Summary: In July 2017, ISO introduced its first cyber coverage forms. With the introduction of the cyber product, the ISO E-Commerce Program was renamed to the ISO Cyber Program. However, as with most new programs, ISO received a vast amount of input on the program, generating the need to make substantial changes and enhancements. Because the changes are so substantial, and with new formatting changes making the forms easier to read, ISO is introducing an entirely new Commercial Cyber Insurance Policy form (CCI), CY 00 02 11 21, and a new Information Security Protection (ISP) Cyber Policy form, CY 00 03 11 21. These forms will replace the current forms CY 00 01, CY 00 03, and CY 00 10, editions 11 18. Coinciding with these changes, the Financial Institutions Information Security Protection Cyber Policy CY 00 11 and the Media And Information Security Protection Cyber Policies CY 00 12 and CY 00 13 will be withdrawn to provide a more streamlined cyber product. The coverages contained within the withdrawn forms will be incorporated into the new ISP coverage form, and Financial Institutions may also be written on the new form CY 00 03.
Naturally, the program applications, Declarations and endorsements will be revised to follow the new forms. The anticipated effective date of these changes is 11/1/2021.
As of 7/13/21, the new form CY 00 03 11 21 is approved with an effective date of 11/1/21 in the following states: Alabama, Arkansas, Arizona, Colorado, Iowa, Idaho, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maryland, Maine, Minnesota, Missouri, Mississippi, North Carolina, North Dakota, Nebraska, New Jersey, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Puerto Rico, South Carolina, Tennessee, Utah, Wisconsin, West Virginia, Wyoming, as well as in the territories of Guam and Puerto Rico.
Because this revision is a total replacement of the product, this analysis will address the forms in their entirety, but we will also highlight prominent changes over the current forms.
The forms analysis of this new cyber product will be addressed in several parts. This is Part One, which goes through the first four sections of the Information Security Protection Cyber Policy form, CY 00 03 11 21. Because the definitions are so critical to the understanding of the policy, we have included an analysis of Section X – Definitions in both Parts One and Two. The additional sections of this form are addressed in a separate contract analysis identified as ISO Commercial Cyber Product Replaced: Part Two CY 00 03 11 21 Sections V-X.
Topics Covered:
Information Security Protection Cyber Policy
Claims-Made and Reported Coverage
Preamble
Introduction
Section I – Insuring Agreements
Section II – Limits of Insurance
Section III – Retention
Section IV – Defense And Settlement
Section X – Definitions
Information Security Protection Cyber Policy
The CY 00 03 Information Security Protection Cyber Policy form replaces the following forms. As such, these forms are being withdrawn from use:
- CY 00 10 – Information Security Protection Cyber Policy
- CY 00 11 – Financial Institutions Information Security Protection Cyber Policy
- CY 00 12 – Media And Information Security Protection Cyber Policy
- CY 00 13 – Media And Information Security Protection Cyber Policy
Claims-Made and Reported Coverage
Coverage under the policy is clearly stated to be claims-made and reported liability coverage:
LIABILITY INSURING AGREEMENTS IN THIS POLICY PROVIDE CLAIMS-MADE AND REPORTED COVERAGE.
Analysis:
The obligation of an insurer to pay for a claim under a claims-made policy is triggered only if a covered claim is first made against the insured during the policy period or extended reporting period. The term trigger refers to the events or circumstances that activate the policy's coverage. This policy not only requires that the claim be first made during the policy period or extended reporting period, but also that the claim be discovered and reported within that same time frame.
UNDER LIABILITY INSURING AGREEMENTS, CLAIMS MUST BE FIRST MADE AGAINST THE INSURED DURING THE POLICY PERIOD, OR ANY APPLICABLE EXTENDED REPORTING PERIOD, AND REPORTED TO US AS SOON AS PRACTICABLE, BUT IN NO EVENT LATER THAN 60 DAYS AFTER THE END OF THE POLICY PERIOD OR ANY APPLICABLE EXTENDED REPORTING PERIOD.
DEFENSE COSTS ARE PAYABLE WITHIN, AND NOT IN ADDITION TO, THE LIMIT OF INSURANCE. PAYMENT OF DEFENSE COSTS UNDER THIS POLICY WILL REDUCE THE LIMIT OF INSURANCE.
Analysis:
Adding the preamble using bold capitalization highlights the importance of meeting the claims-made and reporting requirements explicitly as stated, and ensures that the policyholder will be sure to see the requirements to avoid any confusion over this being a claims-made and reported policy.
Claim reporting requirements establish when and how claims made against the insured must be reported to the insurer. Policy CY 00 03 contains a very specific written reporting requirement of any "cyber incident", "cyber extortion event", "information security breach", or "interruption" that is discovered within the policy period as soon as practicable, but not later than sixty days after the end of the policy period; or if an extended discovery period applies, not later than sixty days after the end of such extended discovery period.
There must be an actual written reported claim; and, quite importantly, it is the first making of a claim that activates the policy's coverage process. "Claim" is also a defined term in the policy, which will be discussed later.
The second portion of the preamble states that defense expenses are payable within, and not in addition to, the Limit of Insurance. Paid defense expenses will reduce the limit of insurance for this coverage.
Introduction
Various provisions in this Policy restrict coverage. Read the entire Policy carefully to determine rights, duties and what is and is not covered.
Throughout this Policy, the words "we", "us" and "our" refer to the company providing this insurance.
Other words and phrases that appear in quotation marks have special meaning. Refer to Section X – Definitions.
Analysis:
The initial ISO Rule 25 for the ISP form CY 00 01 designed the coverage for certain specified entities requiring that they have some form of web presence, and it excluded financial institutions. With the changes, ISO Rule 25 now states that the ISP CY 00 03 is designed for, but not limited to, medium to large commercial enterprises (including not-for-profit organizations), governmental entities, and financial institutions. Eligible financial institutions include banks, savings institutions, securities brokers and dealers, insurance companies, finance companies, credit unions, and mortgage bankers.
It may be helpful to know that the rating basis differs, depending on the type of entity being insured under this policy. For-profit entities, other than financial institutions, are rated based on revenue. Not-for-profit entities, other than financial institutions, including government entities, are based on budget (which must be converted to revenue to determine the premium). All financial institutions are rated based on assets.
Unlike the current form and other ISO forms, there is no identification of or reference to "you" or "your" in CY 00 03. Nor does it include any references to the first named insured, as there is only one named insured in the policy. Coverage, however, is extended to encompass the named insured and all of its subsidiaries and employees. The coverage applies to the named insured, and the company providing the insurance is referred to as "we", "us", and "our".
The terms "insured", "named insured", "organization", "subsidiary" and "employee" are all defined terms in the policy. Refer to Section X – Definitions for the meaning of each term.
Section I – Insuring Agreements
The coverage form consists of four first-party Insuring Agreements and four liability Insuring Agreements. Each Insuring Agreement carries its own separate Limit of Insurance as shown in the Declarations. It is noted that the term "organization" is used in the coverages and definitions. An "organization" includes the named insured and its subsidiaries.
