Summary: In July 2017, ISO introduced its first cyber coverage forms. With the introduction of the cyber product, the ISO E-Commerce Program was renamed the ISO Cyber Program. However, as with most new programs, ISO received a vast amount of input on the program, generating the need to make substantial changes and enhancements. Because the changes are so substantial, and because new formatting changes make the forms easier to read, ISO is introducing an entirely new Commercial Cyber Insurance Policy form (CCI), CY 00 02 11 21, and a new Information Security Protection (ISP) Cyber Policy form, CY 00 03 11 21. These forms will replace the current forms CY 00 01, CY 00 03, and CY 00 10.

Naturally, the program applications, Declarations and endorsements will be revised to follow the new forms. The anticipated effective date of these changes is 11/1/2021.

Because this revision is a total replacement of the product, this analysis will address the new policy, highlighting prominent changes over the current form, which will be withdrawn as the new form receives approval.

The forms analyses of the new cyber product will be in several parts. This is Part Three "A", which addresses the first seven sections of the Commercial Cyber Insurance Policy, CY 00 02 11 21. Part Three "B" will be published separately, analyzing Sections VIII – Conditions, Section IX – Extended Reporting Periods and Run-Off Coverage Period, and Section X – Definitions.

Topics Covered:

Section VII – Exclusions

Commercial Cyber Insurance Policy

CY 00 02 Commercial Cyber Insurance Policy replaces form CY 00 01, which will be withdrawn from use.

Claims-Made and Reported Coverage

As with CY 00 03 previously discussed in Part One, coverage under the policy is clearly stated to be claims-made and reported liability coverage:

LIABILITY INSURING AGREEMENTS IN THIS POLICY PROVIDE CLAIMS-MADE AND REPORTED COVERAGE. PLEASE READ THE ENTIRE POLICY CAREFULLY.

Analysis:

The obligation of an insurer to pay for a claim under a claims-made policy is triggered only if a covered claim is first made against the insured during the policy period or extended reporting period. The term trigger refers to the events or circumstances that activate the policy's coverage. This policy not only requires that the claim be first made during the policy period or extended reporting period, but also that the claim be discovered and reported within that same time frame.

Preamble

The policy form introduces a preamble (not included in the current form) as follows:

UNDER LIABILITY INSURING AGREEMENTS, CLAIMS MUST BE FIRST MADE AGAINST THE INSURED DURING THE POLICY PERIOD, OR ANY APPLICABLE EXTENDED REPORTING PERIOD, AND REPORTED TO US AS SOON AS PRACTICABLE, BUT IN NO EVENT LATER THAN 60 DAYS AFTER THE END OF THE POLICY PERIOD OR ANY APPLICABLE EXTENDED REPORTING PERIOD.

DEFENSE COSTS ARE PAYABLE WITHIN, AND NOT IN ADDITION TO, THE LIMIT OF INSURANCE. PAYMENT OF DEFENSE COSTS UNDER THIS POLICY WILL REDUCE THE LIMIT OF INSURANCE.

Analysis:

Adding the preamble using bold capitalization highlights the importance of meeting the claims-made and reporting requirements explicitly as stated, and ensures that the policyholder will be sure to see the requirements to avoid any confusion over this being a claims-made and reported policy.

Claim reporting requirements establish when and how claims made against the insured must be reported to the insurer. Policy CY 00 02 contains a very specific written reporting requirement of any "cyber incident", "cyber extortion event", "information security breach", or "interruption" that is discovered within the policy period as soon as practicable, but not later than sixty days after the end of the policy period; or if an extended discovery period applies, not later than sixty days after the end of such extended discovery period.

There must be an actual written reported claim; and, quite importantly, it is the first making of a claim that activates the policy's coverage process. "Claim" is also a defined term in the policy, which will be discussed later.

The second portion of the preamble states that defense expenses are payable within, and not in addition to, the Limit of Insurance. Paid defense expenses will reduce the limit of insurance for this coverage.

Introduction

Various provisions in this Policy restrict coverage. Read the entire Policy carefully to determine rights, duties and what is and is not covered.

Throughout this Policy, the words "we", "us" and "our" refer to the company providing this insurance.

Other words and phrases that appear in quotation marks have special meaning. Refer to Section X – Definitions.

Analysis:

The initial ISO Rule 65 addressing the description of coverage and Rule 67 which contained the base loss costs have been replaced by Rules 30 and 32, respectively. Rule 31, which replaces Rule 66, is now in use with guidelines stating that the CCI policy is not designed for financial institutions, including banks, savings institutions, securities brokers and dealers, insurance companies, finance companies, credit unions, and mortgage bankers. Note that these financial institutions are now eligible for the ISP form CY 00 03.

Unlike the current form and other ISO forms, there is no identification of or reference to "you" or "your" in CY 00 02. Nor does it include any references to the first named insured, as there is only one named insured in the policy. Coverage is provided to the named insured and all of its subsidiaries and employees. The coverage applies to the named insured, and the company providing the insurance is referred to as "we", "us", and "our".

The terms "insured", "named insured", "organization", "subsidiary" and "employee" are all defined terms in the policy. Refer to the Definitions section for the meaning of each term.

SECTION I – INSURING AGREEMENTS

The coverage form consists of four first-party Insuring Agreements and four liability Insuring Agreements. Each Insuring Agreement carries its own separate Limit of Insurance as shown in the Declarations. It is noted that the term "organization" is used in the coverages and definitions. An "organization" includes the named insured and its subsidiaries.

