What the Form Is

The Information Security Protection Cyber Policy, form CY 00 03 11 21, is a standard policy form developed by ISO. It is designed to provide comprehensive cyber insurance coverage for commercial entities. This policy offers protection against a variety of cyber-related risks, encompassing both first-party losses sustained by the insured and third-party liability claims arising from cyber incidents. The policy is written on a claims-made and reported basis, meaning claims must be first made against the insured during the policy period (or applicable extended reporting periods) and reported to the insurer promptly, typically within 60 days after the policy period ends.

Classes of Business It Applies To

This form is intended for a wide array of organizations. Specifically, ISO Rule 25 indicates that the CY 00 03 is designed for, but not limited to:

  • Medium to large commercial enterprises (including not-for-profit organizations)
  • Governmental entities
  • Financial institutions, such as:
    • Banks
    • Savings institutions
    • Securities brokers and dealers
    • Insurance companies
    • Finance companies
    • Credit unions
    • Mortgage bankers

This represents an expansion from previous ISO cyber forms, as it now explicitly includes financial institutions, which were previously excluded or covered under separate forms.

Special Considerations

It's important to note several key aspects of the CY 00 03 11 21:

  • Form Consolidation: This form replaces several earlier ISO cyber forms, including CY 00 01, CY 00 10, CY 00 11 (Financial Institutions Information Security Protection Cyber Policy), CY 00 12 (Media And Information Security Protection Cyber Policy), and CY 00 13 (Media And Information Security Protection Cyber Policy). The coverages from these withdrawn forms have been incorporated into the new CY 00 03 to streamline the cyber product offering.
  • Reporting Requirements: The policy contains very specific written reporting requirements for any "cyber incident", "cyber extortion event", "information security breach", or "interruption". These must be reported to the insurer as soon as practicable, but no later than sixty days after the end of the policy period, or if an extended discovery period applies, no later than sixty days after the end of that period.
  • Claims-Made and Reported Basis: The insuring agreements provide claims-made and reported coverage. This means that not only must the claim be first made against the insured during the policy period (or an extended reporting period), but it must also be reported to the insurer within a specified timeframe (typically 60 days after the policy period or extended reporting period ends).
  • Defense Within Limits: The Limit of Insurance and any retention will be reduced by amounts incurred as loss and defense costs.

Key Information for Agents and Underwriters

  • Multiple Insuring Agreements: The form consists of four first-party Insuring Agreements and four liability Insuring Agreements. Each of these Insuring Agreements carries its own separate Limit of Insurance, which will be specified in the Declarations.
  • Duty to Defend: The insurer has the right and duty to select counsel and defend the insured against any claim covered under the liability insuring agreements. This is a change from some prior forms where the insurer had the right but not the duty to defend regulatory proceedings.
  • Settlement Provision: The settlement provision in CY 00 03 11 21 differs from previous forms. Under the current form, there is no provision for payment of defense costs after the insured refuses a settlement amount recommended by the insurer, nor for any loss that exceeds the amount for which the claim could have been settled.
  • Market Usage: While ISO provides standardized forms like the CY 00 03, it is common for many insurers in the cyber market to use their own proprietary forms. Therefore, it's crucial to compare the ISO form with any proprietary alternatives.
  • Risk Assessment: Underwriting for this policy will involve a thorough assessment of the applicant's information security practices, web presence, data handling procedures, and overall cyber risk exposure, particularly given the broad range of eligible entities including financial institutions.

Form Information

Summary:
The Information Security Protection Cyber Policy (CY 00 03 11 21) is an Insurance Services Office (ISO) form that provides commercial cyber insurance coverage. It offers both first-party and liability protection against various cyber risks and is designed for a broad range of entities, including medium to large businesses, non-profits, governmental entities, and financial institutions, replacing several earlier ISO cyber forms.

Line of Business:
Cyber Insurance

Type:
Coverage

States:
AK, AL, AR, AZ, CO, CT, DC, DE, GU, IA, IL, ID, IN, KS, KY, LA, MA, MD, ME, MI, MN, MO, MS, NC, ND, NE, NH, NJ, NM, NV, OH, OK, OR, PA, PR, RI, SC, SD, TN, TX, UT, VA, WI, WV, WY

Form Code:
CY 00 03

Full Form Number:
CY 00 03 11 21

Edition Dates:
11 21