Court Allows Insurers’ Contract Claims to Proceed in Cybersecurity Dispute

The cyber‑insurance market has exploded as ransomware attacks become routine, yet policy language often lags behind evolving threats. Insurers now demand explicit contractual clauses that obligate service providers to maintain robust security controls, because they are increasingly called upon to reimburse clients after breaches. This shift reflects a broader industry trend: risk transfer is no longer limited to indemnity payments but extends to enforcing vendors’ own security commitments.

In the Blackbaud dispute, the insurers argued that the software firm had breached its own data‑protection agreement with the nonprofit customers it served. By securing coverage for 97 clients, the insurers paid out claims and then stepped into the insureds’ shoes to sue Blackbaud for breach of contract. The Delaware Supreme Court’s decision affirms that such subrogation claims are viable when the vendor’s contractual duties are clearly defined, signaling that courts will scrutinize the allocation of cyber risk more closely than in the past.

For businesses, the ruling serves as a warning to review and tighten cyber‑risk contracts. Companies should ensure that service agreements contain measurable security standards, breach‑response obligations, and clear indemnity provisions. Insurers, meanwhile, are likely to draft more granular policies that tie coverage to compliance with these contractual safeguards. As litigation in this space gains momentum, proactive risk management and precise contractual language will become essential tools for protecting both bottom lines and reputations.