By nature of the many types of cyber-related exposures, it is typical for a significant period of time (months or even years) to lapse between the time an incident occurs that might give rise to a loss, and the time that an insured becomes aware of such incident. Therefore, each Insuring Agreement utilizes a discovery based coverage trigger for the policy period shown in the Declarations, or during the period of time provided in the Extended Discovery Period. "Discover" or "discovered" is a defined term in the policy.

Discovery Example: 

The XYZ Policy was effective 1/1/20 to 1/1/21. A disgruntled employee who was fired by the company on 3/1/16 breached the security systems of XYZ on 4/5/16; however, the breach was not discovered by XYZ until 6/1/20. This security breach would be covered under the 1/1/20 to 1/1/21 policy term because it was first discovered and reported by the insured during that policy period.

A.  First Party Insuring Agreements

For coverage under First Party Insuring Agreements to apply, the "cyber incident", "cyber extortion event" or "information security breach" must be "discovered" within the "policy period" or, if applicable, within the Extended Discovery Period, and reported to us as soon as practicable, but in no event later than 60 days after the end of the "policy period" or, if applicable, the Extended Discovery Period, in accordance with the terms of this Policy.

  1. Cyber Incident Or Information Security Breach Expense

We will pay for "cyber incident or information security breach expenses" resulting directly from a "cyber incident" or an "information security breach".

  2. Cyber Extortion Events

We will pay for "cyber extortion expenses" resulting directly from a "cyber extortion event".

  3. Replacement Or Restoration Of Electronic Data

We will pay for "data restoration expenses" resulting directly from a "cyber incident".

  4. Business Income And Extra Expense

We will pay for "business income loss" and "extra expenses" incurred during the "period of restoration" due to an "interruption" resulting directly from a "cyber incident".

Analysis:

The claims-made and reporting requirements apply in the same manner to all coverages provided in the policy, with no differentiation in the requirements. Each of the four first-party insuring agreements relates to costs that the named insured incurs from the time of the first incident or breach to pay extortionists or to replace data needed to continue operations, as well as providing business income and extra expense coverages due to an interruption that results directly from a cyber incident covered under the policy. The first four insuring agreements in this form are identical to those in form CY 00 03 11 21, Information Security Protection Cyber Policy.

In the first Insuring Agreement, the policy pays for "cyber incident or information security breach expenses" as a direct result of a cyber incident or information security breach. An enhancement from the current form is that this coverage now extends to expenses from a cyber incident as well as information security breaches. Each of the terms is defined in the definitions, but in simple terms a loss can include any of the following: costs to investigate and establish whether a cyber incident or information security breach has occurred or is occurring; costs to investigate the cause, scope and extent of a cyber incident or information security breach and to identify any affected parties; costs to determine remedial action, including but not limited to fees paid for legal and other professional advice on how to respond to the cyber incident; public relations fees to protect the insured's reputation; notifications, overtime salaries, call center fees and costs, post-event credit and identity monitoring, and other reasonable expenses authorized by the company.

There is an enhanced definition of "cyber incident" in the policy, defined to include any unauthorized access to or use of the organization's computer system (including the organization's electronic data), malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into the organization's computer system (including the organization's electronic data) and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of the organization's computer system (including the organization's electronic data) or otherwise disrupt its normal functioning or operation. "Cyber incident" is also defined to include a denial of service attack specifically directed at an organization which disrupts, prevents or restricts access to or use of the organization's computer system, or otherwise disrupts its normal functioning or operation.

The second Insuring Agreement provides coverage for "cyber extortion expenses" as a direct result of a "cyber extortion event". An enhancement over the current form is that the coverage will now pay loss expenses from a cyber extortion event, rather than just an extortion threat. These defined expenses include ransom demand payments in connection with an actual or threatened cyber incident or security breach; or the theft, disclosure, destruction, publication, or use of the organization's confidential corporate information. Covered expenses of a ransom demand include interest paid by the organization for a loan taken out to pay the ransom demand, and reward payments paid by the organization to anyone other than an employee for providing information not otherwise attainable that leads to the arrest and conviction of responsible parties. Refer to the limits of insurance section for more information on reward payments coverage under the cyber extortion insuring agreement. Ransom payments can also include payments made in the form of virtual currency, such as bitcoin.

The third Insuring Agreement, for Replacement Or Restoration Of Electronic Data, includes coverage for loss of electronic data or computer programs if such loss is a direct result of a cyber incident discovered during the policy period. There really is no change in this coverage from what is on the current form, which provides coverage for the organization's costs to replace or restore its electronic data or computer programs stored on its computer system, and costs of data entry, reprogramming and computer consultation services that are a direct result of a cyber incident, as defined. The electronic data or computer programs must have been stored on a computer system, defined as any type of computer. "Computer" includes any personal data assistants (PDAs) and other transportable or handheld devices, electronic storage devices and related peripheral components; any systems and applications software; or any related telecommunications networks connected to or used in connection with such computer or devices. The computer or devices must be owned by an insured, leased by an insured and operated by an insured employee, or owned and operated by an employee who has agreed in writing to the insured's personal device use policy; or operated by an authorized third party (with respect to the insured's electronic data), if such third party is under written contract to perform services for the insured. Aside from laptops and desktops, this includes tablets, e-readers and similar devices.