By nature of the many types of cyber-related exposures, it is typical for a significant period of time (months or even years) to lapse between the time an incident occurs that might give rise to a loss and the time that an insured becomes aware of such incident. Therefore, each Insuring Agreement utilizes a discovery-based coverage trigger for the policy period shown in the Declarations, or during the period of time provided in the Extended Discovery Period. "Discover" or "discovered" is a defined term in the policy.
Discovery Example:
The XYZ Policy was effective 1/1/20 to 1/1/21. A disgruntled employee who was fired by the company on 3/1/16 breached the security systems of XYZ on 4/5/16; however, the breach was not discovered by XYZ until 6/1/20. This security breach would be covered under the 1/1/20 to 1/1/21 policy term because it was first discovered and reported by the insured during that policy period.
A. First Party Insuring Agreements
For coverage under First Party Insuring Agreements to apply, the "cyber incident", "cyber extortion event" or "information security breach" must be "discovered" within the "policy period" or, if applicable, within the Extended Discovery Period, and reported to us as soon as practicable, but in no event later than 60 days after the end of the "policy period" or, if applicable, the Extended Discovery Period, in accordance with the terms of this Policy.
1. Cyber Incident Or Information Security Breach Expense
We will pay for "cyber incident or information security breach expenses" resulting directly from a "cyber incident" or an "information security breach".
2. Cyber Extortion Events
We will pay for "cyber extortion expenses" resulting directly from a "cyber extortion event".
3. Replacement Or Restoration Of Electronic Data
We will pay for "data restoration expenses" resulting directly from a "cyber incident".
4. Business Income And Extra Expense
We will pay for "business income loss" and "extra expenses" incurred during the "period of restoration" due to an "interruption" resulting directly from a "cyber incident".
Analysis:
The claims-made and reporting requirements apply in the same manner to all coverages provided in the policy, with no differentiation in the requirements. Each of the four first-party insuring agreements relates to costs that the named insured incurs from the time of the first incident or breach to pay extortionists or to replace data needed to continue operations, as well as providing business income and extra expense coverages due to an interruption that results directly from a cyber incident covered under the policy. The first four insuring agreements in this form are identical to form CY 00 02 11 21, Commercial Cyber Insurance Policy, analyzed separately.
Cyber Incident or Information Security Breach Expense
In the first Insuring Agreement, the policy pays for "cyber incident or information security breach expenses" as a direct result of a cyber incident or information security breach. An enhancement from the current form is that this coverage now extends to expenses from a cyber incident as well as information security breaches. Each of the terms is defined in Section X – Definitions, but in simple terms a loss can include any of the following: costs to investigate and establish whether a cyber incident or information security breach has occurred or is occurring; costs to investigate the cause, scope and extent of a cyber incident or information security breach and to identify any affected parties; costs to determine remedial action, including but not limited to fees paid for legal and other professional advice on how to respond to the cyber incident, and public relations fees to protect the insured's reputation; and notifications, overtime salaries, call center fees and costs, post-event credit and identity monitoring, and other reasonable expenses authorized by the company.
There is an enhanced definition of "cyber incident" in the policy, defined to include any unauthorized access to or use of the organization's computer system (including the organization's electronic data), malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into the organization's computer system (including the organization's electronic data) and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of the organization's computer system (including the organization's electronic data) or otherwise disrupt its normal functioning or operation. "Cyber incident" is also defined to include a denial of service attack specifically directed at an organization which disrupts, prevents or restricts access to or use of the organization's computer system, or otherwise disrupts its normal functioning or operation.
Cyber Extortion Events
The second Insuring Agreement provides coverage for "cyber extortion expenses" as a direct result of a "cyber extortion event". An enhancement over the current form is that the coverage will now pay loss expenses from a cyber extortion event, rather than just an extortion threat. These defined expenses include ransom demand payments in connection with an actual or threatened cyber incident or security breach; or the theft, disclosure, destruction, publication, or use of the organization's confidential corporate information. Covered expenses of a ransom demand include interest paid by the organization for a loan taken out to pay the ransom demand, and reward payments paid by the organization to anyone other than an employee for providing information not otherwise attainable that leads to the arrest and conviction of responsible parties. Refer to the limits of insurance section for more information on reward payments coverage under the cyber extortion insuring agreement. Ransom payments can also include payments made in the form of virtual currency, such as bitcoin.
Replacement Or Restoration Of Electronic Data
The third Insuring Agreement for Replacement Or Restoration Of Electronic Data includes coverage for loss of electronic data or computer programs if such loss is a direct result of a cyber incident discovered during the policy period. There really is no change in this coverage from what is on the current form, which provides coverage for the organization's costs to replace or restore its electronic data or computer programs stored on its computer system, and costs of data entry, reprogramming and computer consultation services that are a direct result of a cyber incident, as defined. The electronic data or computer programs must have been stored on a computer system, defined as any type of computer. "Computer" includes any personal data assistants (PDAs) and other transportable or handheld devices, electronic storage devices and related peripheral components; any systems and applications software, or any related telecommunications networks connected to or used in connection with such computer or devices. The computer or devices must be owned by an insured, leased by an insured and operated by an insured employee, or owned and operated by an employee who has agreed in writing to the insured's personal device use policy; or is operated by an authorized third party (with respect to the insured's electronic data), if such third party is under written contract to perform services for the insured. Aside from laptops and desktops this includes tablets, e-readers and similar devices.
Business Income And Extra Expense
The fourth Insuring Agreement addresses Business Income and Extra Expense coverage for loss due to an interruption that results directly from a cyber incident that is discovered during the policy period. (No longer is extortion threat included within the insuring agreement, due to a broader definition of "cyber incident".) Business Income and Extra Expense are the standard coverages as can be added to a property policy. An "interruption" is defined as an unexpected stoppage or slowdown of business activity. This is an enhancement over the current form which only covered loss resulting from the interruption of e-commerce activities. Not included as extra expense are costs associated with upgrading, maintaining, remediating or improving the system that was involved in the attack. For example, if a company's computers are hacked and the company is forced to shut down for a few days since the production machines are temporarily inoperable, the loss of income and extra expense would be covered.
Another enhancement to the coverage is a definition of "period of restoration", which expands the period from ninety days to 180 days, and also offers an option to accommodate a different maximum period that can be shown in the Declarations.
B. Liability Insuring Agreements
For coverage under Liability Insuring Agreements to apply, "claims" must be first made against an "insured" during the "policy period" or during any applicable Extended Reporting Period, and reported to us as soon as practicable, but in no event later than 60 days after the end of the "policy period" or any applicable extended reporting period, in accordance with the terms of this Policy.
1. Cyber Incident Or Information Security Breach Liability
We will pay for "liability loss" that an "insured" becomes legally obligated to pay and "defense costs" as a result of a "claim" for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, and before the end of the "policy period".
2. Regulatory Proceeding Liability
We will pay for "regulatory loss" that the "organization" becomes legally obligated to pay and "defense costs" as a result of a "claim" for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, and before the end of the "policy period".
3. Payment Card Industry Liability
We will pay for "payment card industry loss" that the "organization" becomes legally obligated to pay and "defense costs" as a result of a "claim" for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, and before the end of the "policy period".
4. Media Liability
We will pay for "liability loss" that the "insured" becomes legally obligated to pay and "defense costs" as a result of a "claim" for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, and before the end of the "policy period".
