited the types of recoverable damages, precluded a no-fault across-the-board mitigation obligation. Accordingly, the Court dismissed the subrogation claims with prejudice.
Ace American v. Accellion
Ace American Insurance Co. v. Accellion, Inc., No. 4:21-cv-09615-YGR (N.D. Cal. 2022) is a warning to service providers that subrogation claims for negligence, breach of contract, breach of implied warranties, failure to mitigate, and negligent failure to monitor are on the rise.
Ace American Insurance Company (Ace) filed a subrogation action against software company Accellion, Inc. (Accellion), claiming its negligence in handling a security vulnerability in its online collaboration software services caused a ransomware attack on a Boston law firm that was Accellion’s customer and Ace’s insured.
Ace alleged that Accellion knew that its software, which stored confidential files, contained a security vulnerability but initially failed to notify the law firm about the existence of the problem or a critical software update patch. When Accellion eventually sent a notification to the law firm, it failed to verify anyone received it. (The critical notification was directed to two former law firm employees.) Ace asserted that due to the lack of effective notice, the law firm could not update its systems with a “fix” before hackers noticed the vulnerability and exploited it. The hackers exfiltrated confidential legal files and threatened to publicly disclose them unless the law firm paid millions of dollars.
The Boston law firm eventually paid more than $2 million in ransom and filed a claim under its Ace cyber policy for the ransom payment and data restoration costs. Accellion tried to shift the blame to the law firm, claiming the firm failed to update its contact information on Accellion’s emergency notification system. Ace claimed, however, that the law firm did notify Accellion about its former employees’ departures and that it was Accellion’s responsibility to update its own notification systems. The case settled in December 2022.
Another Ace American Case
In September 2025, Ace also filed a $500,000 subrogation claim in the United States District Court for the District of New Jersey arising from an April 2024 ransomware attack on CoWorx Staffing Services. The complaint alleges Congruity 360 LLC, a cloud services provider, and Trustwave, a cybersecurity monitoring firm, contributed to the security breach. Congruity allegedly failed to implement two-factor authentication that its contract with CoWorx required, which allowed the attackers access with a stolen password. Trustwave allegedly identified suspicious activity but misclassified it as moderate rather than high risk and failed to notify CoWorx. Without adequate backup, CoWorx had to pay ransom to access its data.
How Insurers Can Mitigate the Risks
Through subrogation, insurers have a powerful tool to manage escalating cyber losses by pursuing responsible third parties whose negligence or failure contributed to a cyber incident. These three cases illustrate the rise in insurance subrogation claims in the cyber market as insurers seek to recoup all or part of their payouts from parties that enabled the security breach and resulting ransomware attack.
What can we learn?
- Expect insureds to remain involved in litigation long after they hoped the ordeal was over, often incurring tangible costs.
- Clients should focus on risk transfer provisions in their contracts, such as indemnification and limitation of liability provisions. Without a sunset provision, indemnification obligations can last a long time.[i]
- Clients must watch for waiver of subrogation provisions that can limit or jeopardize their carrier’s recovery rights. Insureds also risk forfeiting coverage through adverse interpretations of cooperation clauses.
- Recognize the increasing likelihood of attempts to shift liability between contractual parties. Watch for shortened statutes of limitation and release provisions.
- Pay attention to vendor relationships as part of overall cyber hygiene. Avoid dangerous handshake agreements.
- Expect underwriting changes that reinforce insurers’ subrogation rights.
[i] For example, a typical subcontract waiver clause provides:
Notwithstanding any other provision of the Contract Documents, no party shall be liable to another party or to any insurance company (by way of subrogation or otherwise) for any loss of, or damage to, any of its property located within the Project or upon, or constituting a part of, the Project, which loss or damage arises from the perils that could be insured against under the ISO Causes of Loss-Special Form Coverage, including deductibles (whether or not the party suffering the loss or damage actually carries such insurance, recovers under such insurance, or self-insures the loss or damage). Said mutual waivers shall be in addition to, and not in limitation or derogation of, any other waiver or release contained in the Contract Documents with respect to any loss of, or damage to, property of the parties. This waiver applies whether or not the loss is due to the negligent acts or omissions of a party or Tenant [i.e., Amazon], or their respective officers, directors, employees, agents, contractors, or invitees....
Glenn Davis, Partner
Experience matters. For over 40 years, Glenn Davis’ unwavering commitment to clients has been the delivery of creative and efficient results in dynamic business disputes and cybersecurity challenges. His mission is to provide ...
