Form CY DS 02: Commercial Cyber Insurance Policy Declarations

1. What the form is

The Commercial Cyber Insurance Policy Declarations, form CY DS 02, is a crucial component of a Commercial Cyber Insurance Policy. It functions as the "cover page" of the policy, providing a summarized, at-a-glance overview of the specific agreements and terms tailored to the insured. This document officially declares the named insured, the policy period (effective and expiration dates), the specific insuring agreements that have been chosen by the insured, and the corresponding limits of insurance for each. It also details the deductibles applicable to various coverages, lists any endorsements that modify the policy, and includes other essential policy-specific information such as the premium. Essentially, it personalizes the broader policy language found in forms like the CY 00 01 (Commercial Cyber Insurance Policy) to reflect the unique coverage needs and risk profile of the insured business.

2. Classes of business it applies to

The CY DS 02 is applicable to a wide array of commercial entities purchasing cyber insurance. While virtually any business that handles sensitive data or relies on technology can benefit from cyber insurance, certain industries have a particularly high need and are frequent users of such policies. Examples include:

  • Healthcare: Hospitals, clinics, and other healthcare providers handle vast amounts of sensitive patient data (Protected Health Information - PHI), making them prime targets for cyberattacks and subject to strict regulations like HIPAA.
  • Financial Services: Banks, credit unions, investment firms, and insurance companies manage significant financial assets and sensitive customer information (Personally Identifiable Information - PII), making them attractive to cybercriminals.
  • Retail and E-commerce: Businesses that process online payments and store customer data, including credit card information (Payment Card Industry - PCI data), face substantial risks from data breaches.
  • Technology Companies and MSPs: Companies in the tech sector, including Managed Service Providers (MSPs), often have access to their clients' sensitive data and systems, creating a significant liability exposure.
  • Professional Services: Law firms, accounting firms, and consultants handle confidential client information that, if breached, can lead to significant financial and reputational damage.
  • Manufacturing: Modern manufacturing relies heavily on interconnected systems and operational technology (OT), which can be vulnerable to cyberattacks leading to business interruption and supply chain disruptions.
  • Construction: Construction firms exchange sensitive project data and financial information and may have access to client networks, making them targets for cybercrime, including funds transfer fraud.
  • Educational Institutions: Schools and universities store a wealth of personal data on students and staff, making them vulnerable to breaches.

Essentially, any commercial enterprise, regardless of size, that stores or processes sensitive data, relies on computer systems for its operations, or could suffer significant financial or reputational harm from a cyber incident would utilize a policy structure that includes the CY DS 02 declarations page.

3. Special considerations

Several special considerations are important when dealing with the CY DS 02 and the underlying cyber insurance policy:

  • Accuracy of Information: The information provided in the application, which is then reflected in the Declarations, is critical. Misrepresentations, even unintentional, regarding security controls (like multi-factor authentication) or prior incidents can lead to claim denials or policy rescission. Insurers may engage in "post-loss underwriting," scrutinizing application details after a claim is filed.
  • Claims-Made and Reported Basis: Most cyber insurance policies, including those using the CY DS 02, are written on a "claims-made and reported" basis. This means the policy only covers claims first made against the insured AND reported to the insurer during the policy period (or an applicable extended reporting period). Prompt notification of incidents or potential claims is crucial.
  • Retroactive Date: The Declarations will specify a retroactive date. Acts occurring before this date are typically not covered unless specifically endorsed.
  • Sublimits: The Declarations page will clearly outline various insuring agreements and their respective limits. It's important to note that some coverages may have sublimits, which are lower limits than the main policy aggregate. These sublimits are part of, not in addition to, the aggregate limit.
  • Defense Costs within Limits: For many cyber policies, defense expenses are included within, and therefore erode, the limits of insurance. This means that significant legal costs can deplete the available coverage for settlements or judgments.
  • Cybersecurity Controls: Insurers increasingly expect organizations to have robust cybersecurity measures in place as a condition of coverage. The Declarations may reference the application where these controls are detailed. Failure to maintain these controls could jeopardize coverage.
  • Understanding Definitions: Cyber insurance policies contain many specific definitions for terms like "cyber incident," "security breach," "wrongful act," "PII," etc. These definitions are critical in determining coverage and will be referenced in the policy form (e.g., CY 00 01) associated with the CY DS 02.
  • Related Incidents: The policy, as referenced in the Declarations, will likely treat related cyber incidents, extortion threats, security breaches, or claims arising from the same facts or circumstances as a single event, deemed discovered during the earliest policy period in which any part of the related event was discovered.