The fourth Insuring Agreement addresses Business Income and Extra Expense coverage for loss due to an interruption that results directly from a cyber incident that is discovered during the policy period. (No longer is extortion threat included within the insuring agreement, due to a broader definition of "cyber incident".) Business Income and Extra Expense are the standard coverages as can be added to a property policy. An "interruption" is defined as an unexpected stoppage or slowdown of business activity. This is an enhancement over the current form which only covered loss resulting from the interruption of e-commerce activities. Not included as extra expense are costs associated with upgrading, maintaining, remediating or improving the system that was involved in the attack. For example, if a company's computers are hacked and the company is forced to shut down for a few days since the production machines are temporarily inoperable, that loss of income and extra expenses would be covered.

Another enhancement to the coverage is a definition of "period of restoration", which expands the period from 90 days to 180 days, and also offers an option to accommodate a different maximum period that can be shown in the Declarations.

B.  Liability Insuring Agreements

For coverage under Liability Insuring Agreements to apply, "claims" must be first made against an "insured" during the "policy period" or during any applicable Extended Reporting Period, and reported to us as soon as practicable, but in no event later than 60 days after the end of the "policy period" or any applicable extended reporting period, in accordance with the terms of this Policy.

  1. Cyber Incident Or Information Security Breach Liability

We will pay for "liability loss" that an "insured" becomes legally obligated to pay and "defense costs" as a result of a "claim" for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, and before the end of the "policy period".


  2. Regulatory Proceeding Liability

We will pay for "regulatory loss" that the "organization" becomes legally obligated to pay and "defense costs" as a result of a "claim" for a "wrongful act" or a series of "interrelated wrongful acts" taking place on or after the Retroactive Date, if any, and before the end of the "policy period".

Analysis:

The basis of each of the liability coverages is a "claim" for a "wrongful act" or a series of "interrelated wrongful acts". The first two insuring agreements in this form are identical to the same-titled insuring agreements in CY 00 03 11 21. Coverage is on a discovery basis, meaning that coverage is triggered when an insured first discovers there has been an incident, threat, breach or claim to which the insurance applies. The discovery must be made either during the policy period or during the Extended Reporting Period, or no later than sixty days after the end of the applicable period.

Because a cyber incident may not be discovered by the insured right away, the discovery trigger is very important, in that coverage will be activated at the time the insured discovers the breach and reports it to the insurer even though the incident occurred some time before its discovery. Take for example the Target data breach:  the cyber attack started on November 27, 2013. Target personnel discovered the breach and notified the U.S. Justice Department by December 13, 2013. So for purposes of example, December 13th would be the discovery date triggering coverage.

"Wrongful act" is defined under the form so that the definition is specific to each of the insuring agreements, which is a change from the current form.

The first insuring agreement applies to Cyber Incident or Information Security Breach Liability coverage. This insuring agreement is enhanced over the current Security Breach agreement and provides broader coverage than the existing Programming Errors and Omissions Liability coverage. The insurer will pay for liability loss and defense costs resulting from a claim for an actual or alleged programming error or omission if it results in the disclosure of a client's personal information held in a computer system meeting the policy definition. It also covers loss resulting from any actual or alleged neglect, breach of duty, act, error or omission by an insured based on or as a result of an information security breach. Information security breach includes any unauthorized access, acquisition, retention or use of personal information, which includes the client's personal information. The definition of "wrongful act" as it pertains to this coverage now includes cyber incidents, another enhancement over the current form.

With respect to the first two liability insuring agreements the definition of wrongful act is:

Any actual or alleged neglect, breach of duty, act, error or omission by an insured that results in or is based upon:

  1. A "cyber incident";

  2. An "information security breach"; 

  3. A "privacy regulation" violation; or

  4. The "organization's computer system" or a "third party computer system" transmitting, by e-mail or other means, malicious code, virus or any other harmful code to another person's or entity's "computer system".

Liability loss is described in the Definitions, but basically it includes compensatory judgments, monetary settlements, punitive and exemplary damages where insurable by law, and fines or penalties assessed against the insured if such fines and penalties are permitted by the law most favorable to coverage of such damages. As with the definition of wrongful act, the definition of loss is specific to the coverage to which it applies under the respective insuring agreements. Liability loss is defined with clarification as to what is not included, which encompasses such things as amounts or damages not considered insurable by law; excessive liquidated damages in a contract that the insured would not otherwise be liable for if there were no contract; restitution, royalties or any other illegal unjust enrichment, profits or advantage to the insured; costs for compliance with equitable or injunctive relief; or any fees or costs in connection with the replacement of payment cards whose card numbers were or may have been compromised.

Defense costs as defined encompass any expenses incurred in the investigation, defense and appeal of a claim, and the cost of attachment or similar bonds; but of course they do not include salaries, wages, fees or benefits of "employees".

For example, an online retailer's computer system is hacked and customer data including credit card numbers and other personal identifiable information is accessed. The retailer is sued and as a result must pay out a large settlement to consumers; the defense costs in the suit and the required settlement would be paid. Refer to Section IV – Defense and Settlement. 