Analysis:
The basis of each of the liability coverages is a "claim" for a "wrongful act" or a series of "interrelated wrongful acts". The first two insuring agreements in this form are identical to the same titled insuring agreements in CY 00 02 11 21. Coverage is on a discovery basis, meaning that coverage is triggered when an insured first discovers there has been an incident, threat, breach or claim to which the insurance applies. The discovery must be made either during the policy period or during the Extended Reporting Period; or no later than sixty days after the end of the applicable period.
Because a cyber incident may not be discovered by the insured right away, the discovery trigger is very important, in that coverage will be activated at the time the insured discovers the breach and reports it to the insurer even though the incident occurred some time before its discovery. Take for example the Target data breach: the cyber attack started on November 27, 2013. Target personnel discovered the breach and notified the U.S. Justice Department by December 13, 2013. So for purposes of example, December 13th would be the discovery date triggering coverage.
The definition of wrongful act under the form is defined so that it is specific to each of the insuring agreements, which is a change from the current form.
Cyber Incident or Information Security Breach Liability
The first insuring agreement applies to Cyber Incident or Information Security Breach Liability coverage. This insuring agreement is enhanced over the current Security Breach agreement and provides broader coverage than the existing Programming Errors and Omissions Liability coverage. The insurer will pay for liability loss and defense costs resulting from a claim for actual or alleged programming error or omission if it results in the disclosure of a client's personal information held in a computer system meeting the policy definition. It also covers loss resulting from any actual or alleged neglect, breach of duty, act, error or omission by an insured based on or as a result of an information security breach. Information security breach includes any unauthorized access, acquisition, retention or use of personal information, which includes the client's personal information. The definition of "wrongful act" as it pertains to this coverage now includes cyber incidents, another enhancement over the current form.
With respect to the first two liability insuring agreements the definition of wrongful act is:
"Wrongful Act" means any actual or alleged neglect, breach of duty, act, error or omission by an insured that results in or is based upon:
- A "cyber incident";
- An "information security breach";
- A "privacy regulation" violation; or
- The "organization's computer system" or a "third party computer system" transmitting, by e-mail or other means, malicious code, virus or any other harmful code to another person's or entity's "computer system".
Liability loss is described in the Definitions, but basically it includes compensatory judgments, monetary settlements, punitive and exemplary damages where insurable by law; and fines or penalties assessed against the insured if such fines and penalties are permitted by the law most favorable for such damages. As with the definition of wrongful act, the definition of loss is defined specifically to the coverage for which it applies under the respective insuring agreements. Liability loss is defined with clarification as to what is not included, which encompasses such things as amounts or damages not considered insurable by law, excessive liquidated damages in the contract that the insured would not otherwise be liable for if there were no contract; restitution, royalties or any other illegal unjust enrichment, profits or advantage to the insured; costs for compliance with equitable or injunctive relief; or any fees or costs in connection with the replacement of payment cards whose card numbers were or may have been compromised.
Defense costs as defined encompass any expenses incurred in the investigation, defense and appeal of a claim, and bond attachments; but of course they do not include salaries, wages, fees or benefits of "employees".
Example:
An online retailer's computer system is hacked and customer data including credit card numbers and other personal identifiable information is accessed. The retailer is sued and as a result must pay out a large settlement to consumers; the defense costs in the suit and the required settlement would be paid. Refer to Section IV – Defense and Settlement.
Regulatory Proceeding Liability
The second insuring agreement for Regulatory Proceeding Liability applies to the organization's (defined to mean the named insured and any subsidiary) regulatory loss and defense costs when the organization is held legally liable in a claim for wrongful acts under the policy. Regulatory loss is a new term not existing in the current form. A regulatory loss is a defined term, but in essence it arises when an organization is legally required to create a depository of funds for equitable relief for paying consumer claims required in a settlement or an adverse judgment from a claim, or when an organization is fined or assessed by a governmental or regulatory agency. The fines or penalties will only apply where such are insurable under the applicable law that most favors that coverage. A regulatory loss as defined in the form can be exemplified in the case of the Equifax data breach of 2017, where the settlement included a requirement that Equifax deposit up to $425 million in a fund to provide affected customers with credit monitoring services, and to compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach. An example of the fines and penalties is that Equifax agreed to pay $175 million to forty-eight states, the District of Columbia, and Puerto Rico, as well as $100 million to the CFPB in civil penalties.
Payment Card Industry Liability
The third insuring agreement for Payment Card Industry Liability applies in the same manner as the coverage for Regulatory Proceeding Liability, except that this coverage is for payment card industry loss for which the organization is legally liable for a wrongful act claim. Here also, defense costs are included in the coverage.
Payment card industry loss and payment card service agreement are both defined terms applicable to this coverage. In brief, a payment card service agreement is a written contract between an insured organization and the bank, payment card processor, or payment card brand that sets forth the terms and conditions regarding payment cards and the rules requiring a merchant to comply with Payment Card Industry Data Security Standards. Payment card industry loss is broken into four categories:
- Assessments, costs to reissue cards, fraud recoveries, and fines or penalties under contract the organization is obligated to pay under the payment card service agreement;
- Compensatory awards or judgments, including pre- and post-judgment interest;
- Money settlements;
- Punitive, exemplary and multiple damages where insurable under the law most favorable for those damages.
The definition also sets forth clarification of what is not a payment card industry loss, which includes such things as amounts that are not insurable under applicable law; restitution, royalties, unjust enrichment or advantages the insured was not legally entitled to; and fees for interchange rates, discounts or processing. If a company providing credit cards is hacked and must reissue credit cards, pay contractual fines with a bank and pay other awards and judgments, those costs are covered under this section.
Media Liability
The fourth liability insuring agreement is for Media Liability. This covers liability loss as defined that the insured is legally liable to pay, including defense costs, for a wrongful act claim.
Removed Insuring Agreements:
The current Cyber form being withdrawn contains six insuring agreements; this replacement form contains four. The Web Site Publishing Liability Insuring Agreement is no longer needed, as that coverage is now part of the Media Liability Insuring Agreement, and the coverage is broader than what was provided in CY 00 10 and CY 00 11. Likewise, the Programming Errors and Omissions Liability is now part of the Cyber Incident or Information Security Breach Liability Coverage, which states that the insurer will pay for loss and defense costs as a result of a claim for any actual or alleged programming error or omissions that results in the disclosure of the named insured's client's personal information held within a "computer system".
Optional Insuring Agreements:
Three additional Insuring Agreements are being made available by endorsement:
- CY 20 13 Computer And Funds Transfer Fraud Endorsement
- CY 20 14 Computer Fraud Endorsement
- CY 20 15 Telephone Toll Fraud Endorsement
These endorsements will be discussed in a separate contract analysis.
Section II – Limits of Insurance
A. Policy Aggregate Limit Of Insurance
The most we will pay for all "loss", and "defense expenses" if covered, under this Policy is the Policy Aggregate Limit Of Insurance shown in the Declarations. The Policy Aggregate Limit of Insurance shall be reduced by the amount of any payment made under the terms of this Policy. Upon exhaustion of the Policy Aggregate Limit of Insurance by such payments, we will have no further obligations or liability of any kind under this Policy.
