Connecticut Cyber Insurance Exam

By InsureTutor Exam Team

Here are 14 in-depth Q&A study notes to help you prepare for the exam.

Explain the “failure to patch” exclusion commonly found in cyber insurance policies, detailing the insured’s responsibilities regarding software updates and the potential legal ramifications under Connecticut data breach notification laws (Connecticut General Statutes § 36a-701b) if a breach occurs due to an unpatched vulnerability.

The “failure to patch” exclusion in cyber insurance policies typically denies coverage for losses resulting from a cyber incident that could have been prevented by applying a readily available software patch or update. Insureds have a responsibility to maintain reasonable security measures, including promptly installing security patches released by software vendors. Failure to do so can invalidate coverage if a breach occurs due to the unpatched vulnerability. Connecticut General Statutes § 36a-701b mandates that businesses notify affected individuals and the Connecticut Attorney General’s office in the event of a data breach. If a breach occurs due to a failure to patch, the insured may face increased scrutiny regarding their security practices and potential legal action from affected parties, in addition to the denial of insurance coverage. The Connecticut Insurance Department may also investigate the circumstances surrounding the breach to determine if the insured acted responsibly in protecting sensitive data.

Discuss the implications of the “war exclusion” in a cyber insurance policy, particularly in the context of state-sponsored cyberattacks. How might an insurer determine if a cyberattack constitutes an act of war, and what legal precedents or international laws might be considered in making such a determination?

The “war exclusion” in cyber insurance policies typically excludes coverage for losses arising from acts of war, including cyber warfare. Determining whether a cyberattack constitutes an act of war can be complex. Insurers may consider factors such as the attribution of the attack to a nation-state, the scale and severity of the attack, the intent behind the attack, and whether the attack is part of a broader military conflict. Legal precedents and international laws, such as the Tallinn Manual on the International Law Applicable to Cyber Warfare, may be considered in making such a determination. However, the application of these laws to cyber warfare is still evolving, and there is no universally accepted definition of cyber warfare. The burden of proof typically falls on the insurer to demonstrate that the war exclusion applies. The Connecticut Insurance Department would likely review such a determination to ensure it is consistent with the policy language and applicable law.

Explain the concept of “betterment” in the context of cyber insurance claims related to data restoration and system upgrades following a cyberattack. How do insurers typically handle situations where restoring a system to its pre-attack state is impossible or impractical, and what are the potential limitations on coverage for upgrades that enhance security beyond the original system capabilities?

“Betterment” refers to improvements made to a system during restoration that increase its value or functionality beyond its pre-loss condition. Cyber insurance policies often exclude coverage for betterment, meaning the insurer will only pay to restore the system to its original state. If restoring a system to its pre-attack state is impossible or impractical, insurers may negotiate a settlement based on the cost of a reasonable alternative. Coverage for upgrades that enhance security beyond the original system capabilities may be limited or excluded, as this could be considered betterment. However, some policies may offer limited coverage for security enhancements that are necessary to prevent future attacks. The specific terms and conditions of the policy will determine the extent of coverage for betterment. Connecticut law generally requires insurance policies to be interpreted according to their plain meaning, so the policy language regarding betterment will be crucial in determining coverage.

Describe the role of “incident response” in mitigating the impact of a cyberattack and how cyber insurance policies typically address the costs associated with incident response services. What are the key components of an effective incident response plan, and how can businesses ensure that their plan aligns with the requirements of their cyber insurance policy?

Incident response is a structured approach to managing and mitigating the impact of a cyberattack. Cyber insurance policies often cover the costs associated with incident response services, such as forensic investigation, legal consultation, public relations, and data breach notification. Key components of an effective incident response plan include identification of potential threats, containment of the incident, eradication of the threat, recovery of systems and data, and post-incident analysis. Businesses should ensure that their incident response plan aligns with the requirements of their cyber insurance policy by reviewing the policy language carefully and consulting with their insurance broker or legal counsel. The plan should also comply with relevant laws and regulations, such as Connecticut’s data breach notification law (Connecticut General Statutes § 36a-701b). Failure to have an adequate incident response plan may result in denial of coverage or increased premiums.

