What is a Waiver of Subrogation?

If you’re planning to buy cyber insurance, you need to know about subrogation. As more businesses experience cyber claims, insurance companies have started to pursue compensation from third parties responsible for the data breach. In this article we explain what a waiver of subrogation is.

What Is a Waiver of Subrogation?

The subrogation clause in an insurance policy gives the insurer the right to take legal action against a third party that’s responsible for the insured’s loss in case of a breach.

In simple terms, it means that the insurance company will adopt the role of the insured and sue the third party that’s responsible for the damage.

Let’s say you’re running an eCommerce company, and you face a data breach. The IT company that created the code for you didn’t put the necessary security measures in place. 

You make a claim against the insurance company, and you recover the losses. It’s done for you. But the insurance company still has a lot to do. They will try to recover the funds from the IT company that delivered the non-secure code. 

The insurance company will step into your shoes and chase the party that’s responsible for (or has contributed to) the loss. 

What Does Waiving Subrogation Mean?

A waiver of subrogation simply means that the insurer’s right to subrogate is waived.

So using the example above, the insurance company can’t sue the IT contractor or company for the subpar code they delivered to the eCommerce business. Thus, the insurance company will not be able to recover the costs of the claim from the party that caused the breach.

How to Obtain a Waiver of Subrogation

You can request a waiver of subrogation in some cyber insurance policies. When you give up your right to recover the cost of a cyber breach, your cyber insurer gets fewer rights to recover for the claims it pays. This increases the insurer’s exposure, and as a result, your premiums might be higher.

The insurer and insured can remove the insurer’s right of recovery. This is rare and happens only when the insured wishes to maintain the financial health of the party against whom the insurer would assert its rights. 

Since the waiver of subrogation means that the insurer cannot recover its costs, some insurance policies come with a provision that the insured cannot sign an agreement with third parties that impairs the insurer’s subrogation rights. Some insurers do not grant waivers of subrogation.

The problem is that several data management vendors in IT projects have provisions that contain limitations of liability. This can create a dispute if a breach occurs and the insured makes a claim. 

A fix to such a problem is to have a partial waiver of subrogation. In such cases, the insurance company will not declare that its rights are impaired by an agreement that you signed before the breach.

Example of a Waiver of Subrogation

"THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.

WAIVER OF SUBROGATION

(CUSTOMER NAME)

It is agreed that the following is added to Section X. SUBROGATION in the General Provisions: The Insurer will waive any right of recovery it may have against a customer of the Insured Entity when the Insured requests in writing to the Insurer to waive such rights because of payments the Insurer makes for Loss arising out of Network Security Breach or Privacy Violation. All other terms and conditions of this Policy remain unchanged."

Should You Waive the Subrogation Rights?

Not all insurers will grant you a waiver of subrogation. If they do and you waive the right to subrogation, you might have to pay higher premiums. Since it’s difficult to assess the scope of damage that your company might face due to a data breach, it’s generally not advisable to waive the rights. But if you do consider waiving them, there are a few considerations to keep in mind.

Best Practices for Waiver of Subrogation

Follow these best practices to get the maximum from your cyber insurance policy when you have a waiver of subrogation: 

  • Inform your insurer when you get a contract with a waiver of subrogation. If you enter into a contract with a third party that wants a waiver of subrogation, it’s best to let your insurer know about this. Your cyber insurer might endorse this contract, but you may have to pay a higher premium. If you do not inform the insurer, it could result in the denial of coverage in case of a claim.
  • Read the document carefully. Make sure you go through the document carefully and understand what’s included in the waiver of subrogation. IT projects are generally complex and involve a lot of people. Your contractors may be outsourcing some services, and there might be more people involved in the project than you know. It’s important to understand the contract before you sign it.
  • Be aware of potential issues with subcontractors. When you enter into an agreement with a contractor, they may have hired other sub-contractors who have signed waivers of subrogation with the main contractor. While you did not sign a direct contract with them, you might face legal issues should a claim arise. If there is a data breach, and the responsibility falls on the subcontractors, there can be legal disputes that may lead to a denial of coverage. If you’re unsure of what to do, make sure you talk to the insurer before taking action.

Cyber insurance policies usually do not deny coverage if the insured party has signed a waiver of subrogation. However, it’s important to let the insurer know if you have signed such contracts. Since a waiver of subrogation will increase the insurer’s risk, they may add an extra fee apart from the premium. But if you fail to inform them about such contracts, you may face legal issues and might be denied a claim when the need arises.

Written by Ellen Zhang

Digital Marketing Manager