Analysis:
This limit of insurance provision is the same as it is in the current form edition 11 18. The total amount the policy will pay for all covered loss and defense expenses is the Policy Aggregate Limit of Insurance shown in the Declarations. Payment of loss and defense expenses reduces the Policy Aggregate Limit of Insurance, and once this limit is exhausted, the insurer has no further obligations under the policy. The ISO basic limit is $500,000/$1,000,000, which may be increased.
B. Insuring Agreement Limit Of Insurance
Subject to the Policy Aggregate Limit of Insurance, the most we will pay for all "loss", if covered, under each Insuring Agreement is the applicable Insuring Agreement Limit Of Insurance shown in the Declarations. Each Insuring Agreement Limit of Insurance shall be reduced by the amount of any payment for "loss", if covered, under that Insuring Agreement. Upon exhaustion of the Insuring Agreement Limit of Insurance by such payments, we will have no further obligations or liability of any kind under that Insuring Agreement.
Analysis:
Each insuring agreement has its own separate limit of insurance as shown in the Declarations, and losses under that insuring agreement are settled against its corresponding limit. Once the applicable insuring agreement limit has been exhausted, coverage will cease for that insuring agreement. The limits under each insuring agreement are subject to the policy aggregate limit of insurance. For example, suppose the policy aggregate is $3,000,000 and each of the four insuring agreements has a limit of $1,000,000. If claims under any one insuring agreement exceed $1,000,000 during the policy term, or extended reporting period, then the insurer is no longer obligated to pay any claims or provide any defense under that insuring agreement. However, this does not affect the insurer's obligation under any of the remaining insuring agreements. Once the total of all claims under all of the insuring agreements reaches $3,000,000, the insurer is no longer obligated to pay any claims or provide any defense under the policy.
C. Sublimit Of Insurance
Subject to the Cyber Extortion Events Insuring Agreement Limit of Insurance, the most we will pay for all Reward Payments is the Reward Payment Sublimit Of Insurance, if any, shown in the Declarations, if coverage is being provided under Insuring Agreement A.2. Cyber Extortion Events. This Sublimit of Insurance is part of, and not in addition to, the Cyber Extortion Events Insuring Agreement Limit of Insurance. Upon exhaustion of the Reward Payment Sublimit of Insurance by payment of "loss", we will have no further obligations or liability of any kind with respect to "loss" that is subject to the Reward Payment Sublimit of Insurance.
Analysis:
Paragraph C describes how the limit of insurance will apply for Reward Payments under the insuring agreement for Cyber Extortion Events. The Reward Payment Sublimit is included within the limit that applies to Cyber Extortion Events, and is not an additional limit. The ISO rules state that the Reward Payment Sublimit is equal to 2.5 percent of the Cyber Extortion Events limit. Companies may select higher sublimit percentages of 5 percent, 10 percent, 25 percent, 50 percent, 75 percent, or 100 percent, for additional premium. So, for example, a company may have a $1 million limit for Cyber Extortion Events with a 5 percent sublimit available for Reward Payments, which equates to $50,000. A description of how the reward payments will be paid is found in the definition of "cyber extortion expenses", but in essence it is when someone other than an employee provides information that is not otherwise obtainable that leads to the arrest and conviction of parties responsible for the cyber extortion event. For example, one cyber extortion event could have more than one person providing such information; therefore the organization may pay each person that meets this criterion until such time as the 5 percent, or $50,000, is exhausted or the cyber extortion limit is exhausted, whichever comes first.
If the company pays out the full 5 percent in reward payments this will leave $950,000 of the limit available to cover cyber extortion events. All of these payments will be subject to the Policy Aggregate Limit.
Section III – Retention
A. Under each insuring agreement, except under Insuring Agreement A.4. Business Income And Extra Expense, we will only pay for "loss" once the amount of "loss" exceeds the applicable Insuring Agreement Retention Amount shown in the Declarations.
B. Under Insuring Agreement A.4. Business Income And Extra Expense, we will only pay the amount of "loss" which exceeds the greater of:
- The Business Income And Extra Expense Insuring Agreement Retention Amount shown in the Declarations; or
- The amount of "loss" incurred during the Waiting Period shown in the Declarations.
In the event "loss" resulting from the same "cyber incident", "cyber extortion event", "information security breach", "wrongful act" or any combination of "interrelated wrongful acts" is covered under more than one insuring agreement, only the highest Insuring Agreement Retention Amount shall apply to all such "loss".
Analysis:
The existing cyber forms utilize a deductible approach to loss. In the replacement forms this has been changed to an insured retention. The retention applies in the same manner in which the deductible applied, per insuring agreement; however, the retention must be paid first out of the insured's own pocket before any coverage will commence under the policy. The base company rates or ISO loss costs reflect a $5,000 retention, which may be increased or decreased.
The retention will apply the same for all insuring agreements except for the Business Income and Extra Expense Insuring Agreement, given that this is a waiting period retention in lieu of a dollar amount retention. The Business Income and Extra Expense waiting period retention may be modified by using endorsement CY 20 36, Business Income And Extra Expense – Waiting Period (ISP).
If there is a loss that results from the same incident, event, breach, or wrongful act covered under the policy, or if the loss is covered under more than one of the insuring agreements, then only the highest Insuring Agreement Retention Amount will apply.
Example:
The policy for XYZ organization has a $5,000 retention for all coverages under the Cyber Insurance Policy except for 3. Payment Card Industry Liability, which has a $1,000 retention. If a loss includes both 1. Cyber Incident Or Information Security Breach Liability and 3. Payment Card Industry Liability, the applicable retention for the loss will be the highest retention amount of $5,000.
Defense
- We shall have the right and duty to defend any covered "claim", including the right to select defense counsel, even if the allegations of such "claim" are groundless, false or fraudulent. However, we shall have the right but not the duty to defend the "insured" against a "claim" covered under Insuring Agreement B.2. Regulatory Proceeding Liability. We shall have no duty to defend the "insured" against any "claim" which is not covered under any Liability Insuring Agreement.
Settlement
1. We shall have the right to negotiate and settle any "claim", but will not enter into any settlement without the "organization's" consent. If the "organization" withholds consent to a settlement recommended by us and acceptable to the claimant, our duty to defend ends, and the most we will pay for that "claim" is the sum of:
- The amount for which we could have settled the "claim";
- "Defense costs" incurred, up to the date of the "organization's" refusal to settle the "claim";
- 50% of all "loss", other than "defense costs", in excess of the settlement amount recommended by us; and
- 50% of all "defense costs" incurred after the date of the "organization's" refusal to settle the "claim".
2. We shall not be liable for any "loss", settlement or assumed obligations or admissions to which we have not consented.
Analysis:
In the replacement forms, the defense provision applies to the entire liability section, except Regulatory Proceeding Liability, whereas the current forms being withdrawn apply defense only to the Security Breach Liability Insuring Agreement. This Section IV describes the insurer's right and duty to select counsel and defend the insured against any claim covered under the other three liability insuring agreements. The treatment of regulatory proceedings is not a change, however: in the current forms, too, the insurer has the right, but not the duty, to defend the insured in a regulatory proceeding.
