Cyber insurance: Higher Regional Court ruling on fraudulent intent
The article was first published on January 6 in Versicherungsmonitor.
While the number of claims is rising, court rulings on cyber insurance remain few and far between. In Schleswig-Holstein, a higher regional court has now dealt with the question of under what conditions a cyber insurance contract can be contested on the grounds of fraudulent intent. In doing so, the judges also commented on the requirements for the clarity of the insurer's risk questions.
The Schleswig-Holstein Higher Regional Court had the opportunity to rule on cyber insurance in an appeal against the judgment of the Kiel Regional Court of May 23, 2024 (Ref. 5 O 128/21), which has already been discussed elsewhere. In the previous instance, the action brought by the policyholder affected by a hacker attack had been unsuccessful.
The Regional Court of Kiel ruled that the cyber insurance contract concluded by the plaintiff was void due to a challenge on the grounds of fraudulent misrepresentation and that the defendant insurer had therefore rightly refused to provide cover. The insurer had been able to base its challenge on the fact that the policyholder had answered risk questions posed via the insurer's online portal "at random" and thus deliberately provided incorrect answers.
The Schleswig-Holstein Higher Regional Court concurred with this view in a reference decision dated October 14, 2024 (Ref. 16 U 63/24).
The Schleswig-Holstein Higher Regional Court shares the view of the lower court that the right to contest the contract does not depend on whether the risk questions put to the plaintiff were formally asked in writing, or on whether the insurer pointed out in the application the consequences of providing incorrect information.
Risk questions must be clear and not vague or ambiguous
In addition, the Schleswig-Holstein Higher Regional Court attests that the risk questions on which the fraudulent misrepresentation was based were clearly formulated.
The addressee of a risk question must be enabled by that question to form a reasonable picture of the circumstances it covers. It is the insurer's responsibility to formulate the question in such a way that, if answered correctly, it provides the insurer with complete knowledge of the circumstances relevant to the risk. How a risk question is to be understood depends on the understanding of a reasonable policyholder, taking into account the insurance to be taken out and the insurer's interest in obtaining information, insofar as that interest is apparent to the policyholder.
According to the Schleswig-Holstein Higher Regional Court, cyber insurance must therefore be based on the understanding of a "commercial entrepreneur who is extensively involved in online business."
Such an entrepreneur would be sufficiently aware, when asked whether all stationary and mobile work computers are equipped with up-to-date software for detecting and preventing malware, that the question refers to the current virus protection status of all computers that perform functions in the company's network and "work" in this sense.
A reasonable policyholder must therefore understand that the question also refers to servers. Since a web SQL server used by the policyholder had no virus scanner or other antivirus software, the policyholder should not have answered the risk question in the affirmative, but rather in the negative.
The same applies to the question of whether available security updates are installed without undue delay and whether only products for which the manufacturer still provides security updates are used to operate the IT system. This question clearly aims to determine whether the software used in the company's network is kept up to date with what the manufacturer provides, and whether updates are installed as quickly as the operational circumstances permit.
Since the manufacturer no longer guaranteed updates for an operating system the policyholder ran on a server, and no software or security updates had in fact been provided for it for some time, the policyholder also had to answer this question in the negative.
Answering "into the blue" was fraudulent
In the opinion of the Schleswig-Holstein Higher Regional Court, the policyholder had a special duty of care when answering the risk questions because the policyholder had special expertise. According to the IT-Grundschutz Compendium of the Federal Office for Information Security (BSI-OPS1.3), patch and change management with regard to typical risks should have included, among other things, a concept for management, the definition of responsibilities, and the regular updating of IT systems and software as basic requirements.
An insurer who explicitly asks about the current security status of the IT system can expect a commercial enterprise to observe such standards and not to give vague answers to the questions asked, but to base its answers on concrete, currently available knowledge gathered in accordance with those standards. Since the policyholder had no such standards in place, it was obvious that the unqualified affirmative answers to the questions were statements made without any factual basis, from which conditional intent (dolus eventualis) to deliberately answer the risk questions incorrectly could be inferred.