Cyber Insurer Sues Policyholder’s Cyber Pros

Ace American Insurance Company (“Ace”) recently filed a subrogation lawsuit against two technology and cybersecurity providers, following a cybersecurity incident suffered by an insured policyholder that had engaged the providers. This case highlights the growing risk of subrogation lawsuits following a cybersecurity incident.

When a cybersecurity incident occurs and an insurer pays out the claim, the insurer often faces the frustrating reality that pursuing the actual criminals – the threat actors – for indemnification is virtually impossible. Thus, insurers are now turning to subrogation claims against the very cybersecurity vendors entrusted by policyholders to protect their systems. Indeed, insurers are increasingly examining whether outsourced cybersecurity providers may have breached their contractual obligations or failed to deliver adequate protection, leading to the loss. This shift means policyholders may find their cybersecurity vendors facing legal action from their own insurer, creating a new layer of risk in vendor relationships.

Last month, Ace filed a subrogation action against its insured’s cybersecurity and technology vendors, alleging missteps by the technology companies. See Ace American Insurance Company v. Congruity 360, Trustwave Holdings, Case No. 2:25-cv-15657 (D.N.J. Sep. 15, 2025). Ace seeks to recover the $500,000 in damages it paid to its insured, CoWorx, under the cybersecurity policy issued by Ace. Ace alleges that its insured’s cybersecurity incident occurred as a result of Congruity 360 and Trustwave’s negligence. Ace also asserts breach of contract against both defendants.

The complaint details several alleged bases for Ace’s subrogation action against the technology companies contracted by its insured. Against Congruity 360, Ace claims that the contract between CoWorx and Congruity 360 required Congruity 360 to set up multifactor authentication and secure network servers for CoWorx. Ace further alleges that Congruity 360 failed to do so, leading to installation of ransomware. The claims against Trustwave are similar. Ace alleges that Trustwave failed to properly notify the appropriate parties of the cybersecurity incident, preventing CoWorx from being able to take relevant proactive action and significantly increasing CoWorx’s damages from the incident.

Subrogation actions by cyber insurers are becoming more prevalent, and cyber insurers frequently request vendor contracts from their insureds following a cyber incident so that the insurer can evaluate potential subrogation rights. Insurers are likewise scrutinizing a policyholder’s security controls during policy underwriting, looking for evidence that policyholders are managing vendor risk proactively and contractually, to help set premiums and respective policy language. This underscores that, in today’s cyber insurance landscape, the quality of vendor contracts can directly impact coverage, claims, and exposure to third-party litigation.
