Cyber Insurance Glossary of Terms | Jensten Insurance Brokers

Cyber Insurance
Glossary of Terms

Understanding the terminology in your cyber insurance policy is essential for making informed decisions about your cover. This glossary explains key terms you'll encounter when we arrange cyber liability insurance for your business.

Why This Glossary Matters

Cyber insurance policies contain specific terminology that defines exactly what is and isn’t covered. Having a clear understanding of these terms helps ensure you have appropriate protection for your business’s digital risks. Our specialist Tech, Media and Cyber (TMC) team uses this terminology when arranging cover with our panel of insurers, and we’re here to help clarify any questions you may have.

Key Terms by Category

Cover and Limits

Aggregate Limit

The amount stated in your policy schedule as the maximum aggregate amount of any Loss and other covered amounts payable by the Company under each Cover Item and each Cover Item Extension in respect of the Period of Insurance, irrespective of the number of Single Claims, Single Cyber Losses, the number of Sub-Limits (as stated in the Schedule), the number of Per Claim Limits, the number of claimants, number of Insureds making a claim, number of Cover Items and/or Cover Item Extensions claimed under and/or anything whatsoever, including any combination of those things.

Continuity Date

The inception date or, if you have uninterrupted insurance of the same type, the date this insurance was first incepted.

Damages

Includes:

  • Compensatory damages, any award of prejudgment or post-judgment interest and settlements which the Insured becomes legally obligated to pay as a result of a Claim
  • Punitive damages and exemplary damages, but only to the extent such damages are insurable under the laws of the applicable jurisdiction that most favours cover for such damages
  • Payment Card Loss, Consumer Redress Fund and/or Regulatory Fines

Damages does not include:

  • Any amount for which the Insured is not legally obligated to pay
  • Matters uninsurable under the laws pursuant to which this Policy is construed
  • The cost to comply with any injunctive or other non-monetary or declaratory relief, including specific performance, or any agreement to provide such relief
  • The Insured’s loss of fees or profits, return of fees, commissions
  • Royalties, or re-performance of services by the Insured or under the Insured’s supervision
  • Disgorgement of any profit, remuneration or financial advantage to which the Insured is not legally entitled
  • Any amounts other than those which compensate solely for a loss caused by an Act, unless specifically provided for in your Policy
  • Any other consequential loss or damage

All Damages are subject to the applicable Sub-Limit, Per Claim Limit or Aggregate Limit listed on your policy schedule.

Cyber Threats and Events

Botnetting

The unauthorised use of your computer systems by a third party for the purpose of launching a denial of service attack or hacking attack against another third party.

Cryptojacking

The unauthorised use of your computer systems by a third party for the sole purpose of cryptocurrency mining activities.

Cyber Event

Any actual or suspected unauthorised system access, electronic attack or privacy breach, including an attack that utilises artificial intelligence (AI), denial of service attack, cyber terrorism, hacking attack, Trojan horse, phishing attack, man-in-the-middle attack, application-layer attack, compromised key attack, malware infection (including spyware or ransomware), computer virus or actions of a rogue employee.

Cyber Extortion Event

Any credible threat or connected series of credible threats made against the Insured expressing intent to perform or cause, or the actual performance of or causing of, the following:

  • The release, divulgence, dissemination, destruction or use of confidential, sensitive or proprietary information, or personally identifiable information, stored on a Covered Computer System or a Shared Computer System
  • A failure of Network Security on a Covered Computer System or a Shared Computer System
  • The introduction or infliction of a Computer Malicious Act on a Covered Computer System or a Shared Computer System
  • The alteration, corruption, destruction, misappropriation, manipulation of, or damage to, Data, instructions or any electronic information transmitted or stored on a Covered Computer System or a Shared Computer System
  • The restriction or inhibition of access to a Covered Computer System or a Shared Computer System

This is for the purpose of demanding Money or cryptocurrency(ies) from the Insured or otherwise to meet a demand, in exchange for the mitigation or removal of such threat or connected series of threats, or the reversal or termination of the actual performance of such threats or series of connected threats.

Cyber Extortion Event does not include any threats or connected series of threats made against the Insured expressing intent to perform or cause any of the above if made, approved or directed by a member of the Control Group.

Cyber War

Any unauthorised access to or electronic attack on computer systems, carried out by or on behalf of a state, that directly results in another state becoming an impacted state.

Data Breach Event

The theft, loss or unlawful or unauthorised disclosure of personal data.

