CoWorx, an insured policyholder of Ace American Insurance Company, suffered a ransomware attack due to alleged negligence by its cybersecurity vendors, Congruity 360 and Trustwave Holdings. Ace, after paying a $500,000 claim to CoWorx, filed a subrogation lawsuit (Case No. *2:25-cv-15657*) against both vendors. The lawsuit claims Congruity 360 failed to implement multifactor authentication (MFA) and secure network servers, enabling the ransomware installation. Meanwhile, Trustwave allegedly delayed critical incident notifications, preventing CoWorx from mitigating damages proactively. The attack led to financial losses, operational disruption, and reputational harm, with Ace asserting breach of contract and negligence against the vendors. This case underscores rising risks in third-party cybersecurity vendor accountability, where insurers increasingly pursue legal action against service providers post-incident.
Source: https://natlawreview.com/article/cyber-insurer-sues-policyholders-cyber-pros
TPRM report: https://www.rankiteo.com/company/coworx-staffing-services
{
  "id": "cow0002200101425",
  "linkid": "coworx-staffing-services",
  "type": "Ransomware",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'name': 'CoWorx', 'type': 'Insured Policyholder'},
                       {'industry': 'Technology/Cybersecurity',
                        'name': 'Congruity 360',
                        'type': 'Cybersecurity Vendor'},
                       {'industry': 'Technology/Cybersecurity',
                        'name': 'Trustwave Holdings',
                        'type': 'Cybersecurity Vendor'},
                       {'industry': 'Insurance',
                        'name': 'Ace American Insurance Company',
                        'type': 'Insurer'}],
 'date_publicly_disclosed': '2025-09-15',
 'description': 'Ace American Insurance Company filed a subrogation lawsuit '
                'against two cybersecurity providers, Congruity 360 and '
                'Trustwave Holdings, following a cybersecurity incident '
                'suffered by its insured policyholder, CoWorx. Ace alleges '
                'negligence and breach of contract by the vendors, leading to '
                'a ransomware attack and $500,000 in damages paid by Ace. The '
                'lawsuit highlights the growing trend of insurers pursuing '
                'subrogation claims against cybersecurity vendors for failing '
                'to meet contractual obligations, such as implementing '
                'multifactor authentication and timely incident notification.',
 'impact': {'financial_loss': '$500,000 (paid by Ace to CoWorx)',
            'legal_liabilities': ['Subrogation lawsuit filed by Ace against '
                                  'Congruity 360 and Trustwave'],
            'operational_impact': 'Increased due to delayed notification and '
                                  'proactive action failure'},
 'investigation_status': 'Ongoing (subrogation lawsuit filed)',
 'lessons_learned': ['Insurers are increasingly pursuing subrogation claims '
                     'against cybersecurity vendors for contractual failures, '
                     'such as inadequate security controls or delayed incident '
                     'response.',
                     'Policyholders must proactively manage vendor risk '
                     'through robust contracts and security controls to '
                     'mitigate exposure to third-party litigation and ensure '
                     'cyber insurance coverage.',
                     'Vendor contracts and security postures are now critical '
                     'factors in cyber insurance underwriting, premium '
                     'pricing, and policy language.'],
 'post_incident_analysis': {'root_causes': ['Failure by Congruity 360 to '
                                            'implement multifactor '
                                            'authentication (MFA) and secure '
                                            'network servers as contractually '
                                            'required.',
                                            'Failure by Trustwave to properly '
                                            'notify CoWorx of the '
                                            'cybersecurity incident, delaying '
                                            'proactive response and increasing '
                                            'damages.']},
 'ransomware': {'data_encryption': 'Alleged (due to ransomware installation)'},
 'recommendations': ['Policyholders should ensure cybersecurity vendors '
                     'fulfill contractual obligations, such as implementing '
                     'MFA and timely incident notification.',
                     'Regular audits of vendor security controls and '
                     'contractual compliance are essential to reduce legal and '
                     'financial risks.',
                     'Cyber insurance policies should explicitly address '
                     'vendor risk management and subrogation clauses to '
                     'clarify liabilities.'],
 'references': [{'date_accessed': '2025-09-15',
                 'source': 'Ace American Insurance Company v. Congruity 360, '
                           'Trustwave Holdings'}],
 'regulatory_compliance': {'legal_actions': ['Subrogation lawsuit: *Ace '
                                             'American Insurance Company v. '
                                             'Congruity 360, Trustwave '
                                             'Holdings*, Case No. '
                                             '2:25-cv-15657 (D.N.J. Sep. 15, '
                                             '2025)']},
 'title': 'Ace American Insurance Company Subrogation Lawsuit Against '
          'Cybersecurity Vendors',
 'type': ['Cybersecurity Incident', 'Ransomware Attack', 'Subrogation Lawsuit'],
 'vulnerability_exploited': ['Lack of Multifactor Authentication (MFA)',
                             'Unsecured Network Servers',
                             'Delayed Incident Notification']}