Explain the concept of “social engineering” in the context of cyber insurance and discuss how policies typically address losses resulting from fraudulent transfers initiated by employees who have been tricked into divulging sensitive information or performing unauthorized actions. What steps can businesses take to mitigate the risk of social engineering attacks and ensure that their cyber insurance policy provides adequate coverage for such incidents?

Social engineering is a type of cyberattack that relies on manipulating human behavior to gain access to sensitive information or systems. Cyber insurance policies may cover losses resulting from fraudulent transfers initiated by employees who have been tricked into divulging sensitive information or performing unauthorized actions due to social engineering. However, coverage may be subject to certain limitations or exclusions, such as those related to employee dishonesty or failure to follow established security protocols. Businesses can mitigate the risk of social engineering attacks by implementing security awareness training for employees, establishing strong authentication procedures, and implementing internal controls to prevent unauthorized transfers. They should also review their cyber insurance policy carefully to ensure that it provides adequate coverage for social engineering incidents and that they understand the policy’s requirements for reporting and investigating such incidents. The Connecticut Insurance Department may require insurers to provide clear and unambiguous policy language regarding social engineering coverage.

Discuss the “prior acts” exclusion in cyber insurance policies and its potential impact on coverage for incidents that are discovered during the policy period but are related to vulnerabilities or security flaws that existed prior to the policy’s effective date. How can businesses mitigate the risk of having claims denied due to the prior acts exclusion, and what due diligence should they perform before purchasing a cyber insurance policy to ensure that they are adequately protected?

The “prior acts” exclusion in cyber insurance policies typically excludes coverage for incidents that are related to vulnerabilities or security flaws that existed prior to the policy’s effective date, even if the incident is discovered during the policy period. This exclusion can significantly impact coverage for businesses that have pre-existing security weaknesses. To mitigate the risk of having claims denied due to the prior acts exclusion, businesses should conduct a thorough security assessment before purchasing a cyber insurance policy to identify and remediate any known vulnerabilities. They should also disclose any known security incidents or vulnerabilities to the insurer during the application process. Additionally, businesses should carefully review the policy language to understand the scope of the prior acts exclusion and negotiate with the insurer to obtain coverage for pre-existing conditions, if possible. The Connecticut Insurance Department may require insurers to clearly disclose the terms and conditions of the prior acts exclusion to policyholders.

Explain the concept of “regulatory defense and penalties” coverage in cyber insurance policies and discuss the types of regulatory investigations and penalties that are typically covered. What are the potential limitations on coverage for regulatory penalties, and how can businesses ensure that their cyber insurance policy provides adequate protection against regulatory risks associated with data breaches and other cyber incidents, considering Connecticut’s data privacy laws?

“Regulatory defense and penalties” coverage in cyber insurance policies typically covers the costs associated with defending against regulatory investigations and paying penalties imposed by government agencies as a result of a data breach or other cyber incident. Covered regulatory investigations may include those conducted by the Connecticut Attorney General’s office, the Department of Consumer Protection, or other state or federal agencies. Potential limitations on coverage for regulatory penalties may include exclusions for penalties that are deemed uninsurable under applicable law, penalties that are based on intentional or willful misconduct, or penalties that exceed a specified policy limit. To ensure adequate protection against regulatory risks, businesses should carefully review the policy language to understand the scope of coverage for regulatory defense and penalties and consult with their insurance broker or legal counsel. They should also ensure that their data privacy practices comply with applicable laws and regulations, such as the Connecticut Identity Theft Protection Act (Connecticut General Statutes § 36a-701b et seq.).

How does the Connecticut Insurance Department (CID) define a “cybersecurity event” that triggers mandatory reporting requirements for insurers, and what specific elements must be included in the notification to the Commissioner, referencing relevant sections of Connecticut General Statutes?

