In July 2017, ISO announced in circular LI-CY-2017-005 the filing of a cyber coverage form for small- to mid-sized commercial risks, along with several new endorsements. With this filing, the ISO E-Commerce Program is renamed the ISO Cyber Program to expand the types of coverages addressed in the program. The filing also includes enhancements to the ISO Information Security Protection (ISP) Cyber coverage forms and optional multi-state endorsements. The ISO Commercial Cyber Insurance Policy CY 00 01 01 18 is a stand-alone cyber option designed primarily for small- to mid-sized commercial risks (SMEs). A number of enhancements and endorsements that address the new policy are included in the filing, as well as revised multi-state applications and Declarations.

 Topics Covered:

Insuring Agreements

The coverage form consists of six separate Insuring Agreements. Given the many types of cyber-related exposures, it is not unusual for a significant period of time (months or even years) to elapse between the time an incident occurs that might give rise to a loss and the time that an insured becomes aware of the incident. Therefore, each Insuring Agreement uses a discovery-based coverage trigger: discovery must occur during the policy period shown in the Declarations, or during the period of time provided in the Extended Period to Discover Loss Condition. "Discover" or "discovered" is a defined term in the policy.

 The policy also addresses discovery with respect to any cyber incident, extortion threat, security breach or claim that arises out of the same facts or circumstances and results in a loss that falls under one or more of the Insuring Agreements.

 Certain terms that are specific to a particular Insuring Agreement are defined within that Insuring Agreement. If the terms relate to more than one Insuring Agreement, they are defined under Section VII – Definitions.

 The policy form introduces a preamble stating that defense expenses under the Security Breach Liability Insuring Agreement are payable within, and not in addition to, the Limit of Insurance. Paid defense expenses will reduce the limit of insurance for this coverage.

 Named Insured

Throughout this policy, the words "you" and "your" refer to the Named Insured shown in the Declarations, and any other person or organization qualifying as a Named Insured under this policy. The words "we", "us", and "our" refer to the company providing this insurance.

 Analysis:

As with the CGL form, this definition has special significance when used within the body of the coverage form. For example, when an exclusion applies to "you", that means that only the named insured is affected by the exclusion. This is also true when an insuring agreement or a condition refers to "you" or "your"; only the named insured is the affected party, and not every person or organization that qualifies as an insured under the coverage form.

The words "we", "us", and "our" refer, of course, to the insurer, the insurance company. These terms and the ones discussed in the previous paragraph appear at the beginning of the coverage form, as opposed to the remaining defined terms, which appear in the Definitions section.

Section I – Insuring Agreements

Coverage under the following Insuring Agreements applies to "loss" (and "defense expenses" under Insuring Agreement 6. Security Breach Liability) resulting directly from a "cyber incident", "extortion threat", "security breach" or "claim" which is "discovered" during the policy period shown in the Declarations or during the period of time provided in the Extended Period To Discover Loss Condition 15.

 Analysis:

The first insuring agreement applies to Security Breach Liability coverage provided under the policy. Security Breach Liability covers losses and defense expenses resulting directly from a cyber incident, extortion threat, security breach or claim. Coverage is on a discovery basis, meaning that coverage is triggered when an insured first discovers there has been an incident, threat, breach or claim to which the insurance applies. The discovery must be made either during the policy period shown in the Declarations, or during the Extended Period To Discover Loss provided under the Conditions section.

Example:

The XYZ Policy was effective 1/1/17 to 1/1/18. A disgruntled employee who was fired by the company on 3/1/16 breached the security systems of XYZ on 4/5/16; however, the breach was not discovered by XYZ until 6/1/17. This security breach would be covered under the 1/1/17 to 1/1/18 policy term because it was first discovered by the insured during that policy period.

 Any "cyber incident", "extortion threat", "security breach" or "claim" that arises out of the same facts or circumstances and results in "loss" under one or more of the following Insuring Agreements will be deemed to be related and, as such, will be deemed to have been "discovered" during the earliest policy period that any such related "cyber incident", "extortion threat", "security breach" or "claim" was "discovered".

Analysis:

This is a comprehensive paragraph with a simple outcome: if the same facts or circumstances are the basis of a loss covered under any of the Insuring Agreements in the policy, then these facts or circumstances are related and will be considered to be discovered during the first policy period in which a cyber incident, extortion threat, security breach or claim was discovered. The policy term in effect on the earliest date that the facts and circumstances are discovered is the term that will determine coverage.

Example:

XYZ has renewed its annual cyber policy three times, with a current term of 1/1/2017 to 1/1/2018. Its systems were first hacked on 4/1/15, and XYZ discovered on 6/9/2017 that the hackers had not only inserted malicious code in 2015 that corrupted financial data, but had also obtained employee personal information and sold it to third parties throughout 2016. Since all of these facts and circumstances were related to the 4/1/2015 hacking, and this hack was not discovered until 6/9/2017, 6/9/2017 is the loss date and the policy determining coverage is the 1/1/2017 to 1/1/2018 policy term.
