Veronica P. Adams and Andrea DeField of Hunton Andrews Kurth write:
Last month, Ace American Insurance Company filed a subrogation action against its insured’s cybersecurity and technology vendors, alleging missteps by the technology companies. See Ace American Insurance Company v. Congruity 360, Trustwave Holdings, Case No. 2:25-cv-15657 (D.N.J. Sep. 15, 2025). Ace seeks to recover the $500,000 in damages it paid to its insured, CoWorx, under the cybersecurity policy issued by Ace. Ace alleges that its insured’s cyber incident occurred as a result of Congruity 360 and Trustwave’s negligence. Ace also asserts breach of contract against both defendants.
The complaint details several alleged bases for Ace’s subrogation action against the technology companies contracted by its insured. Against Congruity 360, Ace claims that the contract between CoWorx and Congruity 360 required Congruity 360 to set up multifactor authentication and secure network servers for CoWorx. Ace further alleges that Congruity 360 failed to do so, leading to installation of ransomware. The claims against Trustwave are similar. Ace alleges that Trustwave failed to properly notify the appropriate parties of the cyber incident, preventing CoWorx from being able to take relevant proactive action and significantly increasing CoWorx’s damages from the incident.
Read more at Hunton Insurance Recovery Blog