Your cyber insurance is probably worthless. And nobody is telling you.

Three letters that can reduce your insurance coverage to zero: OLG (Higher Regional Court)

Cyber insurance is sold to small and medium-sized businesses much like household insurance – but when a claim occurs, it behaves more like a minefield. Anyone who does not complete the risk assessment questionnaire with the mindset of an IT forensic investigator may find themselves without coverage when it matters most, facing instead an expensive legal dispute.

In its decision of January 9, 2025 (Case No. 16 U 63/24), the Higher Regional Court of Schleswig (OLG Schleswig) ruled that an insurer may expect a certain degree of diligence from a larger company when answering risk-related questions. A complete lack of knowledge about common cyber insurance practices is not sufficient. Nor is a “good-faith” belief that everything is in order. Earlier, the Regional Court of Tübingen (LG Tübingen) and the Regional Court of Kiel (LG Kiel) had reached similar conclusions – in cases involving losses of up to €500,000, which the companies ultimately had to bear themselves. And the market is becoming stricter: nearly one in three applications is now being rejected, a significant increase compared to the previous year.

A cyber insurance policy without an Information Security Management System (ISMS) is like a life insurance policy where a pre-existing medical condition was concealed. When a claim arises, it is not worth the paper it is written on. When was the last time you reviewed your risk questionnaire with your CISO (Chief Information Security Officer)? Do you need support?

Expected objections and responses:

  • “We have a broker.”

The broker is not responsible for the reality of your IT environment. Under Section 19 of the German Insurance Contract Act (VVG), you personally bear the duty of disclosure.

  • “I’m sure everything is accurate on our side.”

That’s exactly what the timber wholesaler in Schleswig thought. The lawsuit involved more than €500,000.

  • “But we have certifications.”

Certifications are only snapshots in time. Insurance questionnaires focus on your ongoing operations: patch management, backups, MFA coverage, and other day-to-day security controls.