The second insuring agreement, for Regulatory Proceeding Liability, applies to the organization's (defined to mean the named insured and any subsidiary) regulatory loss and defense costs when the organization is held legally liable in a claim for wrongful acts under the policy. Regulatory loss is a new term not existing in the current form. A regulatory loss is a defined term, but in essence it is when an organization is legally required to create a depository of funds for equitable relief for paying consumer claims required in a settlement or an adverse judgment from a claim; or when an organization is fined or assessed by a governmental or regulatory agency. The fines or penalties will only apply where such are insurable under the applicable law that most favors that coverage. A regulatory loss as defined in the form can be exemplified by the Equifax data breach of 2017, where the settlement included a requirement that Equifax deposit up to $425 million in a fund to provide affected customers with credit monitoring services, and to compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach. An example of the fines and penalties is that Equifax agreed to pay $175 million to forty-eight states, the District of Columbia, and Puerto Rico, as well as $100 million to the CFPB in civil penalties.

Removed Insuring Agreements:

The current Cyber form contains six insuring agreements; this revised form contains four. The Web Site Publishing Liability Insuring Agreement is no longer needed, as that coverage is now part of the Media Liability Insuring Agreement, and the coverage is broader than what was provided in CY 00 10 and CY 00 11. Likewise, Programming Errors and Omissions Liability is now part of the Cyber Incident or Information Security Breach Liability coverage, which states that the insurer will pay for loss and defense costs as a result of a claim for any actual or alleged programming error or omission that results in the disclosure of the named insured's client's personal information held within a "computer system".

Optional Insuring Agreements:

Three additional Insuring Agreements are being made available by endorsement:

  • CY 20 13 Computer And Funds Transfer Fraud Endorsement
  • CY 20 14 Computer Fraud Endorsement
  • CY 20 15 Telephone Toll Fraud Endorsement

These endorsements will be discussed following analysis of this coverage form CY 00 02.

SECTION II – LIMITS OF INSURANCE 

A.   Policy Aggregate Limit Of Insurance

The most we will pay for all "loss", and "defense expenses" if covered, under this Policy is the Policy Aggregate Limit Of Insurance shown in the Declarations. The Policy Aggregate Limit of Insurance shall be reduced by the amount of any payment made under the terms of this Policy. Upon exhaustion of the Policy Aggregate Limit of Insurance by such payments, we will have no further obligations or liability of any kind under this Policy.

Analysis:

This limit of insurance provision is the same as it is in the current form. The total amount the policy will pay for all covered loss and defense expenses is the Policy Aggregate Limit of Insurance shown in the Declarations. Payment of loss and defense expenses reduce the Policy Aggregate Limit of Insurance, and once this limit is exhausted, the insurer has no further obligations under the policy. The ISO basic limit is $500,000/$1,000,000, which may be increased.

B.   Sublimit(s) Of Insurance

Subject to the Policy Aggregate Limit of Insurance, the most we will pay under:

  • Insuring Agreement A.1. Cyber Incident Or Information Security Breach Expense for all Public Relations Expenses is the Public Relations Expenses Sublimit Of Insurance;
  • Insuring Agreement A.2. Cyber Extortion Events for all "cyber extortion expenses" is the Cyber Extortion Expenses Sublimit Of Insurance;
  • Insuring Agreement A.2. Cyber Extortion Events for all Reward Payments is the Reward Payments Sublimit of Insurance subject to the Cyber Extortion Expenses Sublimit Of Insurance;
  • Insuring Agreement A.4. Business Income And Extra Expense for all "business income loss" and "extra expenses" is the Business Income And Extra Expense Sublimit Of Insurance; and
  • Insuring Agreement B.2. Regulatory Proceeding Liability for all "regulatory loss" and "defense costs" incurred as a result of a "claim" is the Regulatory Loss Sublimit Of Insurance;

if any, shown in the Declarations.

These Sublimit(s) of Insurance are part of, and not in addition to, the Policy Aggregate Limit of Insurance. Upon exhaustion of any Sublimit(s) of Insurance by payment of "loss", we will have no further obligations or liability of any kind with respect to "loss" that is subject to such Sublimit Of Insurance.

Analysis:

The current form being withdrawn contained three options for sublimited coverages: Ransom Payment, Business Income And Extra Expense, and Public Relations Expenses.

In the 11 21 edition, there are two additional coverage options, all of which are subject to a specific sublimit of insurance, as shown in the Declarations. If there is no sublimit shown in the Declarations for that coverage, then there is no coverage. The optional sublimited coverages are included within the aggregate limit of insurance, not in addition to the aggregate.

Sublimits are offered for:

  • Public relations expenses, which will be included within the aggregate limit for Cyber Incident Or Information Security Breach Expense coverage;
  • Cyber extortion expenses, which will be included within the aggregate limit for Cyber Extortion Events coverage;
  • Reward Payments, which will be included within the aggregate limit for Cyber Extortion Events coverage;
  • Business income loss and extra expenses, included within the coverage for Business Income And Extra Expense; and
  • Regulatory loss and defense costs, which are included under the Regulatory Proceeding Liability coverage.

Once the applicable insuring agreement limit has been exhausted, coverage will cease for that insuring agreement. The limits under each insuring agreement are subject to the policy aggregate limit of insurance.

For example, a policy aggregate is $3,000,000. Each of the four insuring agreements has a limit of $1,000,000, and the Reward Payment coverage is added at a sublimit of $50,000. If a paid cyber extortion claim amounts to $1,000,000, then there will be no additional funds left in the limit for the reward payment, as the reward payment limit is subject to the aggregate limit for Cyber Extortion Events coverage. Therefore, if claims under any one insuring agreement exceed $1,000,000 during the policy term or extended reporting period, the insurer is no longer obligated to pay any claims or provide any defense under that insuring agreement. However, this does not affect the insurer's obligation under any of the remaining insuring agreements. Once the total of all claims under all of the insuring agreements reaches $3,000,000, the insurer is no longer obligated to pay any claims or provide any defense under the policy.

