In January 2018 Insurance Service Office (ISO) introduced standardized cyber insurance forms. One of the forms, CY 00 01, is for small commercial enterprises and the others are for medium to large ones. The CY 00 01 is a bundled product with six insuring agreements while the other forms contain eight insuring agreements that can be selected individually.
The first party insuring agreements apply only when a cyber incident, extortion threat or security breach occurs. The third-party insuring agreements apply only when a wrongful act occurs. All these terms are defined in the coverage forms as are many other terms. These policies are filled with definitions due to the specific, carve-out method used to provide coverage.
Cyber insurance is similar to one-peril approach found in boiler machinery/equipment breakdown coverage. If a loss is related to electronic data exploitation, then the first place to look for coverage is cyber insurance. Other policies may provide limited amounts of coverage, but ISO’s cyber insurance policies specifically address this exposure.
There are no restrictions as to which commercial, not-for-profit or governmental entities can purchase this coverage. There are, however, restrictions based on size of risk, limits desired and types of operations as to which of the five available policies can be selected.
POLICY MAKE UP
The ISO Commercial Cyber Insurance Policy consists of three basic forms:
- Commercial Cyber Insurance Policy Declarations
- CY 00 01-Commercial Cyber Insurance Policy
- Policy Cover Page or Jacket
Individual insurance companies design this form for their own purposes. It may include a table of contents or index to meet the requirements of some states.
CY 00 01-Commercial Cyber Insurance Policy provides the following Insuring Agreements:
- Security Breach Expense
- Extortion Threats
- Replacement or Restoration of Electronic Data
- Business Income and Extra Expense
- Public Relations Expense
- Security Breach Liability
The other policies offer any of the above plus:
- Programming Errors and Omissions Liability
- Website Publishing or Media Liability
The coverage provided is specific to cyber, so exclusions are used to restrict coverage to that exposure. The exclusions for pollution, war, biological/nuclear are common to other forms but that is not the case with other exclusions. It is important to carefully review all of them.
The CY 00 01 contains 25 definitions. Thirty-five definitions are contained in the other coverage forms. In addition, some definitions are within the insuring agreements. These definitions should be carefully reviewed because in many cases their wording is what provides coverage.
A number of endorsements are available to tailor the coverage for the individual risk. Some will restrict coverage while others will add. This coverage is also subject to Terrorism Risk Insurance Program Reauthorization Act of 2015, so the appropriate endorsements will need to be added.