Policy Guides


The following major coverages are generally offered by admitted and nonadmitted insurers providing Cyber Liability and Information Security Policies in the marketplace. We reviewed policy forms used by seven different insurers as well as the ISO Information Security Protection Policy. 

In most cases, the major coverages and variations described below are available in a "cafeteria" of options – either in the basic form or by endorsement – and triggered by the insured's selection of the coverage for a separate premium charge. 

The Coverage Comparison Chart denotes the coverages available on the ISO Information Security Protection Policy and then summarizes other coverage options that may be available on policy forms offered by insurers. You can compare various forms by checking the boxes when the same or similar coverages are available. 

Liability for Disclosure of Private Information

Covers the insured's legal liability for failure to secure third-party information while in the insured's care, custody or control. Such failure can result in unauthorized acquisition and/or disclosure of the information, caused either by a person who is not authorized to disclose it or by a programming error. Liability can arise in private causes of action brought by the affected parties, as well as from expenses related to an investigation, demand or proceeding brought by a governmental agency, including any resulting fines and penalties.

Variations to watch for:
  • Some policies do not cover liability for disclosure of personal information caused by a programming error.
  • Some policies include liability coverage for disclosure of "third party corporate information," as well as personal information on individuals, while others cover only personal information.
  • Most policies cover liability arising out of a security breach involving an employee's private information, but some policies cover this exposure as a separate insuring agreement available for an additional premium.
  • Some policies cover disclosure of private information contained in non-electronic format, such as paper files, as well as information contained in or transmitted by electronic format, while others are limited to records contained in electronic format.
  • Some policies cover the costs incurred to respond to a regulatory proceeding that results from an actual or alleged disclosure of private information (such as actions brought by the Federal Trade Commission, Federal Communications Commission or other federal, state or local governmental entity), while others do not.
  • Some policies cover fines and penalties assessed by governmental entities as a result of disclosure of private information, while others do not.
  • Some policies include liability coverage for failure to comply with the insured's written privacy policies for security of personal information, while others do not.
  • Some policies cover fines and penalties owed by the insured under the terms of a Merchant Services Agreement (MSA) with a payment card company.

Liability for Transmitting Virus to Third Party

Covers the insured's legal liability for transmitting a virus, malicious code or denial-of-service attack to another's computer system.

Security Breach Response Expenses

Covers expenses incurred by the insured following a breach of security that results in (1) unauthorized disclosure of personal information, or (2) transmitting a virus, including costs to investigate the cause of the breach, notify parties affected by the breach, handle inquiries from parties affected by the breach, provide post-event credit monitoring services, and determine how to correct conditions that led to the breach. 

Variations to watch for:
  • The list of covered expenses and services differs from one policy to another.

Public Relations Expense

Covers expenses incurred by the insured to hire a public relations firm and other reasonable expenses to protect or restore its reputation in response to negative publicity resulting from an incident covered by the policy.  

Variations to watch for:
  • Some policies cover expenses resulting from any claim covered by the policy, while others apply only to certain claims covered by the policy.
  • Since some policies cover more types of incidents, this coverage in those policies applies to some incidents that are not covered by other policies.
  • Some policies cover expenses incurred when negative publicity is imminent, while others cover expenses only after negative publicity has occurred.

Media Liability

Covers the insured's legal liability for specified injuries or financial harm arising out of material displayed on the insured's web site, such as defamation (including libel or slander), disparagement, infringement of another's copyright, trademark, trade dress, or service mark, or violation of a person’s right of privacy.


Variations to watch for:

  • Not all policies cover all the causes of action listed above and some policies cover more causes of action.
  • Some policies cover claims alleging damages caused by third-party reliance on the textual content displayed in the insured's web site. (Example: an insurance agent's web site contains technical information on policy coverages and recommendations for handling risk exposures.)
  • Some policies cover material published in any form (not just the web site), including printed advertising and other types of publications.

Other Coverages Offered on Some Policies under Main Form or by Endorsement

Replacement or Restoration of Electronic Data: Covers the costs incurred by the insured to replace or restore electronic data or computer programs that are damaged or destroyed as a direct result of a computer virus, malicious code or denial of service attack introduced or enacted upon the insured's computer system.

Extortion Threats: Covers extortion expenses and ransom payments incurred (and rewards paid, in some policies) as a direct result of a threat to introduce a virus, malicious code or denial of service attack, disseminate or divulge the insured's proprietary information, inflict ransomware or publish a client's personal information.

Business Income and Extra Expense: Covers loss of business income and/or extra expense incurred by the insured as a direct result of a virus or denial-of-service attack or an extortion threat.

Cyber Terrorism: Covers loss of business income and/or extra expense incurred by the insured as a result of interruption, degradation in service or failure of the insured's computer system directly caused by an act of terrorism.