An IT service provider fails to enable Multi-Factor Authentication (MFA) on a customer's cloud environment. A hacker penetrates and consumes more than 700,000 euros worth of cloud services. The distributor sends the bill to the service provider. The insurer denies coverage. This disaster scenario was recently the subject of a Dutch court case. Chances are that a Belgian judge would reach a similar, painful decision: the ICT service provider pays the entire bill itself.
An analysis of a Dutch judgement (ECLI:NL:RBNNE:2024:4317) shows that the distributor's invoice is considered a contractual debt and not ‘third-party damages’. This crucial distinction sidelines the coverage of most professional liability insurance policies.
The legal context: the chain of ICT service provision
To understand the case, we need to look at the structure of the cloud market. It often operates in a tiered system:
- The End Customer: SME company using cloud services.
- The ICT Service Provider (Reseller): The ICT company ([A] in this case) that manages, sets up and bills the cloud environment for the end customer.
- The Distributor (Indirect Provider): A wholesaler ([B] in this case) from which the service provider purchases cloud services.
- The Producer: Microsoft, which provides and bills the Azure services to the distributor.
In this case, the ICT service provider ([A]) faced a huge bill from its distributor ([B]) after attackers had kept some 60 virtual servers running undisturbed for weeks for cryptomining. This was only possible because MFA was not enabled on the management account.
The court's decision
The ICT service provider ([A]) attempted to recover costs from three parties, but failed in each claim:
- Against the Distributor ([B]): The service provider argued that [B] had a duty to warn and monitor. The court rejected this. The distributor was merely a “conduit” and, moreover, had already sent an e-mail about the mandatory nature of MFA in 2020, more than two years before the hack. Thus, the service provider had been warned and was responsible for its own security.
- Against the Insurer ([C]): The service provider argued that [B]'s invoice was ‘damages to a third party,’ which should be covered by its professional liability insurance. The court ruled that this was fundamentally flawed. The invoice was not a claim for damages from a third party, but a claim for performance of [A]'s own contractual payment obligation. The insurance covers liability for errors that cause damage to others (such as the end customer), not payment of one's own purchase invoices.
- Against the Insurance Broker ([D]): The broker had not promised to cover this particular, and very unusual, risk (an own contractual debt).
The court decided that the ICT service provider ([A]) was contractually obligated to pay the full invoice of €717,906.13 (excluding VAT) to its distributor ([B]).
Legal analysis and interpretation under Belgian law
Although this is a Dutch ruling, a Belgian court would most likely follow identical reasoning based on Belgian contract law (Book 5) and extra-contractual liability law (Book 6) in the Civil Code (CC).
1. The claim against the distributor (Party B).
Route 1: Distributor's fault (Contractual liability)
The ICT service provider ([A]) would argue in Belgium that the distributor ([B]) committed a contractual fault by violating its duty to advise and warn (a breach of performance in good faith, Art. 5.73 CC).
Like the Dutch court, the Belgian court would test this against the standard of a “prudent and reasonable person.” We find this standard in Belgian law in several places:
- Extra-contractual fault: Art. 6.6 CC defines the general standard of care.
- Contract Law: Both Article 5.72 CC (for a best efforts obligation) and Article 5.73 CC (for performance in good faith) use this criterion.
The fact that the distributor sent a clear email about the MFA requirement would almost certainly suffice to find that the distributor acted as a prudent and reasonable person and thus fulfilled its duty.
Route 2: The prohibition on abuse of rights (Art. 5.73(2) CC)
This is the most likely Belgian angle. The ICT service provider would argue that while the distributor ([B]) is entitled to payment, it is abusing this right by demanding the immediate and full payment of more than €700,000, knowing that this could drive the ICT service provider into bankruptcy, when there are less damaging ways to collect the debt.
However, the chances of success of this argument are very low. A judge will consider whether the distributor is acting in a manner that is manifestly unreasonable. The judge would find that:
- The debt is real and the result of an error by the ICT service provider itself.
- The distributor itself must pass these amounts on to Microsoft.