The Connecticut Insurance Department (CID) defines a “cybersecurity event” broadly, encompassing any event that results in unauthorized access to, disruption of, or misuse of an information system or the information stored on it. This definition is crucial because it triggers mandatory reporting requirements for insurers operating in Connecticut. According to Connecticut General Statutes, specifically Section 38a-816dd, insurers are obligated to notify the Insurance Commissioner of a cybersecurity event if it meets certain criteria. The notification must be made as promptly as possible, but no later than three business days from a determination that a cybersecurity event has occurred. The notification to the Commissioner must include several key elements: (1) a detailed description of the cybersecurity event, including the nature and scope of the event; (2) the type of information that was subject to the unauthorized access or disruption; (3) the insurer’s assessment of the potential harm to consumers or the insurer’s operations; (4) the steps the insurer has taken or plans to take to contain and remediate the event; and (5) any other information the Commissioner may require. Failure to comply with these reporting requirements can result in penalties and regulatory action by the CID. The statutes emphasize the importance of timely and accurate reporting to ensure the protection of consumer data and the stability of the insurance market.

Explain the “due diligence” requirements outlined in the Connecticut Insurance Data Security Law (Connecticut General Statutes § 38a-816aa et seq.) that an insurer must undertake when selecting and overseeing third-party service providers who handle nonpublic information, and what contractual provisions are mandated to ensure compliance?

The Connecticut Insurance Data Security Law (Connecticut General Statutes § 38a-816aa et seq.) places significant emphasis on “due diligence” when insurers engage third-party service providers who handle nonpublic information. This reflects the understanding that insurers remain responsible for protecting sensitive data even when it is entrusted to external entities. The “due diligence” requirements mandate that insurers conduct a thorough assessment of the service provider’s cybersecurity practices and capabilities before entering into a contract. This assessment should include evaluating the provider’s security policies, procedures, and controls, as well as its history of data breaches or security incidents. Insurers must also consider the provider’s compliance with relevant industry standards and regulations. Furthermore, the law requires that contracts with third-party service providers include specific provisions to ensure ongoing compliance with data security requirements. These provisions must address: (1) the provider’s obligation to implement and maintain appropriate security measures to protect nonpublic information; (2) the provider’s responsibility to notify the insurer promptly of any cybersecurity event affecting the insurer’s data; (3) the provider’s agreement to cooperate with the insurer in investigating and remediating any such event; and (4) the insurer’s right to audit the provider’s security practices to verify compliance. Failure to exercise adequate due diligence and include these contractual provisions can expose insurers to significant legal and financial risks.

Describe the specific requirements for the “incident response plan” that Connecticut-domiciled insurers are mandated to establish and maintain under the Connecticut Insurance Data Security Law, including the frequency of testing and the key stakeholders who must be involved in its development and execution.

The Connecticut Insurance Data Security Law mandates that all Connecticut-domiciled insurers establish and maintain a comprehensive “incident response plan” designed to promptly and effectively address cybersecurity events. This plan is a critical component of an insurer’s overall cybersecurity program. The incident response plan must include specific procedures for: (1) detecting and assessing cybersecurity events; (2) containing and eradicating the event; (3) recovering from the event and restoring normal operations; (4) notifying affected parties, including consumers, regulators, and law enforcement; and (5) documenting the event and the response actions taken. The law also requires that insurers test their incident response plan regularly to ensure its effectiveness. While the specific frequency of testing is not explicitly defined, insurers are expected to conduct testing at least annually, and more frequently if significant changes occur in their IT environment or threat landscape. Testing methods may include tabletop exercises, simulations, and penetration testing. Key stakeholders who must be involved in the development and execution of the incident response plan include: (1) senior management, who are responsible for providing overall direction and support; (2) the chief information security officer (CISO) or equivalent, who is responsible for overseeing the plan’s implementation; (3) IT staff, who are responsible for detecting and responding to cybersecurity events; (4) legal counsel, who are responsible for advising on legal and regulatory requirements; and (5) public relations staff, who are responsible for managing communications with the public and the media.

