What the form is

The CY 00 02 11 21, titled COMMERCIAL CYBER INSURANCE POLICY, is a standard form developed by ISO. It provides claims-made and reported liability coverage for businesses facing cyber-related losses. This form was introduced as a significant update and replacement for the previous CY 00 01 Commercial Cyber Insurance Policy and other earlier cyber forms, aiming for greater clarity and more comprehensive coverage in response to the evolving cyber risk landscape. The policy covers the named insured, its subsidiaries, and employees, referring to the insured entity as the "organization". It is structured with four first-party Insuring Agreements and four liability Insuring Agreements, with each agreement having its own specific Limit of Insurance, all subject to a Policy Aggregate Limit.

Classes of business it applies to

This form is designed for a wide array of commercial enterprises that are exposed to cyber risks. Its comprehensive nature makes it suitable for businesses that:

  • Handle sensitive customer or employee data (e.g., personally identifiable information, financial records, health information).
  • Rely heavily on computer systems and networks for their daily operations.
  • Have a significant online presence or engage in e-commerce.
  • Are at risk of data breaches, malware attacks, ransomware, cyber extortion, and business interruption due to network security failures.

Real-world examples include retailers, healthcare organizations (though specific regulatory requirements such as HIPAA may necessitate specialized endorsements or policies), financial service providers (some specific financial institution forms were withdrawn, with their coverages incorporated into newer forms such as CY 00 03, which shares some insuring agreements with CY 00 02), manufacturing companies utilizing industrial control systems, and professional service firms (lawyers, accountants, consultants) that manage confidential client information.

Special considerations

  • Claims-Made and Reported Basis: Coverage is triggered if a claim is first made against the insured and reported to the insurer during the policy period or any applicable extended reporting period. Strict adherence to reporting provisions is crucial.
  • Reporting Requirements: The insured must report any "cyber incident", "cyber extortion event", "information security breach", or "interruption" as soon as practicable, but no later than sixty days after the end of the policy period (or the end of an extended discovery period if applicable).
  • Named Insured Definition: The term "organization" is used and defined to include the named insured and its subsidiaries.
  • Separate Limits: Each Insuring Agreement has its own Limit of Insurance, which is subject to the overall Policy Aggregate Limit of Insurance. Payments under any agreement reduce the aggregate limit.
  • Retention: A retention (deductible) typically applies to most insuring agreements. For Business Income and Extra Expense coverage, this often takes the form of a waiting period, which can be modified by endorsement CY 20 37. The standard ISO loss costs often reflect a $5,000 retention.
  • Defense and Settlement: The insurer typically has the right and duty to defend claims and controls the settlement of covered claims.
  • Form Replacement: This form (CY 00 02 11 21) replaced the CY 00 01 01 18 and other forms in many jurisdictions.

Key information for agents and underwriters

  • Risk Assessment: A thorough evaluation of the applicant's cybersecurity posture is essential. This includes assessing their data security protocols, network security measures, employee training programs on cybersecurity awareness, incident response and business continuity plans, the nature and volume of sensitive data handled, and any history of prior cyber incidents.
  • Pricing and Limits: The ISO basic limit is often $500,000/$1,000,000, which can be increased. Pricing will be influenced by the selected limits for each insuring agreement, the aggregate limit, the chosen retention, the industry, size of the organization, and its specific risk profile.
  • Coverage Customization: While a standard form, the ability to select different limits for various insuring agreements allows for some tailoring of coverage. Agents should discuss the availability and suitability of optional endorsements, such as those for Computer and Funds Transfer Fraud (CY 20 13), Computer Fraud (CY 20 14), or Telephone Toll Fraud (CY 20 15), to address specific client needs.
  • Underwriting Guidelines: Underwriters must stay informed about the dynamic nature of cyber threats and vulnerabilities. The introduction of CY 00 02 11 21 reflects an effort to modernize cyber coverage. Understanding the defined terms, conditions, and exclusions within this newer form is critical for accurate risk selection and pricing. The policy's clear structure around distinct insuring agreements aids in delineating coverage grants.
  • Exclusions: Agents should clearly explain the policy exclusions to clients to manage expectations and identify potential coverage gaps that might need to be addressed through other policies or risk management techniques.

Form Information

Summary:
The CY 00 02 11 21 is an Insurance Services Office (ISO) Commercial Cyber Insurance Policy form that replaced the earlier CY 00 01 edition. This claims-made and reported policy provides coverage for various first-party and liability cyber-related risks through multiple distinct insuring agreements, each with its own limit of insurance.

Line of Business:
Cyber Insurance

Type:
Coverage

States:
AK, AL, AR, AZ, CO, CT, DC, DE, GU, IA, IL, ID, IN, KS, KY, LA, MA, MD, ME, MI, MN, MO, MS, NC, ND, NE, NH, NJ, NM, NV, OH, OK, OR, PA, PR, RI, SC, SD, TN, TX, UT, VA, WI, WV, WY

Form Code:
CY 00 02

Full Form Number:
CY 00 02 11 21

Edition Dates:
11 21