1. Forms
2. CY
3. CY-00-10

What the form is

The CY 00 10 Information Security Protection Cyber Policy is a claims-made and reported coverage form developed by the Insurance Services Office (ISO). Its primary purpose is to provide businesses with insurance coverage against risks associated with information security breaches and other cyber incidents. The policy typically includes various insuring agreements covering both first-party losses to the insured and third-party liability arising from cyber events. Defense costs are generally payable within, and not in addition to, the limit of insurance, meaning they can erode the policy limits.

Classes of business it applies to

The Information Security Protection Cyber Policy was initially designed for a range of commercial risks, including small to midsize businesses that have a cyber exposure. Its successor form, CY 00 03, which incorporated and replaced CY 00 10, is intended for medium to large commercial enterprises, not-for-profit organizations, governmental entities, and financial institutions. Examples of businesses that would utilize such a policy include retailers handling customer data, healthcare providers managing patient records, financial services firms, and any organization reliant on computer systems and data for their operations.

Special considerations

A significant consideration is that the CY 00 10 form, particularly the 01 18 edition, has been withdrawn and replaced by form CY 00 03 11 21 in most states. As of late 2022, the CY 00 10 01 18 was still noted as active in California, Florida, and the Virgin Islands. The replacement was part of a broader ISO initiative to update and streamline its commercial cyber insurance program, making the forms easier to read and enhancing coverages. Policies are written on a claims-made and reported basis, meaning the claim must be first made against the insured and reported to the insurer during the policy period or any applicable extended reporting period.

Key information for agents and underwriters

• Replacement: Agents and underwriters must be aware that CY 00 10 has largely been superseded by CY 00 03. It's crucial to verify which form is applicable in a specific jurisdiction and for a particular policy period.
• Coverage Scope: The policy typically offers a suite of insuring agreements, which can include coverage for cyber incident or information security breach expenses, cyber extortion, data restoration, business income and extra expense, and various liability coverages. Each insuring agreement usually has its own limit of insurance.
• Risk Assessment: Underwriting cyber risks requires a thorough assessment of an applicant's information security practices, data handling procedures, network security measures, and incident response plans. The nature and volume of sensitive data handled by the insured are critical factors.
• Claims-Made Nature: The claims-made and reported trigger is a key aspect. Agents should ensure clients understand the importance of timely claim reporting, as failure to do so can jeopardize coverage. Retroactive dates may also apply, limiting coverage for events that occurred before a specified date.
• Endorsements: Various endorsements (e.g., those in the CY 10 and CY 20 series) may be available to modify the base policy, tailoring coverage to specific needs or exposures.