Malware

Any software, programs, files, content or instructions of a malicious nature including malicious code, ransomware, cryptoware, viruses, trojans, worms, zero day attacks, logic or time bombs which may disrupt, harm, destroy, impede access to or in any way corrupt the functioning or operation of or Data within any software or Computer System.

Neglected Software Exploit

The exploitation of a vulnerability in software, firmware or hardware, where, as of the first known date of exploitation:

  • Such software, hardware or firmware has been withdrawn, is no longer available, is no longer supported by, or has reached end-of-life or end-of-support status with the vendor that developed it; or
  • Such vulnerability has been listed as a Common Vulnerability and Exposure (a “CVE”) in the National Vulnerability Database, operated by the National Institute of Standards and Technology, and a patch, fix, or mitigation technique for such vulnerability has been available to the Insured, but has not been applied by such Insured

For the applicable number of days shown as ranges depending on your policy schedule.

Ransomware

Any extortive demand of Money or cryptocurrency(ies) from the Insured in connection with a:

  • Cyber Incident and/or Business Interruption Incident and/or Cyber Extortion Event and/or Privacy and Network Security Liability that involves malicious software which is designed to block access to a Computer System or Data, or alter, corrupt, damage, manipulate, misappropriate, encrypt, delete, or destroy Data; and/or
  • Credible threat, or series of credible connected threats, to release, divulge, disseminate, or use such data that has been exfiltrated as part of an event described above

Systems and Technology

Computer Systems

All electronic computers used directly by you, including operating systems, software, hardware and all communication and open system networks and any data or websites wheresoever hosted, off-line media libraries and data back-ups and mobile devices including but not limited to smartphones, iPhones, tablets or personal digital assistants. Computer Systems also means supervisory control and data acquisition (SCADA) systems, industrial control systems and other similar operational technology.

Core Infrastructure Failure

Means any:

  • Failure, material degradation or termination of any core element of the internet, telecommunications or GPS infrastructure that results in a regional, countrywide or global outage of the internet or telecommunications network, including a failure of the core DNS root servers, satellite network or the IP addressing system or an individual state or non-state actor disabling all or part of the internet
  • Failure in the power supply, including where the failure is caused by any surge or spike in voltage, electrical current or transferred energy
  • Failure, disruption or reduction in the supply of utilities, including telecommunications, gas and water infrastructure or services

Operator Error

Any unintentional human error in entering or amending electronic data within your computer systems or in the upgrade, maintenance or configuration of those computer systems, where the proximate cause is not physical damage to any tangible equipment or property. “Operator error” does not mean any error in the design or architecture of any computer systems.

System Failure

Any sudden, unexpected and continuous downtime of your computer systems which renders them incapable of supporting their normal business function and is caused by an application bug, an internal network failure or hardware failure.

However, system failure can also mean any sudden, unexpected and continuous downtime of computer systems used directly by a supply chain partner which renders them incapable of supporting their normal business function and is caused by an application bug, an internal network failure or hardware failure.

“System failure” does not mean a cyber event.

Technology Services

The supply by you of technology services to your client, including but not limited to hardware, software, data processing, internet services, data and application hosting, computer systems analysis, consulting, training, programming, installation, integration, support and network management.

Data and Privacy

Data

Any corporate or personal information in any format, including records, reports, designs, plans, formulas, processes, trade secrets, patents, financial information, medical or healthcare information, contact information, account numbers, account histories, passwords or credit or debit card details, whether or not in electronic form, and whether or not belonging to the Insured.

Payment Card Breach

An actual or suspected unauthorised disclosure of payment card data stored or processed by you arising out of an electronic attack, accidental disclosure or the deliberate actions of a rogue employee. This does not mean a situation where payment card data is deliberately shared with or sold to a third party with the knowledge and consent of a senior executive officer.

Personal Data

Means:

  • An individual’s name, national identity number or national insurance number, medical or healthcare data, other protected health information, driver’s licence number, state identification number, credit card number, address, telephone number, email address, account number or passwords; or
  • Any other non-public personal information as defined in the Privacy Regulations

In any format if such information creates the potential for an individual to be uniquely identified or contacted.

Privacy Breach

An actual or suspected unauthorised disclosure of information (including information in electronic, paper or audio format) arising out of an electronic attack, accidental disclosure, theft or the deliberate actions of a rogue employee or third party. “Privacy breach” does not mean a situation where information is deliberately shared with or sold to a third party with the knowledge and consent of a senior executive officer.

Privacy Regulations

Laws and regulations applying anywhere within Great Britain, Northern Ireland, the Isle of Man or the Channel Islands associated with the care, custody, control or use of Personal Data.

