Cyber Lawsuits, Shared Responsibility, and What You Can Learn from a Real Ransomware Case

When companies get hit with ransomware, questions of “who’s at fault” can quickly become lawsuits. But in many cases, fault is shared—and the legal system divvies up liability based on the facts each party can prove. A new lawsuit filed by a cyber insurance company shows just how important that documentation is.

The Lawsuit: Ace American v. Congruity 360 & Trustwave

In 2024, CoWorx Staffing Services was hit by ransomware. Their insurer, Ace American (Chubb), covered the damages and is now suing two vendors:

  • Congruity 360, who hosted CoWorx’s systems but didn’t activate required MFA, and
  • Trustwave, who provided endpoint monitoring but didn’t escalate a key alert in time.

How Responsibility Gets Shared: A Legal Primer

This case isn’t just about who made the biggest mistake. It’s about who did what, and when—and who can prove it.

Explainer: Comparative Negligence

In cyber liability lawsuits, courts often divide fault among the involved parties. This is known as comparative negligence.

If multiple parties are found partially responsible, each is assigned a percentage of the blame. Damages are divided based on that percentage. That means:

  • If you're 25% responsible for a $600,000 incident, you may owe $150,000.
  • If you can prove you made the right decisions—or the right warnings—you can reduce your share.

Evidence matters more than opinions.

What You Can Do to Protect Your Business

Whether you’re the client, the vendor, or the insurer, your best protection is a well-documented security trail. You need:

  • Contracts that define each party’s responsibilities
  • Security Recommendations with written acceptance or refusal
  • Incident Logs that show what happened—and when

Ask your MSP if they can provide this kind of documentation. If they can’t, ask them to look into Galactic Advisors’ Cyber Liability Guard—a system designed to gather, centralize, and preserve the exact kind of evidence that matters in court.

Final Thought

This lawsuit is a reminder: even if you’re not the one who caused a breach, your lack of documentation can still cost you. Courts divide blame based on the facts—and the side with the best records often comes out ahead.

If you’d like to see the Complaint that initiated the lawsuit, you can download it here.