SECTION III – RETENTION

A.  Under each insuring agreement, except under Insuring Agreement A.4. Business Income And Extra Expense, we will only pay for "loss" once the amount of "loss" exceeds the Policy Retention Amount shown in the Declarations.

B.  Under Insuring Agreement A.4. Business Income And Extra Expense, we will only pay the amount of "loss" which exceeds the greater of:

  1. The Policy Retention Amount shown in the Declarations; or
  2. The amount of "loss" incurred during the Waiting Period shown in the Declarations.

In the event "loss" resulting from the same "cyber incident", "cyber extortion event", "information security breach", "wrongful act" or any combination of "interrelated wrongful acts" is covered under more than one insuring agreement, only the highest Retention Amount shall apply to all "loss".

Analysis:

The existing forms utilize a deductible approach to loss. In the newly revised forms this has been changed to an insured policy retention. The retention applies in the same manner as the deductible applied per insuring agreement; however, the retention must be paid first out of the insured's own pocket before any coverage will commence under the policy. The base company rates or ISO loss costs reflect a $5,000 retention, which may be increased or decreased.

The retention will apply the same for all insuring agreements except for the Business Income and Extra Expense Insuring Agreement, given that this is a waiting period retention in lieu of a dollar amount retention. The Business Income and Extra Expense waiting period retention may be modified by using endorsement CY 20 37, Business Income And Extra Expense – Waiting Period (CCI). This endorsement amends the retention so that the insurer will only pay the amount of loss that is incurred at the end of the waiting period.

If there is a loss that results from the same incident, event, breach, or wrongful act covered under the policy, or if the loss is covered under more than one of the insuring agreements, then only the highest Retention Amount will apply.

Example:

The policy for XYZ organization has a $5,000 retention for all coverages under the Commercial Cyber Insurance Policy except for Regulatory Proceeding Liability, which has a $1,000 retention. If a loss includes both Cyber Incident Or Information Security Breach Liability and Regulatory Proceeding Liability, the applicable retention for the loss will be the highest retention amount of $5,000.

SECTION IV – DEFENSE AND SETTLEMENT

The provisions contained within this section apply only to Liability Insuring Agreements:

A.  Defense

  1. We shall have the right and duty to defend any covered "claim", including the right to select defense counsel, even if the allegations of such "claim" are groundless, false or fraudulent. However, we shall have the right but not the duty to defend the "insured" against a "claim" covered under Insuring Agreement B.2. Regulatory Proceeding Liability. We shall have no duty to defend the "insured" against any "claim" which is not covered under any Liability Insuring Agreement.

B.   Settlement

  1. We shall have the right to negotiate and settle any "claim", but will not enter into any settlement without the "organization's" consent. If the "organization" withholds consent to a settlement recommended by us and acceptable to the claimant, our duty to defend ends, and the most we will pay for that "claim" is the sum of:

a.  The amount for which we could have settled the "claim";

b.  "Defense costs" incurred, up to the date of the "organization's" refusal to settle the "claim";

c.  50% of all "loss", other than "defense costs", in excess of the settlement amount recommended by us; and

d.  50% of all "defense costs" incurred after the date of the "organization's" refusal to settle the "claim".

  2. We shall not be liable for any "loss", settlement or assumed obligations or admissions to which we have not consented.

Analysis:

A change from the existing forms is that the duty to defend applies to the entire liability section, except Regulatory Proceeding Liability (the current forms apply defense to the Security Breach Liability Insuring Agreement only). The security breach coverage is renamed Cyber Incident Or Information Security Breach, since coverage now includes liability resulting from cyber incidents. This section describes the insurer's right and duty to select counsel and defend the insured against any claim covered under the liability insuring agreements. The treatment of regulatory proceedings is not a change, however, as under the current form the insurer also has the right, but not the duty, to defend the insured in a regulatory proceeding.

The settlement provision differs from the current form. The current forms do not provide for the payment of any defense costs after the insured refuses the settlement amount recommended by the insurer, nor do they provide for any loss that exceeds the amount for which the claim could have been settled. In the new form, if the insured does not consent to the settlement recommended by the insurer, the most the insurer will pay is the sum of the amount for which the claim could have been settled, defense costs incurred up to the date of the refusal, 50 percent of defense costs incurred after the refusal, and 50 percent of loss (other than defense costs) in excess of the settlement amount the insurer recommended.

Example:

The insurer for the XYZ policy will provide defense for a covered claim for a Cyber Incident in a court proceeding. The insurer offers to settle the claim for $5 million, including the defense costs. The insured refuses the settlement offer. The insured continues the defense of the claim for 60 days after the settlement offer and ends up settling for $6.5 million. The insurer will cover 50% of the defense costs for the 60 days following the insured's refusal, the recommended settlement amount of $5 million, and 50% of the additional $1.5 million over the recommended settlement, or $750,000. The insured will be responsible for the remaining defense costs and half of the settlement amount over the $5 million recommended settlement.

With respect to an arbitration or other regulatory proceeding for a claim that is not covered by the policy, the insurer has the option to provide a defense for the insured; however, it is not required to provide a defense for such a claim.

