What the Form Is

The CY 20 07, titled "Exclusion – Regulatory Agency," is an endorsement designed for use with specific ISO Commercial Cyber Insurance Policies. Its primary purpose is to explicitly and completely remove coverage for any losses or defense expenses that arise from actions, investigations, or proceedings initiated by a regulatory agency. This means that if a governmental or regulatory body imposes fines, penalties, or if the insured incurs legal costs in defending against such regulatory actions following a cyber incident or data breach, this endorsement, when attached to the policy, would preclude coverage for those specific costs. It is specifically designated for use with cyber policy form CY 00 11.

Classes of Business It Applies To

This endorsement is intended to be used with the CY 00 11 Financial Institutions Information Security Protection Cyber Policy. Consequently, it is applicable to businesses and organizations within the financial sector that would typically be insured under such a specialized cyber policy. This includes, but is not limited to:

  • Banks and credit unions
  • Insurance companies (for their own cyber risk exposure)
  • Investment firms and asset managers
  • Other financial service providers

Real-world example: If a regional bank, insured under a CY 00 11 policy with the CY 20 07 endorsement, experiences a data breach leading to an investigation and subsequent fine by a state banking regulator, the costs associated with that fine and the legal expenses to respond to the regulator would not be covered by the cyber insurance policy due to this exclusion.

Special Considerations

  • Significant Coverage Reduction: The foremost consideration is that this endorsement creates a substantial gap in what would otherwise be covered under a cyber policy, as regulatory actions (investigations, fines, penalties) can represent a major portion of the financial impact of a cyber event.
  • Specific Policy Form: The CY 20 07 is explicitly linked for use with form CY 00 11.
  • ISO Program Updates: Insurance Services Office (ISO) periodically updates its policy programs. Form CY 00 11 was scheduled to be withdrawn, with its coverages integrated into the newer CY 00 03 Information Security Protection Cyber Policy form. Agents and underwriters should verify whether CY 20 07 is still applicable or whether a corresponding exclusionary endorsement has been introduced for use with newer cyber policy forms.
  • Insured's Awareness: It is crucial that the insured fully understands the implications of this exclusion – namely, that they will bear the full financial responsibility for all costs related to regulatory agency actions.

Real-world example: A financial advisory firm has the CY 20 07 endorsement on their policy. After a ransomware attack, a regulatory body governing financial advisors launches an investigation into their data security practices. The legal fees to respond to the investigation and any potential fines levied would be the firm's own responsibility, not covered by their cyber insurance.

Key Information for Agents and Underwriters

  • Risk Assessment: Financial institutions face a high degree of regulatory scrutiny, especially concerning data protection and cybersecurity. The presence of this exclusion dramatically alters the risk profile for the insured, shifting significant potential costs back to them.
  • Pricing Implications: The addition of this endorsement should typically result in a premium credit for the insured, reflecting the reduced scope of coverage.
  • Clear Communication of Coverage Gaps: Agents must meticulously explain to the insured that costs stemming from regulatory body actions (e.g., investigations by the SEC, OCC, state financial regulators, or data protection authorities such as those enforcing GDPR or CCPA, where applicable to the regulatory action) will be excluded. This is a critical point of disclosure.
  • Underwriting Documentation: Underwriters should ensure that the insured's acknowledgment and acceptance of this significant exclusion are well-documented in the underwriting file. The decision to offer or mandate this endorsement may depend on the insurer’s underwriting strategy for regulatory exposures or specific risk characteristics of the applicant.
  • Alternative Solutions: If this broad exclusion is a major concern for an otherwise desirable risk, explore whether the insurer offers options to buy back limited regulatory coverage, or whether other endorsements provide a less absolute exclusion.
  • Form Version Control: Always use the latest edition of forms and ensure compatibility between endorsements and the base policy form, particularly in light of ongoing updates to ISO's cyber insurance program.

Form Information

Summary:
This endorsement eliminates all coverage for regulatory agency loss or defense expenses when attached to the specified ISO Commercial Cyber Insurance Policy. It is specifically for use with form CY 00 11.

Line of Business:
Cyber Insurance

Type:
Exclusion

States:
CA, FL, VI

Form Code:
CY 20 07

Full Form Number:
CY 20 07 01 18

Edition Dates:
01 18