The settlement provision, however, differs from the current forms. The current forms do not provide for the payment of any defense costs after the insured refuses the amount recommended by the insurer, nor do they provide for any loss that exceeds the amount for which the claim could have been settled. In the new forms, if the insured does not agree to the settlement recommended by the insurer, the most the insurer will pay is the sum of: the amount for which the claim could have been settled; defense costs incurred up to the date of the refusal; 50 percent of defense costs incurred after the refusal; and 50 percent of loss (other than defense costs) in excess of the settlement amount the insurer recommended.
Example:
The insurer for the XYZ policy will provide defense for a covered claim for Security Breach Liability in a court proceeding. The insurer offers to settle the claim for $5 million, including the defense costs. The insured refuses the settlement offer. The insured continues the defense of the claim for 60 days after the settlement offer and ends up settling for $6.5 million. The insurer will cover 50% of the defense costs for the 60 days following the insured's refusal, the recommended settlement amount of $5 million, and 50% of the additional $1.5 million over the recommended settlement, or $750,000. The insured will be responsible for the remaining defense costs and half of the settlement amount over the $5 million recommended settlement.
With respect to an arbitration or other regulatory proceeding for a claim that is not covered by the policy, the insurer has the option to provide a defense for the insured; however, it is not required to provide a defense for such a claim.
A. "Application" means all signed "applications" for this Policy, including any attachments, addenda and other materials submitted in conjunction with the signed "applications".
B. "Business income loss" means the "organization's":
- Actual loss of net income (net profit or loss before income taxes) that would have been earned or incurred; and
- Continuing normal operating expenses incurred, including payroll.
C. "Card company" means any credit card company that requires its merchants to adhere to the Payment Card Industry Data Security Standards.
D. "Claim" means:
1. Under Insuring Agreement B.1. Cyber Incident Or Information Security Breach Liability:
a. A written demand against an "insured" for monetary or nonmonetary damages, including injunctive relief;
b. A civil proceeding against an "insured" commenced by the service of a complaint;
c. A written request for mediation or demand for arbitration against an "insured"; or
d. A written request to toll or waive a statute of limitations relating to a potential "claim" described in Paragraphs 1.a. through c.
2. Under Insuring Agreement B.2. Regulatory Proceeding Liability, an investigation, demand or proceeding brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other administrative or regulatory agency, or any federal, state, local or foreign governmental entity in such entity's regulatory or official capacity commenced by the filing of a notice of charges, formal investigative order, service of summons or similar document against any "insured".
E. "Computer program" means a set of related electronic instructions, which direct the operation and function of a computer or devices connected to it, which enables the computer or devices to receive, process, store or send the "organization's" "electronic data".
F. "Content" means any type of communicative or informational material, regardless of its nature or form, including material disseminated electronically, such as via a web site or electronic mail.
G. "Computer system" means any computer, including any transportable or handheld devices, electronic storage devices and related peripheral components; any systems and applications software, or any related telecommunications networks connected to or used in connection with such computer or devices.
H. "Cyber extortion event" means a demand for ransom payments made to the "organization" in connection with the actual or threatened:
- Perpetration of a "cyber incident" or "information security breach"; or
- Theft, disclosure, destruction, publication or use of the "organization's" confidential corporate or proprietary information that is stored on the "organization's computer system" or on a "third party computer system".
I. "Cyber extortion expenses" means:
1. Interest costs paid by the "organization" for any loan from a financial institution taken by the "organization" to pay a ransom demand;
2. Reward payments paid by the "organization" to a person, other than an "employee", providing information not otherwise obtainable, solely in return for a reward offered by the "organization", and which lead to the arrest and conviction of parties responsible for the "cyber extortion event";
3. Any other reasonable expenses incurred by the "organization" with our written consent, including:
a. Fees and costs of independent negotiators; and
b. Fees and costs of a company hired by the "organization", upon the recommendation of the security firm, to protect the "organization's" "electronic data" from further threats; and
4. Ransom payments made by the "organization", including payments made in the form of virtual currency such as, but not limited to, bitcoin, as a result of a "cyber extortion event".
J. "Cyber incident" means any:
- Unauthorized access to or use of the "organization's computer system" (including the "organization's" "electronic data").
- Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into the "organization's computer system" (including the "organization's" "electronic data") and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of the "organization's computer system" (including the "organization's" "electronic data") or otherwise disrupt its normal functioning or operation. Recurrence of the same malicious code, virus, or any other harmful code after the "organization's computer system" has been restored shall constitute a separate "cyber incident".
- Denial of service attack specifically directed at an "organization" which disrupts, prevents or restricts access to or use of the "organization's computer system", or otherwise disrupts its normal functioning or operation.
K. "Cyber incident or information security breach expenses":
1. Means any of the following:
a. The costs to establish whether a "cyber incident" or "information security breach" has occurred or is occurring.
If a "cyber incident" or "information security breach" has occurred, the following costs are also included:
(1) Costs to investigate the cause, scope and extent of a "cyber incident" or "information security breach" and to identify any affected parties; and
(2) Costs to determine any action necessary to remediate the conditions that led to or resulted from a "cyber incident" or "information security breach" including, but not limited to, fees paid for legal and other professional advice on how to respond to the "cyber incident" or "information security breach";
b. Fees and costs of a public relations firm, and any other reasonable expenses incurred by the "organization" with our written consent, to protect or restore the "organization's" reputation solely in response to information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the "organization", or of one or more of its products or services;
c. Costs incurred to notify all parties affected by an "information security breach" as required by any "privacy regulation";
d. Overtime salaries paid to "employees" assigned to handle inquiries from the parties affected by an "information security breach";
e. Fees and costs of a company hired by the "organization" for the purpose of operating a call center to handle inquiries from the parties affected by an "information security breach";
f. Costs to provide credit and identity monitoring services to natural persons affected by an "information security breach" for up to one year, or longer if required by applicable law, from the date of notification to those affected natural persons of such "information security breach"; and
g. Any other reasonable expenses incurred by the "organization" with our written consent.
2. Does not include:
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving "electronic data", any "computer program" or any "computer system"; or
- Chargebacks, interchange fees or rates, discount fees, processing fees, or any costs to replace any payment cards whose card numbers were or may have been compromised.
L. "Data restoration expenses":
1. Means the cost to replace or restore the "organization's" "electronic data" or "computer programs" stored within the "organization's computer system" as well as the cost of data entry, reprogramming and computer consultation services. To the extent that any of the "organization's" "electronic data" cannot be replaced or restored, we will pay the cost to replace the media on which such "electronic data" was stored with blank media of substantially identical type.
2. Does not include:
- The cost to duplicate research that led to the development of the "organization's" "electronic data" or "computer programs";
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating or improving "electronic data" or any "computer program" to a level beyond the condition in which it existed immediately preceding the "cyber incident"; or
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving any "computer system".
M. "Defense costs" means all reasonable costs, charges, fees (including attorneys' fees and experts' fees) and expenses incurred in investigating, defending, opposing or appealing any "claim" and the premium for appeal, attachment or similar bonds. "Defense costs" shall not include any salaries, wages, fees or benefits of "employees".
N. "Discover" or "discovered" means the time when any "insured" first becomes aware of facts which would cause a reasonable person to assume that a "cyber incident", "cyber extortion event", "information security breach" or "interruption" has occurred, regardless of when the "cyber incident", "cyber extortion event", "information security breach" or "interruption" occurred, even though the exact amount or details of "loss" may not then be known.