SECTION V − RELATED CLAIMS, CYBER INCIDENTS, CYBER EXTORTION EVENTS AND INFORMATION SECURITY BREACHES

The policy also addresses discovery: any "cyber incidents", "cyber extortion events", "information security breaches" or "claims" for "wrongful acts" or a series of "interrelated wrongful acts" that arise out of the same facts or circumstances are deemed to be related, and are deemed to have been made or discovered when the very first such claim was made or when the matter was first discovered.

All "cyber incidents", "cyber extortion events", "information security breaches" or "claims" for "wrongful acts" or a series of "interrelated wrongful acts" that arises out of the same facts or circumstances will be deemed to be related, and as such will be deemed to have been made or "discovered" the earlier of either the time the first "claim" for "wrongful acts" or a series of "interrelated wrongful acts" was first made or the time the "cyber incident", "cyber extortion event" or "information security breach" was first "discovered".

Analysis:

This is a comprehensive paragraph with a simple outcome – if the same facts or circumstances are the basis of a loss covered under any of the Insuring Agreements in the policy, then those facts or circumstances are related and will be considered discovered during the first policy period in which a cyber incident, extortion threat, security breach or claim arising from them was discovered. The policy term in effect on the earliest date the facts and circumstances were discovered is the one that will determine coverage.

Example:

XYZ has renewed its annual cyber policy three times, with a current term of 1/1/2021 to 1/1/2022. Its systems were first hacked on 4/1/18, and XYZ discovered on 2/28/21 that not only had the hackers inserted malicious code in 2018 that corrupted financial data, but they had also obtained employee personal information and sold it to third parties from the date of the first hacking until discovery on 2/28/21. Since all of these facts and circumstances are related to the 4/1/2018 hacking, and the hack was not discovered until 2/28/21, 2/28/21 is the loss date and the policy determining coverage is the 1/1/2021 to 1/1/2022 policy term.

SECTION VI − COVERAGE EXTENSION

Coverage shall extend to "claims" for "wrongful acts" of an "employee" made against:

  1. The lawful spouse or domestic partner of such "employee" solely by reason of such spouse or domestic partner's status as a spouse or domestic partner, or such spouse or domestic partner's ownership interest in property which the claimant seeks as recovery for an actual or alleged "wrongful act" of such "employee";
  2. The estate, heirs, legal representatives or assigns of such "employee" if they are deceased, or the legal representatives or assigns of such "employee" if they are legally incompetent, insolvent or bankrupt; or
  3. A trust of such "employee" and any legally approved trustees of such trust.

This extension shall not afford coverage for any actual or alleged "wrongful act" committed by or directly involving the spouse or domestic partner, estate, heirs, legal representatives, trustees or assigns but shall apply only to "claims" arising out of any actual or alleged "wrongful acts" committed by or directly involving an "employee".

Analysis:

This new provision is a broadening of coverage, as it extends coverage to the spouse or domestic partner of an insured based on either status as such or because of their ownership interest in property sought as recovery by a claimant. The coverage also extends to other interested parties of the insured including those involved with handling the insured's estate, trustees or assigns. However, the extension does not provide coverage for any wrongful acts committed by any of those to which coverage is extended.

SECTION VII – EXCLUSIONS

We will not be liable for "loss":

A.  Act Of Nature

Based upon, arising out of or attributable to lightning, earthquake, hail, volcanic action or any other act of nature. However, this exclusion shall not apply to "loss" resulting directly from an "information security breach".

B.  Antitrust

Based upon, arising out of or attributable to any actual or alleged restraint of trade, monopolization, unfair trade, price fixing, violation of the Federal Trade Commission Act, the Sherman Antitrust Act, the Clayton Act, including any amendment thereto or any rule or regulation promulgated under any such statute, or any similar foreign, federal, state or local statute, rule or regulation. However, this exclusion shall not apply to a "claim" alleging unfair or deceptive acts or practices in or affecting commerce under Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)).

C.  Biological, Chemical Or Nuclear Material

Based upon, arising out of or attributable to the dispersal or application of pathogenic or poisonous biological or chemical materials, nuclear reaction, nuclear radiation or radioactive contamination, or any related act or incident, however caused.

D.  Bodily Injury

Based upon, arising out of or attributable to bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.

E.  Breach Of Contract And Assumed Liability

Based upon, arising out of or attributable to an "insured's" assumption of liability by contract or agreement, whether oral or written. However, this exclusion shall not apply to any liability that an "insured" would have incurred in the absence of such contract or agreement.

F.  Employment-related Practices

Based upon, arising out of or attributable to any actions or activities related to an "insured's" practices as an employer including, but not limited to, refusal to employ, termination of employment, coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution. This exclusion applies:

  1. Whether the injury-causing event described above occurs before employment, during employment or after employment of that person;
  2. Whether the insured may be liable as an employer or in any other capacity; and
  3. To any obligation to share damages with or repay someone else who must pay damages because of the injury.

However, this exclusion shall not apply to any "loss" resulting directly from an "information security breach".

G.   Failure Or Interruption Of Services

Based upon, arising out of or attributable to:

  1. The failure of, reduction in or surge of power from an external utility service; or
  2. Any disruption or failure of communication services including, but not limited to, service relating to Internet access or access to any electronic, cellular or satellite network;

not under the operational control of the "insured".

