
Are Insurers Playing on the Right Cyber Subrogation Field?
November 1, 2020


By Daniel T. Devine CPA, CFF
Original Publish Date: November/December 2020, Claims Magazine

Today’s technology has put the world at our fingertips. Unfortunately, it has done the same for threat actors. Everywhere we look, cyberattacks are on the rise. From the rise in ‘bot’ attacks on financial services to the growing threat of brute-force attacks in Brazil, to an increasing number of sophisticated hands-on hacking campaigns, cybercriminals continue to evolve their practices and tools to exploit vulnerabilities. With system attacks on the rise, so are the costs of dealing with these events. The expense of responding to cyber data and security incidents can be crippling to an organization. Consider ransomware demands running six to eight figures, investigation and attendant notification costs, regulatory inquiries, and the cost to defend third-party lawsuits. Not to mention damage to the affected brand and loss of customers that typically result from a cyber incident. Through all of this, cyber insurers often find themselves with exhausted policy limits and deflated subrogation teams struggling to find recovery sources when threat actors perpetrate unknown and unidentifiable attacks.


When an insurer pays a loss, it then has the opportunity to subrogate against third parties that were responsible for that loss. Subrogation is a right held by insurance carriers to legally pursue a third party that caused the insurance loss. This right is very important to insurance companies because any monies recovered go directly to the insurance company’s bottom line, which can then be passed on to its policyholders in the form of lower premiums. For cyber risk insurance, where the threats and players are increasingly diverse and complex, insurers must handle subrogation correctly. Unfortunately, for carriers, insureds often enter into contracts with cyber service providers that include a waiver of subrogation, which limits the insurer’s ability to recoup the insurance claims payments made to the insured.


A phishing scheme enables a threat actor to breach the data of a large financial institution, exposing personal information on more than two million customer accounts. The incident response is all-consuming. The affected organization, insurer and investigators focus their efforts on figuring out how the threat actors got into the system, determining if they are indeed out of the system, ensuring the threat actors cannot regain access, and understanding the legal and business implications of the hackers’ actions. All attention focuses on the threat actors because they “caused” the chaos.

What if we adjust the lens a bit? Often, the threat actors are not the sole cause. What happens if:

  • A third-party host (MSP) had lax security measures allowing unauthorized access to the third party’s environment impacting the affected financial institution?
  • The institution’s outside IT provider set up this now-infiltrated environment?
  • An unrelated third party — O365 breach, unauthorized acquisition, reverse SEF — played a role?

From this perspective, it’s hard to talk about cyber risk insurance without the topic of subrogation coming to the forefront of the conversation in a much more meaningful way.


How does insurance protect insureds from the complex and evolving threats of cyber risk, while also using subrogation to rightfully recoup damages? Cyber insurers are increasingly relying on claims, adjusting, forensic and legal professionals to work collectively on cyber subrogation to get to the ground truth of cause. Comprising these teams are:


  • Single point of contact of policyholders
  • Communicate policy coverages
  • Coordinate third-party claims
  • Coordinate response plan


  • Flag potential areas of subrogation early
  • Preserve critical evidence


  • Investigate method, scope and impacts of a breach
  • Accurately quantify losses
  • Root cause analysis


  • Legal analysis
  • Insurance defense
  • Subrogation recovery


A 2019 eSentire, Inc.-commissioned survey of 600 IT and security decision-makers found that while the majority of respondents “felt confident” in their third-party vendors’ abilities to keep data safe, nearly half (44%) of the firms had experienced a “significant, business altering data breach” caused by a vendor. So, how can insurers put together a successful subrogation claim that holds responsible third parties accountable, improves loss recoveries and decreases expenses? When it comes to technology-related losses, it is tempting for insurers and insureds to feel intimidated since there are so many different types of software products, vendors and players involved. However, the steps to investigate, preserve, identify theories of liability, damages and the like are, at their core, the same as pursuing a commercial property damage subrogation claim.

There are four primary keys to success:

1. Investigate for cause and damages

There will never be a successful subrogation claim without a system in place. Insurers must assemble a team of experts to investigate the breach along with stopping additional data loss. Hiring a forensic accountant to calculate the “actual loss sustained” by the insured is an important component of the overall data breach quantification.

2. Document, document, document

The most critical step is the preservation of the evidence by the IT department of the insured and the investigators hired to examine the breach. Do not destroy forensic evidence in the course of the investigation and remediation. If the digital evidence is not obtained properly, it can negatively affect the insurer’s subrogation ability.

3. Use technology and analytics effectively

With the effective use of technology and advanced analytics, insurers have the opportunity to control the costs associated with cyber claims and the subrogation process as teams can leverage predictive technology and AI to streamline calculations and reduce manual labor. This can further allow specialists to spend their time where it matters most — on the subrogation evidence and substantiation.

4. Think ahead

Consider bringing in a cost recovery subrogation specialist to review contracts to establish the scope of responsibilities, risk allocation and recovery provisions across a client’s service providers. A forensic accountant, as a member of the actual breach response team, can provide beneficial advocacy for preserving cost recovery options in the decisions the breach response team makes in real-time. As part of data breach response preparations, insurers should be collecting and reviewing their clients’ third-party computer service providers’ contracts. A small expansion in the scope of a review that you are already conducting may make a significant difference to your client, both in service agreement negotiations (by having a better context for indemnification provisions) and in the ultimate net cost to the client in the event of a breach. Many insurance industry thought leaders believe subrogation will be the single most important issue impacting the cyber risk insurance industry going forward, so assembling the right team matters.

Reprinted with permission from the NOVEMBER/DECEMBER 2020 issue of Claims Magazine. © 2020 ALM. Further duplication without permission is prohibited. All rights reserved.
