Cyber Insurance Voided: The High Cost of Misrepresenting Your IT Security
You invest in cyber insurance to protect your business from the financial fallout of a data breach or ransomware attack. But what if the policy itself becomes worthless because of incorrect information you provided during the application? A recent German court case delivers a stark warning: inaccurate or misleading answers about your IT security posture can be deemed fraudulent misrepresentation (arglistige Täuschung), allowing the insurer to void the contract and deny even a valid claim. In this instance, a company lost its right to a €424,000 payout. This guide explains the legal principles at play and provides actionable steps to ensure your coverage remains intact when you need it most.
The Case: A €424,000 Claim Denied Over Outdated Servers
A North German company with 16 locations purchased a cyber liability insurance policy. During the application process, the company's representative answered the insurer's risk assessment questions. Crucially, they stated that:
- All work computers were equipped with current security software.
- Security updates were installed without delay.
Later, the company suffered a cyber incident and filed a claim. During the investigation, the insurer discovered the truth: the company's IT system had severe security flaws. It was using outdated servers without current security patches or adequate antivirus protection—directly contradicting the application answers.
The Kiel Regional Court (Landgericht Kiel, Az. 5 O 128/21) ruled in favor of the insurer. The court found that the employee had answered the risk questions "into the blue" (ins Blaue hinein), that is, without any factual basis and without verifying their accuracy, which constitutes fraudulent misrepresentation. As a result, the insurer was entitled to rescind the contract from its inception and deny the €424,000 claim. The decision underscores that the duty of disclosure is not a formality but a foundational element of the insurance contract: a question you cannot answer from verified facts must be checked first or answered with the uncertainty stated.
Fraudulent Misrepresentation vs. Honest Mistakes: What the Law Says
Insurance is a contract based on utmost good faith (uberrima fides). This principle requires you to disclose all material facts that could influence the insurer's decision to accept the risk or set the premium. The consequences of failing this duty depend on intent:
| Scenario | Legal Consequence | Impact on Claim |
|---|---|---|
| Fraudulent Misrepresentation (Arglistige Täuschung): Intentionally providing false information, or answering without any factual basis while accepting that the answer may be wrong. | Insurer can rescind the contract ab initio (from the beginning). | Claim is denied, even if the misrepresentation had no connection to the loss. Premiums may be forfeited. |
| Negligent or Innocent Misrepresentation: Providing incorrect information without fraudulent intent, through carelessness or a genuine mistake. | Insurer's remedies depend on the applicable insurance contract law and policy wording; it may adjust the terms, reduce the claim, or cancel the policy prospectively. | Claim may be reduced or denied only if the undisclosed fact was material to the risk and, in many cases, only if it contributed to the loss. |
| Full & Accurate Disclosure: All material questions answered truthfully and completely. | Contract is valid and enforceable. | Coverage proceeds as expected in the event of a covered loss. |
The Kiel case fell into the first category. The court viewed the act of answering critical security questions without knowledge or verification as a reckless disregard for the truth, which under German law amounts to fraudulent misrepresentation; it did not matter whether the outdated servers had actually caused the incident.
Contrasting Ruling: When Outdated IT Doesn't Void Coverage
Not every IT security flaw leads to a denied claim. In a contrasting case from the Tübingen Regional Court, a company also had outdated servers and missing updates. However, an expert report concluded that the downloaded malware would have affected old and new servers equally, so the security gaps did not influence the occurrence or extent of the damage. Therefore, the insurer had to pay. The key difference is what the insurer was relying on: in Kiel, the false application answers were themselves the fraudulent misrepresentation, for which no causal link to the loss is required; in Tübingen, the insurer could only invoke the security gaps if they had caused or aggravated the loss, and the expert evidence showed they had not.
How to Protect Your Business: A Compliance Checklist
To ensure your cyber insurance policy responds when needed, follow these best practices during application and renewal:
- Designate a Knowledgeable Respondent: The person completing the application must have direct knowledge of the company's IT security measures, network architecture, and data protection protocols. Never guess or assume.
- Conduct a Pre-Application IT Audit: Before applying, review your systems against the questions insurers typically ask: patch management, endpoint protection, encryption, access controls, backup procedures, and employee security training. Answer from evidence (patch reports, endpoint inventories, backup logs), not from assumptions, and list every system that does not meet the standard the question implies rather than giving a blanket "yes".
- Document Your Answers: Keep a copy of the completed application and all supporting documentation you provided. This is your baseline.
- Disclose Proactively: If you're unsure whether a fact is material, disclose it. It's better to provide too much information than too little. If your security posture changes significantly after policy inception, notify your insurer.
- Work with a Specialist Broker: A broker experienced in cyber risk insurance can help you interpret questions accurately, present your risk profile fairly, and choose an insurer with clear policy wording.
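As an added example (not from the article, the court file, or any insurer's questionnaire), the following Python script answers the two risk questions from the Kiel case from an asset inventory instead of from memory. The inventory, host names, the product name "ExampleAV", and the freshness thresholds (30 days for patches, 7 days for antivirus definitions) are constructed assumptions; in practice the inventory would be exported from your patch management or endpoint protection console. The point of the script is that a "yes" to "all work computers have current security software" is only produced when the exception list is empty; otherwise it produces the exceptions that should be disclosed.

```python
"""Evidence-based pre-application check (added example, not the article's code).

Answers two typical cyber insurance risk questions from a host inventory and
lists every exception for disclosure instead of a blanket 'yes'.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    role: str                      # "workstation" or "server"
    last_patch: date               # date the last security update was applied
    av_product: Optional[str]      # None if no endpoint protection installed
    av_signature: Optional[date]   # date of the last definition update
    vendor_supported: bool         # False for end-of-life OS without patches


# Constructed sample inventory and illustrative thresholds (assumptions).
AS_OF = date(2024, 6, 30)
MAX_PATCH_AGE_DAYS = 30
MAX_SIG_AGE_DAYS = 7

INVENTORY = [
    Host("ws-berlin-01", "workstation", date(2024, 6, 25), "ExampleAV", date(2024, 6, 29), True),
    Host("ws-kiel-07", "workstation", date(2024, 6, 20), "ExampleAV", date(2024, 6, 28), True),
    Host("ws-kiel-12", "workstation", date(2024, 3, 2), None, None, True),
    Host("srv-file-02", "server", date(2023, 11, 14), "ExampleAV", date(2024, 1, 5), False),
    Host("srv-mail-01", "server", date(2024, 6, 27), "ExampleAV", date(2024, 6, 30), True),
]

Finding = Tuple[str, str]  # (category: "patch" or "av", description)


def host_findings(h: Host, as_of: date = AS_OF,
                  max_patch: int = MAX_PATCH_AGE_DAYS,
                  max_sig: int = MAX_SIG_AGE_DAYS) -> List[Finding]:
    """Return every way a host contradicts the questionnaire answers."""
    findings: List[Finding] = []
    if not h.vendor_supported:
        findings.append(("patch", "unsupported/end-of-life OS (no security patches available)"))
    patch_age = (as_of - h.last_patch).days
    if patch_age > max_patch:
        findings.append(("patch", f"last patch {patch_age} days old"))
    if h.av_product is None:
        findings.append(("av", "no endpoint protection installed"))
    elif h.av_signature is None or (as_of - h.av_signature).days > max_sig:
        findings.append(("av", "endpoint protection definitions out of date"))
    return findings


def evaluate_posture(inventory: List[Host], as_of: date = AS_OF,
                     max_patch: int = MAX_PATCH_AGE_DAYS,
                     max_sig: int = MAX_SIG_AGE_DAYS) -> Dict[str, object]:
    """Answer the two risk questions only if no host contradicts them."""
    exceptions: Dict[str, List[Finding]] = {}
    for h in inventory:
        f = host_findings(h, as_of, max_patch, max_sig)
        if f:
            exceptions[h.name] = f
    all_findings = [cat for f in exceptions.values() for cat, _ in f]
    return {
        "all_computers_have_current_security_software": "av" not in all_findings,
        "updates_installed_without_delay": "patch" not in all_findings,
        "exceptions": exceptions,
    }


def disclosure_lines(result: Dict[str, object]) -> List[str]:
    """One line per non-compliant host, ready to attach to the application."""
    exceptions = result["exceptions"]
    return [f"{name}: " + "; ".join(desc for _, desc in findings)
            for name, findings in exceptions.items()]


if __name__ == "__main__":
    r = evaluate_posture(INVENTORY)
    print("All computers have current security software:",
          r["all_computers_have_current_security_software"])
    print("Updates installed without delay:", r["updates_installed_without_delay"])
    for line in disclosure_lines(r):
        print("Disclose:", line)
```

Run against the sample inventory, both questions come back "False" and two hosts are listed for disclosure (an unpatched workstation without endpoint protection and an end-of-life file server); only when those hosts are remediated or removed from scope does the script return "True" for both questions. Keep the inventory export and the script output with your copy of the application, as the checklist above recommends, so that the basis for each answer is documented.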
Final Verdict: Honesty is the Best Cyber Defense
A cyber insurance policy is only as strong as the accuracy of its foundation. The Kiel ruling is a powerful reminder that the application process is a critical part of your risk management strategy. Treat the insurer's questions with the same seriousness as a technical security audit. By ensuring truthful, verified, and complete disclosures, you secure not just a piece of paper, but a reliable financial backstop that will stand up in court when a real cyber crisis strikes. Don't let a preventable misrepresentation turn a covered event into a total loss.