O. "Electronic data" means information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property. "Electronic data" does not include the "organization's" "electronic data" that is licensed, leased, rented or loaned to others.
P. "Employee" means any natural person whose labor or service is, was or will be engaged and directed by the "organization" and includes part-time, seasonal or temporary workers, interns, volunteers, leased workers and "executives", but only while acting within the scope of their duties as determined by the "organization". "Employee" does not include independent contractors.
Q. "Executive" means any natural person who was, is now or will be a duly elected or appointed director, trustee, officer, member of the Board of Managers or the equivalent position of an "organization".
R. "Extra expenses":
1. Means necessary expenses the "organization" incurs:
- During the "period of restoration" that the "organization" would not have incurred if there had been no "interruption"; or
- To avoid or minimize the "interruption".
2. Does not include:
- Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving "electronic data", any "computer program" or any "computer system";
- "Cyber incident or information security breach expenses";
- "Cyber extortion expenses"; or
- "Data restoration expenses".
S. "Information security breach" means any unauthorized access, acquisition, retention or use of:
- "Personal information"; or
- Any confidential corporate or proprietary information of any third party that is not available to the general public and which the "insured" is obligated to maintain in confidence pursuant to a written agreement;
while in the care, custody or control of an "insured" or entity that the "organization" engaged under the terms of a written contract to perform services for or on behalf of an "insured".
T. "Insured" means the "organization" and "employees".
U. "Interrelated wrongful acts" means all causally connected "wrongful acts" arising out of the same or substantially the same facts, circumstance or allegations which are the subject of or the basis for any "claim".
V. "Interruption" means an unanticipated cessation or slowdown of the "organization's" business activities.
W. "Liability loss":
1. Means any of the following:
- Compensatory awards or judgments, including prejudgment and post-judgment interest;
- Monetary settlements; or
- Punitive, exemplary and multiple damages where insurable under the applicable law which most favors coverage for such damages.
2. Shall not include:
- Taxes, fines or penalties imposed by law, other than punitive, exemplary or multiple damages that are considered insurable by the applicable law which most favors coverage for such damages;
- Liquidated damages stipulated to in a contract in excess of any amounts the "insured" is liable for in the absence of such contract;
- Any amounts that are uninsurable under the law pursuant to which this Policy shall be construed;
- Restitution, disgorgement, royalties, unjust enrichment or any profits or advantage the "insured" was not legally entitled to;
- The cost to comply with any order or agreement to provide any equitable relief, including injunctive relief; or
- Chargebacks, interchange fees or rates, discount fees, processing fees or any costs to replace any payment cards whose card numbers were or may have been compromised.
X. "Loss" means:
- "Cyber incident or information security breach expenses" under Insuring Agreement A.1. Cyber Incident Or Information Security Breach Expense;
- "Cyber extortion expenses" under Insuring Agreement A.2. Cyber Extortion Events;
- "Data restoration expenses" under Insuring Agreement A.3. Replacement Or Restoration Of Electronic Data;
- "Business income loss" and "extra expenses" under Insuring Agreement A.4. Business Income And Extra Expense;
- "Liability loss" and "defense costs" under Insuring Agreement B.1. Cyber Incident Or Information Security Breach Liability; and
- "Regulatory loss" and "defense costs" under Insuring Agreement B.2. Regulatory Proceeding Liability.
Y. "Named insured" means the individual or entity shown in the Declarations.
Z. "Organization" means the "named insured" and any "subsidiary".
AA. "Organization's computer system" means any "computer system" which collects, transmits, processes, stores or retrieves the "organization's" "electronic data", and is:
- Owned by the "organization";
- Leased by the "organization" and operated by any "insured"; or
- Owned and operated by an "employee" who has agreed in writing to the "organization's" personal device use policy.
BB. "Over redemption or under redemption" means price discounts, prizes, awards or other valuable consideration given in excess of or below the total contracted, expected or posted amount.
CC. "Payment card industry loss":
1. Means any of the following:
- Assessments, including card reissuance costs and fraud recoveries, and contractual fines or penalties that the "organization" is legally obligated to pay under the terms of a "payment card service agreement", if any;
- Compensatory awards or judgments, including prejudgment and post-judgment interest;
- Monetary settlements; or
- Punitive, exemplary and multiple damages where insurable under the applicable law which most favors coverage for such damages.
2. Shall not include:
- Taxes, fines, penalties or assessments imposed by law, other than punitive, exemplary or multiple damages that are considered insurable by the applicable law which most favors coverage for such damages or assessments and contractual fines or penalties that the "organization" is legally obligated to pay under the terms of a "payment card service agreement";
- Any amounts that are uninsurable under the law pursuant to which this Policy shall be construed;
- Restitution, disgorgement, royalties, unjust enrichment or any profits or advantage the "insured" was not legally entitled to; or
- Interchange fees or rates, discount fees, processing fees.
DD. "Payment card service agreement" means a written contract between an "organization" and acquiring bank, payment card processor or payment card brand that establishes the terms and conditions regarding acceptance or processing of payment cards, including rules requiring the merchant to comply with Payment Card Industry Data Security Standards.
EE. "Period of restoration" means the period of time:
- Beginning immediately after the end of the Waiting Period shown in the Declarations; and
- Ending when the "organization's computer system" is or could have been repaired or restored with reasonable speed to the same functionality and level of service that existed prior to the "interruption".
However, in no event will the "period of restoration" exceed 180 days, unless a different Maximum Restoration Period Days is shown in the Declarations.
The expiration date of this Policy will not cut short the "period of restoration".
FF. "Personal information" means any information not available to the general public for any reason through which an individual may be identified including, but not limited to, an individual's:
- Social security number, driver's license number or state identification number;
- Protected health information;
- Financial account numbers;
- Security codes, passwords, PINs associated with credit, debit or charge card numbers which would permit access to financial accounts;
- Biometric data; or
- Any other nonpublic information as defined in "privacy regulations".
GG. "Policy period" means the period of time from the inception date of the Policy shown in the Declarations to the expiration date specified in the Declarations or its earlier cancellation or termination date.
HH. "Pollutants" means any solid, liquid, gaseous or thermal irritant or contaminant, including smoke, vapor, soot, fumes, acids, alkalis, chemicals and waste. Waste includes materials to be recycled, reconditioned or reclaimed.
II. "Privacy regulations" means any of the following statutes and regulations, and their amendments, associated with the control and use of personally identifiable financial, health, biometric or other sensitive information including, but not limited to:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191);
- The Health Information Technology for Economic and Clinical Health Act (HITECH) (American Recovery and Reinvestment Act of 2009);
- The Gramm-Leach-Bliley Act of 1999;
- Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)), but solely for alleged unfair or deceptive acts or practices in or affecting commerce;
- The Identity Theft Red Flags Rules under the Fair and Accurate Credit Transactions Act of 2003;
- The European Union General Data Protection Regulation (GDPR);
- Children's Online Privacy Protection Act of 1998 ("COPPA"); or
- Any other similar state, federal or foreign identity theft or privacy protection statute or regulation.
