SELL SELFISH CYBER By Kevin C. Amrhein, CIC, CBIA In talking with agents through the years about first-party cyber risks I’ve learned two things: 1) many have a general idea of what first-party cyber risks are, and 2) many have little or no idea how first-party cyber insurance works. Many cyber insurance policies address both first- and third-party exposures. In this edition, I focus solely on insurance designed for the former. It is not my intention to understate the value of cyber insurance applicable to thirdparty exposures. In this article, I reference the Commercial Cyber Insurance Policy (CY 00 01) as provided by 4
our friends at ISO. As you may expect, many cyber risk insurers use proprietary forms. Such proprietary forms may vary significantly from the ISO form referenced in this article. The ISO form contains six Insuring Agreements, five of which are geared towards first-party exposures. For each of the five, I’ve included a brief summary/purpose and a potential concern. My goal with this article is to provide general information and give agents who have less confidence with this insurance a few points to discuss with insureds. Please do not consider this as a comprehensive review of cyber risk insurance coverage – it is not intended to be such. NOVEMBER 2021
INSURING AGREEMENT #1 – SECURITY BREACH EXPENSE. Primary purpose: cover cost of diagnosing the breach and costs associated with notifying affected parties. Something to watch out for: this Insuring Agreement does not cover costs or expenses associated with upgrading or repairing computers, software, or network components affected by the breach.
INSURING AGREEMENT #2 – EXTORTION THREATS. Primary purpose: cover costs of hiring a service to determine the