What are the potential penalties and enforcement actions that the Connecticut Insurance Department (CID) can impose on insurers found to be in violation of the Connecticut Insurance Data Security Law, and how does the CID assess the severity of a violation when determining the appropriate penalty?

The Connecticut Insurance Department (CID) has broad authority to impose penalties and enforcement actions on insurers found to be in violation of the Connecticut Insurance Data Security Law. These penalties are designed to deter non-compliance and ensure the protection of consumer data. Potential penalties and enforcement actions include: (1) monetary fines, which can be substantial depending on the severity and scope of the violation; (2) cease and desist orders, which require the insurer to immediately stop engaging in the prohibited conduct; (3) suspension or revocation of the insurer’s license to operate in Connecticut; (4) requirements for the insurer to implement specific corrective actions, such as enhancing its cybersecurity program or providing credit monitoring services to affected consumers; and (5) referral of the matter to law enforcement for criminal prosecution in cases of egregious misconduct. When assessing the severity of a violation and determining the appropriate penalty, the CID considers several factors, including: (1) the nature and extent of the harm caused by the violation; (2) the insurer’s level of culpability, including whether the violation was intentional or negligent; (3) the insurer’s history of prior violations; (4) the insurer’s cooperation with the CID’s investigation; and (5) the insurer’s financial condition and ability to pay a penalty. The CID aims to impose penalties that are proportionate to the severity of the violation and that are sufficient to deter future misconduct.

Explain the “risk assessment” requirements under the Connecticut Insurance Data Security Law, detailing the specific types of threats and vulnerabilities that insurers must identify and evaluate, and how frequently this assessment must be updated to remain compliant.

The Connecticut Insurance Data Security Law mandates that insurers conduct regular “risk assessments” to identify and evaluate potential threats and vulnerabilities to their information systems and the nonpublic information they hold. This risk assessment is a cornerstone of an effective cybersecurity program. The risk assessment must address a wide range of potential threats and vulnerabilities, including: (1) internal threats, such as employee negligence or malicious insiders; (2) external threats, such as hackers, malware, and phishing attacks; (3) physical threats, such as theft, fire, and natural disasters; (4) vulnerabilities in the insurer’s IT infrastructure, such as outdated software, weak passwords, and unpatched systems; and (5) vulnerabilities in the insurer’s business processes, such as inadequate data security policies and procedures. The risk assessment must also evaluate the potential impact of each identified threat and vulnerability, considering factors such as the confidentiality, integrity, and availability of the affected information. This evaluation should help insurers prioritize their security efforts and allocate resources effectively. While the law does not specify a precise frequency for updating the risk assessment, it requires that insurers conduct assessments “periodically.” Best practices suggest that insurers should update their risk assessment at least annually, and more frequently if significant changes occur in their IT environment, threat landscape, or business operations.

How does the Connecticut Insurance Data Security Law address the confidentiality of information shared with the Connecticut Insurance Department (CID) during a cybersecurity event investigation, and what legal protections are in place to prevent the disclosure of sensitive information to third parties?

The Connecticut Insurance Data Security Law recognizes the sensitive nature of information shared with the Connecticut Insurance Department (CID) during a cybersecurity event investigation and includes provisions to protect its confidentiality. This is crucial to encourage insurers to cooperate fully with the CID without fear of exposing sensitive information to competitors or the public. Specifically, the law provides that information submitted to the CID in connection with a cybersecurity event investigation is confidential and is not subject to public disclosure under the Connecticut Freedom of Information Act. This protection extends to information such as incident reports, risk assessments, and remediation plans. However, there are some exceptions to this confidentiality protection. The CID may disclose information to other state, federal, or international regulatory agencies or law enforcement authorities if it determines that such disclosure is necessary to protect the public interest. The CID may also disclose information in aggregate or anonymized form for statistical or research purposes. Furthermore, the law includes provisions to prevent the unauthorized disclosure of confidential information by CID employees or agents. Any person who knowingly and willfully discloses confidential information in violation of the law is subject to penalties, including fines and imprisonment. These legal protections are designed to ensure that sensitive information shared with the CID remains confidential and is used only for legitimate regulatory purposes.