Financial Terms

Betterment

Putting you in a better financial position as a result or you benefitting from upgraded versions of your computer systems.

Chargebacks

Any charges by any credit card company or bank, wholly or partially, reversing or preventing a payment transaction.

Consumer Redress Fund

A sum of money that the Insured is legally obligated to deposit in a fund as equitable relief for the payment of any Claim by consumers against the Insured as a consequence of a Privacy and Network Security Liability due to an adverse judgment or settlement of a Regulatory Proceeding.

Consumer Redress Fund does not include any sums paid which constitute taxes, fines, penalties, injunctions or sanctions.

Costs and Expenses

Means:

  • Third party legal and professional expenses (including disbursements) reasonably incurred in the defence of claims or circumstances which could reasonably be expected to give rise to a claim or in quashing or challenging the scope of any injunction, subpoena or witness summons
  • Any post judgment interest
  • The cost of appeal, attachment and similar bonds including bail and penal bonds

Subject to all costs and expenses being incurred with the insurers prior written agreement.

Income Loss

Your income that, had the cyber event, system failure or operator error which gave rise to the claim not occurred, would have been generated directly from your business operations (less sales tax) during the indemnity period or reputational harm period, less:

  • Actual income (less sales tax) generated directly from your business operations during the indemnity period or reputational harm period; and
  • Any cost savings achieved as a direct result of the reduction in income

Increased Cost of Working

Your reasonable sums necessarily incurred in addition to your normal operating expenses to mitigate an interruption to and continue your business operations, provided that the costs are less than your expected income loss sustained had these measures not been taken.

Loss

Any direct financial loss sustained by the company.

Time Periods

Indemnity Period

The period starting from the first occurrence of:

  • The computer systems downtime; or
  • The downtime of computer systems used directly by a supply chain partner

And lasting up to the period stated as the indemnity period in the Schedule.

Period of Indemnity

The period during which the Insured incurs Business Interruption Loss or Data and System Recovery Costs, beginning with when the Business Interruption Incident occurs.

Reputational Harm Period

The period starting from when the cyber event is first discovered and lasting for the period stated as the reputational harm period in your policy schedule.

Other Key Terms

Dishonest Act

Any actual or alleged criminal, dishonest, fraudulent or malicious conduct committed by any person or organisation.

Dishonest Act does not include damages, loss, cost or expense incurred as a consequence of acts carried out with the consent or prior knowledge of any senior manager, director or partner, or spouse of any officer, director or partner of the Insured.

Impacted State

Any state that suffers a major detrimental impact on its:

  • Ability to function; or
  • Defence and security capabilities

As a direct result of any unauthorised access to or electronic attack on computer systems, carried out by or on behalf of another state.

Independent Expert

A suitably qualified lawyer or accountant with a minimum of 5 years’ experience in the subject matter of the claim.

Media Content

Any content created or disseminated by you or on your behalf, including but not limited to content disseminated through books, magazines, brochures, social media, billboards, websites, mobile applications, television and radio. This does not include any:

  • Tangible product design
  • Industrial design
  • Architectural or building services
  • Any advertisement created by you for a third party
  • Business, company, product or trading name
  • Product packaging or labelling
  • Software products

Regulatory Investigation

A formal hearing, official investigation, examination, inquiry, legal action or any other similar proceeding initiated by a governmental, regulatory, law enforcement, professional or statutory body against you.

Senior Executive Officer

Board members, C-level executives, in-house lawyers and risk managers of the company.

Supply Chain Partner

Any:

  • Third party that provides you with hosted computing services including infrastructure, platform, file storage and application level services; or
  • Third party listed as a supply chain partner in an endorsement attaching to this policy which we have issued

Third Party

Any person who is not an employee or any legal entity that is not the company.

War

Any physical:

  • War, invasion, acts of foreign enemies, hostilities or warlike operations (whether war is declared or not), civil war, rebellion, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military or usurped power; or
  • Action taken in controlling, preventing, suppressing or in any way relating to the above

Need Further Clarification?

Understanding cyber insurance terminology is crucial for ensuring your business has appropriate protection. Our cyber insurance experts are here to help explain these terms in the context of your specific business needs and the cover we can arrange for you.

If you have questions about any of these terms or would like to discuss how cyber insurance could protect your business, please contact us. 

Questions?

Ready to protect your scale-up with insurance that matches your ambition? Contact us today to start a conversation. Let’s build an insurance roadmap that powers your growth and reflects your values.
