Commercial Cyber Insurance Policy - CY 00 01

The CY 00 01 Commercial Cyber Insurance Policy is a standard insurance form developed by the Insurance Services Office (ISO) designed to provide businesses with coverage for a variety of cyber-related risks. Its primary function is to protect commercial enterprises, particularly small- to mid-sized businesses (SMEs), from financial losses stemming from cyber incidents. This policy is a stand-alone option and is structured as a bundled product with six core insuring agreements. Coverage is typically triggered on a "discovery basis," meaning the policy responds when the insured first becomes aware of an incident, threat, breach, or claim during the policy period or an extended discovery period. The CY 00 01 is a foundational component of ISO's Commercial Cyber Insurance Program and is used in conjunction with a declarations page, such as the CY DS 02 Commercial Cyber Insurance Policy Declarations, to specify the insured, limits, deductibles, and covered insuring agreements.

Classes of Business It Applies To

The CY 00 01 is broadly applicable to a wide range of commercial entities, including for-profit businesses, not-for-profit organizations, and governmental entities, though it is primarily designed for small to mid-sized commercial risks. While there are no strict restrictions on the type of entity that can purchase this coverage, factors like the size of the risk, desired limits, and types of operations will influence its suitability compared to other cyber policies ISO offers for larger or more complex risks. Businesses that handle sensitive customer data, rely heavily on computer systems for their operations, or have a significant online presence are prime candidates for this coverage. Real-world examples include:

  • A local retail store that processes credit card payments and stores customer purchase history could use this policy to cover costs associated with a data breach, including customer notification, credit monitoring, and potential liability.
  • A small accounting firm that manages sensitive financial data for its clients would benefit from coverage for network security liability in case a cyber attack compromises client information.
  • A regional manufacturing company whose production line is halted due to a ransomware attack could find coverage for business interruption and extortion demands under this policy.
  • Healthcare providers handling patient medical records subject to HIPAA regulations could utilize this policy to address security breach liability and regulatory defense costs.

Special Considerations

Several important considerations apply when utilizing the CY 00 01:

  • Discovery Trigger: The policy operates on a discovery basis, meaning the insured must discover the cyber incident, extortion threat, security breach, or claim during the policy period or the extended period to discover loss for coverage to apply. The definition of "discover" or "discovered" is crucial and outlined within the policy.
  • Bundled Insuring Agreements: The CY 00 01 is a bundled product with six insuring agreements. This differs from some other ISO cyber forms that allow for individual selection of up to eight insuring agreements. Understanding which specific insuring agreements are included and active is vital.
  • Relationship to CY DS 02: The CY 00 01 policy form must be used with a declarations page, typically the CY DS 02 Commercial Cyber Insurance Policy Declarations. The declarations page personalizes the policy by detailing the named insured, policy period, limits of insurance, deductibles, and the specific insuring agreements that have been selected and apply to the insured.
  • Exclusions: Like all insurance policies, the CY 00 01 contains exclusions. Common exclusions for pollution, war, and biological/nuclear events are present, but other exclusions specific to cyber risks also apply and require careful review.
  • Evolving Risk Landscape: The cyber threat landscape is constantly changing. While the CY 00 01 provides a foundational level of coverage, businesses may need to consider endorsements or more specialized policies for emerging threats or unique exposures.
  • Superseded by Newer Forms for Some Risks: It's important to note that ISO has introduced newer cyber policy forms (e.g., CY 00 02) that have replaced forms like the CY 00 01 for certain segments or offer different structures and coverages. For instance, the CY 00 02 is designed with a claims-made and reported coverage trigger and may be more suitable for different risk profiles.

Key Information for Agents and Underwriters

Agents and underwriters should focus on the following when working with the CY 00 01:

  • Risk Assessment: Thoroughly assess the applicant's cyber risk profile. This includes understanding the nature of their business, the types and volume of sensitive data they handle, their existing cybersecurity measures, and their reliance on technology. Industries like healthcare, finance, and retail are often considered higher risk due to the data they manage.
  • Pricing: Pricing will be influenced by factors such as the industry, size of the business, revenue, limits of liability selected, chosen deductible, and the strength of the applicant's cybersecurity controls. Organizations in higher-risk sectors may face higher premiums.
  • Coverage Gaps: While the CY 00 01 offers broad cyber coverage, it's crucial to identify potential gaps. For example, it may not cover all forms of social engineering fraud or losses from wire transfer fraud without specific endorsements or supplemental coverage. Traditional business insurance policies often exclude cyber risks, making dedicated cyber coverage essential.
  • Underwriting Guidelines: Adherence to underwriting guidelines is critical. This involves gathering detailed information about the applicant's IT infrastructure, data security protocols, incident response plans, and any prior cyber incidents. Insurers are increasingly scrutinizing the security controls businesses have in place.
  • Insuring Agreements: Clearly explain the six bundled insuring agreements to the insured, ensuring they understand what is covered under each. These typically include security breach liability, extortion threats, business interruption, and data restoration.
  • Declarations (CY DS 02): Ensure the CY DS 02 Declarations accurately reflects the agreed-upon coverages, limits, and deductibles, as this document works in tandem with the CY 00 01 to form the complete policy.
  • Endorsements: Be aware of available endorsements that can modify or enhance the coverage provided by the CY 00 01 to tailor the policy to the specific needs of the insured.
  • Definition of Terms: The policy contains many specific definitions (e.g., "cyber incident," "security breach," "wrongful act") that are critical to understanding the scope of coverage.

Form Information

Summary:
Provides coverage for various cyber risks, including data breaches, network security liability, extortion demands, business interruption due to a cyber event, and regulatory fines or penalties. Specific coverages depend on the insuring agreements selected.

Line of Business:
Cyber Insurance

Type:
Coverage

Form Code:
CY 00 01

Full Form Number:
CY 00 01 05 14

Edition Dates:
05 14