H.   Fraudulent, Criminal, Malicious, Dishonest Or Intentional Acts

Based upon, arising out of or attributable to any deliberately fraudulent, criminal, malicious or dishonest act, error, omission or any willful violation of any statute or regulation by an "insured". This exclusion shall not apply to "defense costs" or terminate our duty to defend such "claim" unless and until there is a final, nonappealable judgment or adjudication against an "insured" that establishes such conduct.

  1. This exclusion shall apply to the "organization" only if:

a.  The conduct was committed or allegedly committed by an "executive"; or

b.  An "executive" knew, or had reason to know, of such conduct by any "employee".

  2. This exclusion shall apply only to an "employee" who:

a.  Personally committed;

b.  Personally participated in;

c.  Personally acquiesced to; or

d.  Remained passive after having personal knowledge of;

any such acts, errors or omissions.

I.   Governmental Proceeding Or Action

Based upon, arising out of or attributable to any action or proceeding brought by, or on behalf of, any governmental authority or regulatory agency including, but not limited to:

  1. The seizure or destruction of property by order of a governmental authority; or
  2. Regulatory actions or proceedings brought by, or on behalf of, the Federal Trade Commission, Federal Communications Commission or other regulatory agency, except when covered under Insuring Agreement B.2. Regulatory Proceeding Liability.

However, this exclusion shall not apply to actions or proceedings brought by a governmental authority or a regulatory agency acting solely in its capacity as a customer of the "organization".

J.   Insured Versus Insured

Based upon, arising out of or attributable to any "claim" brought or alleged by one "insured" against another, except for a "claim" brought or alleged by an "employee" against an "insured" as a result of an "information security breach".

K.   Material Published With Knowledge Of Falsity

Based upon, arising out of or attributable to any oral or written publication of material, if done by an "insured" or at an "insured's" direction with knowledge of its falsity.

L.   Patent Or Trade Secret

Based upon, arising out of or attributable to any actual or alleged patent or trade secret violation, including any actual or alleged violation of the Patent Act, the Economic Espionage Act of 1996 or the Uniform Trade Secrets Act, including any amendments thereto or any rules or regulations promulgated under such statutes, or any similar foreign, federal, state or local statutes, rules or regulations.

M.   Payment Card Industry

Based upon, arising out of or attributable to any "claim" brought by, or on behalf of, any:

  1. "Card company";
  2. Issuing bank or any financial institution that issues credit cards to consumers on behalf of "card companies";
  3. Payment card processor; or
  4. Acquiring bank or any financial institution that maintains the "organization's" bank account;

alleging noncompliance with Payment Card Industry Data Security Standards.

N.   Pollution

Based upon, arising out of or attributable to any of the following:

  1. The actual, alleged or threatened discharge, dispersal, seepage, migration, release or escape of "pollutants" at any time;
  2. Any request, demand, order or statutory or regulatory requirement that any "insured" or others test for, monitor, clean up, remove, contain, treat, detoxify or neutralize, or in any way respond to, or assess the effects of, "pollutants"; or
  3. Any "claim" or "suit" brought by, or on behalf of, any governmental authority for damages because of testing for, monitoring, cleaning up, removing, containing, treating, detoxifying or neutralizing, or in any way responding to, or assessing the effects of, "pollutants".

O.   Prior Knowledge

Based upon, arising out of or attributable to any "cyber incident", "cyber extortion event", "information security breach", "interruption", "wrongful act", "interrelated wrongful acts" that any "insured" became aware of prior to the effective date of this Policy.

P.   Prior Notice

Based upon, arising out of or attributable to the same facts, "cyber incident", "cyber extortion event", "information security breach", "interruption", "wrongful act" or "interrelated wrongful acts" or in any circumstances of which notice has been given, under any insurance policy of which Policy is a renewal or replacement.

Q.   Property Damage

Based upon, arising out of or attributable to physical damage to or destruction of tangible property, including loss of use thereof.

R.   Prior Or Pending Litigation

Based upon, arising out of or attributable to:

  1. Any "claim", administrative or regulatory proceeding or investigation filed or commenced against an "insured" on or prior to the Prior Or Pending Litigation Date shown in the Declarations; or
  2. The same or substantially the same "wrongful act", "interrelated wrongful act", fact or circumstance alleged in or underlying such "claim" or proceeding.

S.   Racketeer Influenced And Corrupt Organizations Act

Based upon, arising out of or attributable to any actual or alleged violation of the Racketeer Influenced and Corrupt Organizations Act (RICO), including any amendments thereto or any rules or regulations promulgated under such statutes, or any similar foreign, federal, state or local statutes, rules or regulations.

T.   Recording And Distribution Of Material In Violation Of Law

Based upon, arising out of or attributable to any actual or alleged violation of the:

  1. Telephone Consumer Protection Act (TCPA);
  2. CAN-SPAM Act of 2003;
  3. Fair Debt Collection Practices Act (FDCPA); or
  4. Fair Credit Reporting Act (FCRA), including the Fair and Accurate Credit Transactions Act (FACTA);

and any amendments of or additions to such law, or any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003, FDCPA or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information. However, this exclusion shall not apply to a "loss" resulting directly from an "information security breach".

U.   Retroactive Date

Based upon, arising out of or attributable to any "wrongful act" or "interrelated wrongful acts" that occurred before the Retroactive Date, if any, shown in the Declarations.

V.   Securities

Based upon, arising out of or attributable to:

  1. The purchase or sale of or offer to purchase or sell any securities or any violation of the Securities Exchange Act of 1934 or the Securities Act of 1933 and any amendments thereto or any other foreign, federal, state or local statute, or any rule or regulation promulgated under such statutes, that regulates the offering, sale or purchase of securities. 
  2. Any "claim" brought by any security holder of the "organization", in their capacity as such, whether directly, by class action, or derivatively on behalf of the "organization".

