Cybersecurity Insurance – Are you covered? Part 4

In this series, we are looking at the built-in Cybersecurity Insurance traps for your business – no matter the size. Business Insurance Cybersecurity Riders aren’t the same as full Cybersecurity Insurance, but they are a good starting point to up your security game.

Ben Yarbrough from Calyptix, one of our partner companies, has posted an excellent article on ChannelPro Network to help MSPs (like daviestrek) evaluate their security stance and posture with clients, to make sure the client AND the MSP are covered in the event of a disaster. “Cyber Insurance Litigation: 3 Pitfalls Every MSP Needs to Understand” is a great article with a number of points worth taking a second look at.

Subrogation Is No Longer Theoretical

“Perhaps the most concerning trend for MSPs is the rise of cyber insurance subrogation. Once an insurer pays a claim, it may pursue third parties that allegedly contributed to the loss. In the cyber context, MSPs, MSSPs, and vendors are increasingly viewed as recovery targets.

Early cases signaled insurer commitment in recovering losses. In Travelers v. Blackbaud, Inc., insurers sought recovery after a 2020 ransomware attack affecting hundreds of nonprofits. Although the insurers recently lost in April of 2025 due to contractual limitations and pleading defects, the case demonstrated carriers’ willingness to pursue technology providers.

In Ace American Insurance Co. v. Accellion, Inc., insurers claimed a software provider was negligent in handling a security vulnerability in its online file-transfer service. This allegedly led to a ransomware attack on a Boston law firm.

The case was settled, but it highlights insurers focusing recovery on failed patching, notification, and monitoring. All of these are key services provided by MSPs.

Direct Exposure: Congruity 360 and Trustwave

In September 2025, Ace American Insurance Co. v. Congruity 360, LLC and Trustwave Holdings, Inc. squarely targets an IT provider and an MSSP following a ransomware incident at CoWorx Staffing Services. Ace paid approximately $500,000 under CoWorx’s cyber policy. Then, it invoked subrogation rights against its service providers. Ace alleged Congruity 360 failed to properly enforce MFA and secure servers while Trustwave failed to timely detect and escalate suspicious activity.

Unlike earlier cases against software vendors, this action directly targeted outsourced IT and security providers for core MSP responsibilities including MFA enforcement, server hardening, monitoring, and incident escalation. Those same controls are routinely referenced in underwriting applications.

Subrogation increasingly converts MSP operational decisions into legal exposure. In many cases, MSP Tech E&O coverage becomes the primary defense.”

Key Takeaway on Trap #3:

Besides being a new vocabulary word for today, subrogation can become a problem for anyone you tell your insurance company is helping you. This is a troubling but not unexpected development. Insurance companies will minimize their losses aggressively. That puts a large potential target on anyone in the IT help business.

It’s important to take security seriously, and if you don’t trust the security advice you’re getting, seek out alternative opinions. There will always be “cheaper” products on the market, but do they work well with the other products you’re using? Do they do what they say they do? Have a serious discussion with your Computer Expert to determine the best course of action for you and your company.

Looking to up your security?

We can help! Personal, Business, or both.