- Demanding payment for a service that was provided (even if consumed fraudulently) and for which one is contractually responsible is in itself no abuse of rights.
The Dutch court ruled similarly: threatening normal legal action to collect a legitimate claim is in principle not abuse.
(Note: In the Dutch case, the payment arrangement itself was also attacked for “abuse of circumstances.” The Belgian equivalent, Article 5.37 CC, would also fail here because there was no “manifest imbalance” in the payment arrangement itself; it only served to pay off a pre-existing debt).
2. The claim against the insurer (Party C).
This is the legal and strategic heart of the whole matter. Professional liability insurance generally covers the financial consequences of your liability (contractual or non-contractual) for damages caused to your client or other third parties.
In the Dutch case, the ICT service provider ([A]) made a crucial strategic error. It paid (part of) the invoice to its distributor ([B]) and then tried to recover that self-inflicted loss from its insurer ([C]). The insurer rightly refused. Such a policy is not credit insurance; it does not cover the insured's own purchase invoices, even those incurred through its own fault.
So what would have been the correct path to activate the policy in the first place? The answer is counterintuitive, but legally necessary:
- Chargeback: The ICT service provider ([A]) should have billed the distributor's ([B]) full costs to the end customer.
- Provoking the claim: The end client would obviously (and rightly) have protested that invoice. The client would have concluded that these costs arose because of [A]'s professional error (failure to enable MFA) and would have held [A] formally liable for these damages.
- Submission of the correct claim: That formal protest - the client's liability claim - is the “covered claim.” The IT service provider should have reported that claim by its client to its third-party insurer ([C]).
The insurer would then (normally) have to handle the claim, assume the defense and indemnify the customer (which ultimately amounts to paying the distributor's bill through the policy).
Thus, the insurer's ([C]) refusal was legally watertight because the claim was made incorrectly. The insurer was asked to pay for a claim based on the insured's own fault, whereas it only covers liability claims by injured third parties (such as the client).
What this specifically means
- For ICT service providers: This is a crucial warning. You are the administrator and therefore the gatekeeper. Failure to enable basic security such as MFA is a professional error. The financial consequences with your suppliers are your own business risk and will not be covered if the claim is made incorrectly. A BA (professional liability) policy does not cover your own purchase invoices. As the judgment itself indicates, the ICT service provider would have been better off provoking the liability claim from the end customer (by forwarding the invoice) and submitting that claim to the insurer. Additionally, check your ‘first-party’ cyber insurance to see whether such own operational costs (e.g., fraudulent consumption) are actually covered.
- For distributors: Document your communications. The 2020 email about MFA was the crucial piece of evidence that absolved the distributor from any liability in this case. Provide a conclusive file in which you inform partners of essential security measures.
Frequently asked questions (FAQ)
What should the ICT service provider have done strategically for insurance coverage?
The ICT service provider tried to claim its own purchase invoice, which failed. The correct strategy would have been to forward the invoice to the end customer. The end customer would have (rightly) refused to pay and held the ICT service provider liable for the error. That customer's liability claim, if any, would have been a covered claim under the BA policy.
Does a distributor then never have a duty to monitor for fraud?
Not automatically. In this case, the court ruled that the distributor was merely an ‘Indirect Provider,’ a conduit for billing. A monitoring obligation exists only if explicitly agreed upon contractually or if the distributor has the technical ability and role to do so.
Is the distributor's bill now ‘own damages’ (first-party) or ‘third-party damages’ (third-party)?
The court defined this clearly: it is the ICT service provider's own contractual debt to its supplier. It is not a ‘loss’ in the insurance sense, but simply the performance of a payment obligation for (fraudulently) consumed services.
Conclusion
The responsibility for basic cyber hygiene, such as implementing MFA, lies squarely with the ICT service provider managing the environment. The financial consequences of failure in this cannot simply be passed on to the distributor or professional liability insurer. As this case painfully demonstrates, BA insurance covers liability to your customer, not your own purchase invoices. Setting the insurance claim correctly and strategically is essential in this regard.