W.   War

Based upon, arising out of or attributable to:

  1. War, including undeclared or civil war or civil unrest;
  2. Warlike action by military force, including action hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
  3. Insurrection, rebellion, revolution

Analysis:

The following exclusions (identified by their number in the form being replaced) are not in the 11 21 edition of the form, constituting a broadening of coverage: Exclusion numbers 3, 4, 5, 8, 10, 22, and 24.

For your convenience, these are the exclusions not included in the new form:

  • Any unexplained or indeterminable:
    1. Failure, malfunction or slowdown of a computer system; or
    2. Inability to access or manipulate data.
  • Any disruption in normal computer function or network service or function due to insufficient capacity to process transactions or due to an overload of activity on a computer system or network. However, this exclusion shall not apply if such disruption is caused by a cyber incident.
  • Any disruption of:
    1. Internet service; or
    2. Any external telecommunication network;
    regardless of the cause. However, this exclusion shall not apply if such disruption is caused by a denial of service attack under Paragraph b. of Definition 6. Cyber incident.
  • Any failure of, reduction in or surge of power, regardless of the cause.
  • Any malfunction or failure of any satellite.
  • Fines, penalties or assessments imposed pursuant to contract or agreement, whether oral or written, including, but not limited to, Payment Card Industry (PCI) fines, penalties or assessments.
  • Any costs or expenses associated with upgrading, maintaining, repairing, remediating or improving a computer system regardless of the reason.

This Exclusion section has been revised with the addition of headings. Also, the exclusions are placed in alphabetical order to make them easier to find. The exclusions in CY 00 02 11 21 are identical to those listed in CY 00 03 11 21.

The Antitrust exclusion is newly added to exclude claims based upon, arising out of, or attributable to an insured's anticompetitive behavior, actual or alleged. The exclusion does not apply to a claim that alleges unfair or deceptive acts or practices related to commerce under Section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)).

The Bodily Injury exclusion has been separated from the property exclusion, and coverage has been broadened by removing the mental and emotional types of injuries from the definition.

The Breach of Contract and Assumed Liability exclusion no longer applies to violation of payment card service agreement if coverage is provided under the Payment Card Industry Liability coverage.

Employment-related Practices exclusion is enhanced to provide an exception for loss resulting directly from an information security breach.

The Failure or Interruption of Services exclusion precludes coverage for loss in connection with the failure of, reduction in or surge of power from an external utility service, or any disruption or failure of communication services. This includes internet access service or access to electronic, cellular or satellite networks, but the exclusion applies only if such services are not under the operational control of the insured.

The exclusion for Fraudulent, Criminal, Malicious, Dishonest or Intentional Acts has been revised and clarified so that it applies only to deliberate acts and willful violations by an insured, and then only to conduct that has been established by a final judgment or adjudication that cannot be appealed. With respect to the organization, the conduct must have been committed, or allegedly committed, by an executive, or an executive must have known, or had reason to know, of such conduct by an employee. With respect to an employee, the exclusion applies only to an employee who personally committed, participated in, acquiesced to, or remained passive after having personal knowledge of any of the excluded acts, errors or omissions. There is a broadening in that the exclusion no longer provides that the insurer will not indemnify the insured for any claim to which any insured enters a guilty plea or pleads no contest. It is no longer necessary for the exclusion to reference Security Breach Liability or Security Breach Expenses, as these are not in the revised form.

The Independent Contractor exclusion and the Music Licensing and Royalties exclusions are each clarified to only apply to the Media Liability coverage.

A new Payment Card Industry exclusion precludes coverage for claims brought by card companies, issuing banks, payment card processors or acquiring banks alleging noncompliance with PCI data security standards. This exclusion does not apply to Payment Card Industry Liability coverage.

The exclusions for Prior Knowledge and Prior Notice now include the term interruption.

The exclusion Promotional Activities and Contests only applies to the Media Liability Insuring Agreement and the exclusion has been enhanced to also apply to under-redemption of coupons, rebates, discounts, prizes, or awards.

Property Damage is now separated from the bodily injury exclusion but is otherwise unchanged.

The exclusion for Prior Or Pending Litigation precludes coverage for claims, administrative or regulatory proceedings and investigations made against an insured which were pending on, or existed prior to, the applicable Prior Or Pending Litigation Date shown in the Declarations. It also applies to the same or substantially the same wrongful acts, interrelated wrongful acts, fact or circumstance alleged in or underlying such claim or proceeding.

A new exclusion is added for Recording and Distribution of Material in Violation of Law to preclude coverage for violations of The Telephone Consumer Protection Act, The CAN-SPAM Act of 2003, The Fair Debt Collection Practices Act, the Fair Credit Reporting Act and any amendments and any similar laws. The exclusion does not apply to a loss resulting directly from an information security breach.

A new Securities exclusion is added precluding coverage with regard to the purchase or sale of, or offer to purchase or sell, any public offering of securities, or any violation of the Securities Exchange Act of 1934, the Securities Act of 1933 or similar laws that regulate the offering, sale or purchase of securities. The exclusion also applies to claims brought by any security holder of the organization in their capacity as a security holder.

Includes copyrighted material of Insurance Services Office, Inc., with its permission.