JJ. "Regulatory loss":
1. Means any of the following:
- The sum of money which an "organization" is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to a settlement or an adverse judgment resulting from a "claim"; or
- Fines or penalties assessed against an "organization" by a governmental or regulatory agency where insurable under the applicable law which most favors coverage for such fines or penalties.
2. Shall not include:
- Any amounts that are uninsurable under the law pursuant to which this Policy shall be construed;
- Restitution, disgorgement, royalties, unjust enrichment or any profits or advantage an "insured" was not legally entitled to; or
- Chargebacks, interchange fees or rates, discount fees, processing fees or any costs to replace any payment cards whose card numbers were or may have been compromised.
KK. "Subsidiary" means any entity in which:
- More than 50% of the outstanding securities or voting rights representing the present right to vote for the election of directors or an equivalent position is owned, in any combination, by the "organization"; or
- The "organization" has the right, pursuant to a written contract or the bylaws, charter, operating agreement or similar documents of an entity, including a limited liability company or joint venture, to elect, appoint or designate a majority of the board of directors or equivalent executives of such entity.
LL. "Suit" means a civil proceeding in which damages to which this Policy applies are claimed against the "insured". "Suit" includes:
- An arbitration proceeding in which such damages are claimed and to which the "insured" submits with our consent; or
- Any other alternative dispute resolution proceeding in which such damages are claimed and to which the "insured" submits with our consent.
"Suit" does not include a civil proceeding seeking recognition and/or enforcement of a foreign money judgment.
MM. "Third party computer system" means any "computer system" which collects, transmits, processes, stores or retrieves the "organization's" "electronic data" and that is operated by any entity, including any cloud service provider, that the "organization" engages under the terms of a written contract to perform services for the "insured" or on the "insured's" behalf, but only with respect to the "organization's" "electronic data".
NN. "Wrongful act" means:
1. With respect to Insuring Agreement B.1. Cyber Incident Or Information Security Breach Liability and Insuring Agreement B.2. Regulatory Proceeding Liability:
Any actual or alleged neglect, breach of duty, act, error or omission by an "insured" that results in or is based upon:
- A "cyber incident";
- An "information security breach";
- A "privacy regulation" violation; or
- The "organization's computer system" or a "third party computer system" transmitting, by e-mail or other means, malicious code, virus or any other harmful code to another person's or entity's "computer system".
2. With respect to Insuring Agreement B.3. Payment Card Industry Liability:
Any actual or alleged noncompliance with Payment Card Industry Data Security Standards.
3. With respect to Insuring Agreement B.4. Media Liability:
Any actual or alleged error, misstatement or misleading statement arising out of the gathering, recording, collecting, writing, editing, publishing, exhibiting, broadcasting or releasing of "content" that results in:
a. Any type of defamation, disparagement or harm to the character, reputation or feelings of a person or entity, including libel, slander, product disparagement or trade libel;
b. Any type of negligent or intentional infliction of emotional distress, outrage or outrageous conduct;
c. Any actual or alleged negligent act, error or omission, misstatement or misleading statement committed by, or on behalf of, the "organization";
d. Any type of invasion, infringement or interference with the right of privacy or publicity, including:
(1) Eavesdropping;
(2) False light;
(3) Public disclosure of private facts;
(4) Misappropriation of name or likeness; or
(5) Trespassing or wrongful entering;
e. False arrest, detention or imprisonment, abuse of process or malicious prosecution;
f. Any type of infringement of copyright, plagiarism or misappropriation of ideas or information; or
g. Any type of infringement or dilution of title, slogan, trademark, trade name, trade dress, service mark or service name.
Analysis:
a. Definitions With No Change
The following definitions are consistent with how the terms are defined in the existing forms, except that the term business income loss has been renamed:
- Application
- Computer Program
- Content (this definition was found in the Media and Information Security Protection Cyber Policy, but is now incorporated into this Information Security Protection Cyber Policy form)
- Electronic Data
- Interrelated Wrongful Acts
- Pollutants
- Suit
b. Revised Definitions:
The following terms are revised from their current definition, largely to correspond to changes in the policy form:
"Claim" – This definition has been revised to more closely relate to the coverages being provided, with the addition of a written demand for mediation and a demand for arbitration. In addition, the definition has been expanded to include a paragraph for the Payment Card Industry Liability Insuring Agreement. Such claims must be brought by a card company, issuing bank, payment card processors or an acquiring financial institution.
"Computer system" – This definition has been revised to remove PDAs as that term is no longer applicable in the new forms, but it still includes transportable or handheld devices. In addition, since organization's computer system and third-party computer system are both newly defined terms, the paragraph in the definition that described the ownership and operation of the computer system has been removed from this definition. The definition still includes electronic storage devices and related peripheral components; any systems and applications software, or any related telecommunications networks connected to or used in connection with such computer or devices.
"Cyber extortion event" – The portion of the definition for extortion expenses which provided for security firm costs or the costs of a person or organization hired to determine the validity and severity of an extortion threat is no longer included in the definition. This is because the definition of cyber incident and information security breach expenses includes this type of loss resulting from a cyber incident.
"Cyber incident" – This definition has been updated to include unauthorized access to or use of the organization's computer system and malicious code, virus or any other harmful code designed to also exploit the organization's computer system or otherwise disrupt its normal functioning or operation. Also, the term hacker attack has been removed.
"Cyber incident or information security breach expenses" – This definition replaces the definition of security breach expense, as that definition did not apply to cyber incidents. The new definition includes the costs to establish whether a cyber incident has occurred or is occurring, investigative costs relating to the cause, scope and extent of a cyber incident, costs to identify any affected parties, and costs to determine any remedial actions, including, but not limited to, legal fees or fees paid for professional advice on how to respond to the cyber incident, as well as public relations expenses. All of these costs are in connection with the cyber incident.
"Defense costs" – This definition replaces the definition for defense expenses, and is consistent with that definition, except that the term defense costs also includes expenses incurred in investigating or opposing any claim.
"Discover or discovered" – This definition has been revised to remove its application to claims, but otherwise is unchanged.
"Employee" – The updated definition now includes temporary workers, interns, and executives, but does not include independent contractors.
"Executive" – The positions that are included in this definition were previously included within the definition of employee. Executive means any natural person who is, was, or will be a duly elected or appointed director, trustee, officer, member of the Board of Managers, or equivalent position of an organization.
"Extra expenses" – The revised definition makes it clear that extra expenses do not include any cyber incident or information security breach expenses, or any data restoration expenses. Otherwise, the definition is unchanged.
"Information security breach" – This updated definition replaces the definition of security breach in the existing forms, which only applied to the acquisition of personal information. The revised definition is much broader and includes any unauthorized access, acquisition, retention or use of personal information, or any confidential corporate or proprietary information of any third party, that is not available to the general public and which the insured has a legal obligation to maintain in confidence. So, for example, if a vendor accesses employee information from the organization's computer system and uses that information to contact the employees directly to try to sell them products or services, that unauthorized access would be an information security breach.
"Insured" – In the new forms there are definitions for named insured, employee, and organization. Insured now means the named insured (an organization), its subsidiaries and employees.