Discuss the specific requirements for “oversight and governance” within an insurer’s cybersecurity program as mandated by the Connecticut Insurance Data Security Law, including the roles and responsibilities of the board of directors or senior management in ensuring compliance and accountability.

The Connecticut Insurance Data Security Law places a strong emphasis on “oversight and governance” within an insurer’s cybersecurity program, recognizing that effective cybersecurity requires leadership and accountability at the highest levels of the organization. The law mandates that the board of directors or senior management of an insurer must oversee the development, implementation, and maintenance of the insurer’s cybersecurity program. This oversight includes: (1) establishing clear cybersecurity policies and procedures; (2) allocating sufficient resources to support the cybersecurity program; (3) monitoring the program’s effectiveness and making necessary adjustments; and (4) ensuring that employees receive adequate cybersecurity training. The board of directors or senior management is also responsible for ensuring that the insurer complies with all applicable cybersecurity laws and regulations, including the Connecticut Insurance Data Security Law. This includes: (1) conducting regular risk assessments; (2) implementing appropriate security controls; (3) developing and testing an incident response plan; and (4) reporting cybersecurity events to the Connecticut Insurance Department (CID) as required. Furthermore, the law requires that the board of directors or senior management be informed of significant cybersecurity risks and incidents. This ensures that they are aware of the potential threats facing the insurer and can take appropriate action to mitigate those risks. By assigning clear roles and responsibilities to the board of directors or senior management, the Connecticut Insurance Data Security Law promotes a culture of cybersecurity awareness and accountability throughout the organization.

Get InsureTutor Premium Access

Gain An Unfair Advantage

Prepare your insurance exam with the best study tool in the market

Support All Devices

Take all practice questions anytime, anywhere. InsureTutor supports all mobile, laptop and electronic devices.

Invest In The Best Tool

All practice questions and study notes are carefully crafted to help candidates like you to pass the insurance exam with ease.

Video Key Study Notes

Each insurance exam paper comes with over 3 hours of video key study notes. It’s a Q&A type of study material with voice-over, allowing you to study on the go while driving or during your commute.

Study Mindmap

Getting ready for an exam can feel overwhelming, especially when you’re unsure about the topics you might have overlooked. At InsureTutor, our innovative preparation tool includes mindmaps designed to highlight the subjects and concepts that require extra focus. Let us guide you in creating a personalized mindmap to ensure you’re fully equipped to excel on exam day.

Get Connecticut Cyber Insurance Exam Premium Practice Questions

Cyber Insurance Exam 15 Days

Last Updated: 15 August 25
15 Days Unlimited Access
USD5.3 Per Day Only

The practice questions are specific to each state.
3100 Practice Questions

Cyber Insurance Exam 30 Days

Last Updated: 15 August 25
30 Days Unlimited Access
USD3.3 Per Day Only

The practice questions are specific to each state.
3100 Practice Questions

Cyber Insurance Exam 60 Days

Last Updated: 15 August 25
60 Days Unlimited Access
USD2.0 Per Day Only

The practice questions are specific to each state.
3100 Practice Questions

Cyber Insurance Exam 180 Days

Last Updated: 15 August 25
180 Days Unlimited Access
USD0.8 Per Day Only

The practice questions are specific to each state.
3100 Practice Questions

Cyber Insurance Exam 365 Days

Last Updated: 15 August 25
365 Days Unlimited Access
USD0.4 Per Day Only

The practice questions are specific to each state.
3100 Practice Questions