Real-world example: A retail company completes its cyber insurance application, stating it uses multi-factor authentication (MFA) for all remote access. The CY DS 02 is issued based on this information. Later, the company suffers a data breach due to a compromised remote access account that did not have MFA enabled. The insurer, upon investigation, might deny the claim or seek to void the policy based on the misrepresentation in the application, as the Declarations were issued in reliance on that information.

4. Key information for agents and underwriters

The CY DS 02 is a critical document for both agents and underwriters:

  • Pricing and Risk Assessment: The choices reflected on the Declarations—such as selected insuring agreements, limits, and deductibles—are direct outputs of the underwriting process and significantly impact the premium. Underwriters assess the applicant's risk profile, including industry, size, security posture, and claims history, to determine appropriate terms and pricing. The Declarations will also reflect any specific requirements based on the business's size or the types of operations.
  • Coverage Gaps: Agents should carefully review the Declarations with clients to ensure the selected coverages, limits, and sublimits adequately address the client's specific cyber risks. It's important to identify potential gaps, such as insufficient limits for business interruption or a lack of coverage for social engineering if not specifically selected or endorsed.
  • Underwriting Guidelines: The Declarations page is a reflection of the insurer's underwriting appetite and guidelines. For example, an underwriter might require a higher deductible or offer lower limits for a business in a high-risk industry or one with weaker cybersecurity controls. The information on the application form, which forms the basis for the Declarations, is paramount. Key underwriting data points often include revenue, number of PII/PHI records, security controls (like MFA, encryption, backups, employee training), and incident response plans.
  • Policy Structure: The CY DS 02, in conjunction with the CY 00 01 and any endorsements, forms the complete policy. Agents and underwriters must understand how these forms interact. For instance, the CY 00 01 might offer a bundle of six insuring agreements, and the Declarations will specify which of these (or others if available through different forms/endorsements) are active and their specific terms.
  • Endorsements: The "Endorsements" section of the Declarations is vital. It lists all modifications to the standard policy language. Agents and underwriters need to be aware of how these endorsements alter coverage (e.g., adding or excluding specific risks, amending definitions, or changing conditions).
  • Clarity for Insured: Agents should use the Declarations page to clearly explain to the insured what they have purchased, what is covered (and what isn't), the costs involved (premium and deductibles), and their obligations under the policy, particularly concerning incident reporting.

Real-world example for underwriters: An underwriter reviewing an application for a healthcare provider (a high-risk class) will pay close attention to the number of patient records (PHI) declared, the security measures in place to protect that data (e.g., encryption, access controls, HIPAA compliance efforts), and any prior breach history. This information will directly influence the limits offered for Security Breach Liability, the deductible, and the premium quoted, all of which will be detailed on the CY DS 02. If the applicant cannot demonstrate robust security, the underwriter might decline coverage or offer very limited terms.

Form Information

Summary:
The declarations page for the Commercial Cyber Insurance Policy, specifying the named insured, policy period, insuring agreements chosen, limits, deductibles, and other policy details.

Line of Business:
Cyber Insurance

Type:
Declaration

Form Code:
CY DS 02

Full Form Number:
CY DS 02 05 14

Edition Dates:
05 14