"Interruption" – In the revised definition, the reference to e-commerce has been removed because the definition of cyber incident includes the introduction of malicious code into a computer system, which includes ransomware. The definition is enhanced to mean an unanticipated cessation or slowdown of the organization's business activities. In this manner, the definition is broadened by not limiting the interruption to e-commerce activities alone. Also, the reference to time element is removed from this definition, as it is now addressed in the definition of period of restoration, where it more logically belongs.
"Loss" – The revised definition spells out what the term means under each of the insuring agreements, rather than referring back to the agreements section. Loss means: cyber incident or information security breach expenses, cyber extortion expenses, data restoration expenses, business income loss, extra expenses, liability loss, regulatory loss, payment card industry loss and defense costs – as they apply to each coverage.
"Named insured" – This updated definition removes subsidiary, as that is now included in the definition of Insured. The definition now means the individual or entity shown in the Declarations.
"Period of restoration" – means the period of time beginning immediately after the end of the Waiting Period shown in the Declarations and ending when the organization's computer system is or could have been repaired or restored with reasonable speed to the same functionality and level of service that existed prior to the interruption. The period of restoration is 180 days (which can be amended). In the previous definition of Interruption, the period was limited to ninety days.
"Personal information" – The revised definition adds biometric data to the list, but is otherwise unchanged.
"Privacy regulations" – This definition is new, but was described in the definition of loss. The newly revised definition applies to the Regulatory Proceeding Liability coverage, and is enhanced to include the sum of money an organization is required to deposit in an equitable relief fund for paying customer claims in connection with a settlement or adverse judgment resulting from a claim.
"Subsidiary" – This definition is broadened to include not only entities in which the organization holds more than 50 percent of the voting rights, but also any entity in which the organization has the written right to elect, appoint or designate a majority of the board of directors or equivalent executives of such an entity.
"Wrongful act" – Instead of having only one definition limited to a security breach or a computer system transmitting, by e-mail or other means, a virus to another person or organization, wrongful act is now defined differently, depending on its applicable insuring agreement.
- For the Cyber Incident Or Information Security Breach Liability and the Regulatory Proceeding Liability insuring agreements, wrongful act means any actual or alleged neglect, breach of duty, act, error or omission by an insured that results in or is based upon a cyber incident, an information security breach, a privacy regulation violation, or the organization's computer system or a third party computer system transmitting, by e-mail or other means, malicious code, virus or any other harmful code to another person or entity's computer system.
- Under the Payment Card Industry Liability Insuring Agreement, wrongful act means any actual or alleged noncompliance with Payment Card Industry Data Security Standards.
- Under the Media Liability Insuring Agreement, wrongful act is consistent with the definition found in the Media Liability ISP policy.
c. New Definitions:
This analysis is for the new definitions being added.
"Card company" – While a similar definition appeared in form CY 20 12, that form is being withdrawn since Payment Card Industry coverage is being provided in the new form. Card company means any credit card company that requires its merchants to adhere to the Payment Card Industry Data Security Standards.
"Data restoration expenses" – This new definition separates out the data restoration expense part of the loss to stand on its own. The definition includes the cost to replace or restore the organization's electronic data or computer programs stored within its computer system to the condition that existed before the cyber incident. It also includes the cost of data entry, reprogramming and computer consultation services in connection with the cyber incident. So, for example, if a cyber incident destroys certain computer data that cannot be recovered without manual re-entry of the data and reprogramming that data into the system, these expenses will be part of the data restoration expenses.
"Liability loss" – Under the forms being withdrawn, the definition of liability loss was part of the definition of loss. Liability loss is applicable to loss paid under the Cyber Incident And Information Security Breach and the Media Liability Insuring Agreements. It is defined to mean compensatory awards or judgments, or punitive, exemplary and multiple damages where insurable by the law most favoring such damages. Liability loss does not include any costs to comply with orders or agreements to provide equitable relief, including injunctive relief or chargebacks, interchange fees or rates, discount fees, processing fees, or costs to replace any payment cards whose numbers were or may have been compromised. In application, assume a cyber incident has breached computer systems of an organization in several states, compromising the personal information of millions of the organization's customers across these states. The plaintiffs' attorney may select among the affected states and request damages be awarded based on the laws of the state that will provide the most favorable outcome to the affected customers in the class action suit.
"Organization" – This new definition means the named insured and any subsidiary.
"Organization's computer system" – This term was included within the definition of computer system, but now has its own definition. Organization's computer system means any computer system which collects, transmits, processes, stores or retrieves the organization's electronic data; and is owned or leased by the organization and operated by any insured; or owned and operated by an employee who has agreed in writing to the organization's personal device use policy. This broadens the definition to include those insured organizations who permit employees to use their personal devices, as long as they are aware of the organization's policies regarding such use and acknowledge this in writing.
"Over redemption or under redemption" – The term over redemption is defined in the existing forms, but the new definition now includes under redemption. Over redemption or under redemption means price discounts, prizes, awards or other valuable consideration that either exceeds or is below the amount that has been contracted for, or is expected or posted.
"Payment card industry loss" – This new definition applies only to the Payment Card Industry Liability Insuring Agreement. The definition includes the same types of loss that are included within the definition of liability loss, but unlike liability loss, payment card industry loss does not exclude chargebacks or costs to replace payment cards whose numbers were or may have been compromised. Payment card industry loss includes loss specific to credit cards, including payments of assessments, card reissuance costs, fraud recoveries, and contractual fines or penalties the organization must legally pay under the terms of a payment card service agreement, if any.
"Payment card service agreement" – This definition also applies to the payment card industry and its data security standards. Payment card service agreement means a written contract between an organization and an acquiring bank, payment card processor or payment card brand that establishes the terms and conditions regarding acceptance or processing of payment cards, including the rules requiring the merchant to comply with Payment Card Industry Data Security Standards.
"Regulatory loss" – This definition applies only to the Regulatory Proceeding Liability coverage. The type of loss described was in the Security Breach Liability Insuring Agreement of the forms being replaced; however, this new definition is enhanced to include the sum of money an organization is legally required to deposit in an equitable relief fund for the payment of consumer claims due to a settlement or adverse judgment resulting from a claim.
"Third party computer system" – While a similar description was included in the definition of computer system in the forms being replaced, this is a new definition that specifically defines a third party computer system. It means any computer system which collects, transmits, processes, stores or retrieves the organization's electronic data. It can be any entity or cloud service provider that the organization contracts with in writing to perform services by or on behalf of the insured, but only with respect to the organization's electronic data. Examples of such entities might be Google, Apple, or Microsoft.
d. Deletion of Defined Terms:
To conform with changes in the new forms, the following definitions are no longer needed and thus have been removed:
"E-commerce activities" – this definition has been replaced by the undefined and broader term: business activity.
"Hacker" – this term is no longer used in defining a cyber incident.
"Informant" – this term is now included in the definition of cyber extortion expenses.
"Negative publicity" – this term is now included in the definition of cyber incident and information security breach expenses.
"Public relations expenses" – this term is also now included in the definition of cyber incident and information security breach expenses.
"Ransomware" – while this term has been removed, the definition of cyber incident includes malicious code, virus or any other harmful code, which includes ransomware.
"Regulatory proceeding" – this term is now included in the definition of a claim.
"Virus" – this term has been removed as a stand-alone definition.
Includes copyrighted material of Insurance Services Office, Inc., with its permission.