1. Forms
2. CY
3. CY-20-10

What the form is

The CY 20 10 endorsement, titled "Provide Coverage For Dishonest, Malicious Or Fraudulent Acts Committed By Employees," is an Insurance Services Office (ISO) form used to modify commercial cyber insurance policies. Its primary function is to broaden the scope of coverage to include losses arising from intentional wrongful acts carried out by an insured's own employees. Standard cyber insurance policies may exclude or limit coverage for such internal threats, particularly under certain insuring agreements. This endorsement specifically addresses that potential gap by expanding an exception related to employee acts to cover all insuring agreements within the policy.

Classes of business it applies to

This endorsement is relevant for a wide range of businesses that purchase cyber insurance and are concerned about the risk of cyber incidents caused by internal actors. It is particularly pertinent for organizations where employees have significant access to sensitive data, financial systems, or critical network infrastructure. Real-world examples include:

• Financial Institutions: Banks, credit unions, and investment firms where employees handle financial transactions and sensitive customer account information.
• Healthcare Providers: Hospitals, clinics, and other healthcare organizations where employees have access to patient health information (PHI) and billing systems.
• Retail Businesses: Companies that process large volumes of customer payment card information and personal data, where a disgruntled employee could misuse this information.
• Technology Companies: Firms that develop software or manage IT services, where employees might have high-level administrative access to systems and intellectual property.
• Any business with a significant number of employees who have access to computer systems and valuable digital assets.

Special considerations

It's crucial to understand that many standard cyber insurance policies contain exclusions or limitations related to fraudulent, dishonest, or criminal acts committed by employees. The CY 20 10 endorsement is designed to buy back some of this coverage. Key considerations include:

• Scope of Coverage: While this endorsement expands coverage, it's important to review the specific wording to understand any remaining limitations or conditions.
• Interaction with other policies: Businesses might also have crime insurance or fidelity bonds that cover employee dishonesty. It's important to understand how this cyber endorsement interacts with those policies to avoid coverage gaps or overlaps.
• Internal Controls: The availability and terms of this endorsement may be influenced by the insured's internal controls, employee screening practices, and overall risk management posture regarding insider threats.

For example, if a company's cyber policy initially only covered employee dishonesty under the computer fraud insuring agreement, this endorsement would extend that consideration to other areas like data breach liability or network interruption if an employee's malicious act was the cause.

Key information for agents and underwriters

For Agents:

• Proactively discuss the risk of insider threats with clients and explain how this endorsement can address potential coverage gaps in a standard cyber policy.
• Identify clients with significant employee access to sensitive systems or data as prime candidates for this coverage.
• Explain that while this endorsement provides valuable protection, it doesn't replace the need for robust internal security measures and employee monitoring.

For Underwriters:

• When this endorsement is requested, carefully assess the applicant's internal controls, pre-employment screening processes, and any history of employee-related incidents.
• The presence of strong internal controls may make an account more favorable for this endorsement.
• Consider the industry and the nature of the data and systems employees can access when evaluating the risk.
• Pricing for this endorsement should reflect the increased exposure to losses from intentional employee acts.
• Be aware that this endorsement modifies standard exclusions; therefore, a thorough understanding of the base policy language is essential.