Here are 14 in-depth Q&A study notes to help you prepare for the exam.
Explain the “failure to patch” exclusion commonly found in cyber insurance policies. What specific due diligence measures should an insured demonstrate to avoid policy rescission based on this exclusion, referencing relevant legal precedents or industry best practices?
The “failure to patch” exclusion denies coverage for losses caused by a known vulnerability for which a vendor fix was available but had not been applied. Strictly speaking, the exclusion produces a claim denial rather than a rescission; rescission is the insurer's remedy when the application misrepresented the insured's controls (for example, attesting to a patching cadence or an MFA deployment that was not actually in place). An insured therefore has to defend on both fronts: answer the application accurately, and then be able to prove the patching practice it attested to. Evidence of reasonable due diligence includes a written patching policy with defined remediation windows, regular authenticated vulnerability scans using industry-standard tools (e.g., Nessus, Qualys), risk-based prioritization (CVSS severity, adjusted for whether the flaw is known to be actively exploited, such as entries on CISA's Known Exploited Vulnerabilities catalog, and for the exposure of the affected asset), application of patches within the timeframe the policy states, and a ticket or change record for every exception and compensating control. Case law on this specific exclusion is thin; courts generally analyse it under ordinary contract-interpretation and negligence principles, with the insurer bearing the burden of proving that the exclusion applies. Demonstrated alignment with the CIS Controls or the NIST Cybersecurity Framework is strong evidence of reasonable care. Indiana's unfair claim settlement practices provisions require a reasonable investigation and good-faith handling, so in practice the insurer must tie the loss to the specific unpatched vulnerability rather than to a generally imperfect patching record.
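The evidence an insured presents against this exclusion is usually a per-finding record of when a fix became available, what deadline the patching policy imposed, and when the fix was applied. The script below is an added example, not part of the original study notes: it takes a constructed scanner export and produces that record. The SLA windows, the tighter deadline for actively exploited flaws, and the finding identifiers are assumptions chosen for illustration; the binding numbers are whatever the insured's written patching policy and the insurance policy specify.

```python
"""Patch-timeliness evidence report (added example, not from the study notes).

Given vulnerability findings with the date a vendor fix became available,
compute the policy deadline for each one and classify it as patched within
SLA, patched late, open but still within SLA, or open and overdue.  An
"open_overdue" finding at the time of a loss is the fact pattern a
"failure to patch" exclusion is written for.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation windows in days, counted from patch availability.
# Illustrative only; take the real values from the written patching policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed: a flaw listed as actively exploited (e.g. on the CISA KEV catalog)
# gets a deadline no looser than this, regardless of its CVSS tier.
KEV_SLA_DAYS = 14


def cvss_tier(score: float) -> str:
    """Map a CVSS v3 base score to its standard qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    finding_id: str            # constructed identifier, not a real advisory
    product: str
    cvss: float
    known_exploited: bool
    patch_available: date
    patched_on: Optional[date] = None


def deadline(f: Finding) -> date:
    """Policy deadline: CVSS tier window, tightened if actively exploited."""
    days = SLA_DAYS[cvss_tier(f.cvss)]
    if f.known_exploited:
        days = min(days, KEV_SLA_DAYS)
    return f.patch_available + timedelta(days=days)


def evaluate(f: Finding, as_of: date) -> dict:
    """Classify one finding as of a given date (e.g. the date of loss)."""
    due = deadline(f)
    if f.patched_on is not None:
        status = "patched_in_sla" if f.patched_on <= due else "patched_late"
        days = (f.patched_on - f.patch_available).days
    else:
        status = "open_overdue" if as_of > due else "open_within_sla"
        days = (as_of - f.patch_available).days
    return {
        "finding_id": f.finding_id,
        "product": f.product,
        "tier": cvss_tier(f.cvss),
        "deadline": due.isoformat(),
        "days_elapsed": days,
        "status": status,
    }


def report(findings, as_of: date):
    """Return per-finding rows plus a count of findings per status."""
    rows = [evaluate(f, as_of) for f in findings]
    summary = {}
    for r in rows:
        summary[r["status"]] = summary.get(r["status"], 0) + 1
    return rows, summary


# Constructed sample export; products and scores are placeholders.
SAMPLE_FINDINGS = [
    Finding("F-1", "edge-vpn-appliance", 9.8, True, date(2024, 3, 1), date(2024, 3, 6)),
    Finding("F-2", "web-framework", 7.5, False, date(2024, 3, 1), date(2024, 4, 15)),
    Finding("F-3", "reporting-tool", 5.3, False, date(2024, 3, 1), None),
    Finding("F-4", "mail-gateway", 9.1, False, date(2024, 4, 1), None),
]
AS_OF = date(2024, 5, 1)  # assumed date of loss

if __name__ == "__main__":
    rows, summary = report(SAMPLE_FINDINGS, AS_OF)
    for r in rows:
        print(f"{r['finding_id']:<4} {r['tier']:<8} due {r['deadline']} "
              f"after {r['days_elapsed']:>3}d  {r['status']}")
    print(summary)
```

Run on the sample, F-1 (critical and actively exploited) was patched in five days against a seven-day deadline, F-2 (high) took 45 days against a 30-day window, F-3 (medium) is still open but inside its 90-day window, and F-4 (critical) has been open for 30 days against a 7-day deadline. Only F-4 is the kind of finding that would squarely fall within the exclusion if the loss traced back to it; F-2 shows the record an insured should expect to be questioned on, and a documented exception or compensating control for it is what turns "patched late" into evidence of diligence rather than neglect.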
Discuss the implications of the “War Exclusion” in a cyber insurance context. How might a state-sponsored cyberattack be classified, and what evidence would an insurer need to invoke this exclusion successfully, considering the challenges of attribution in cyberspace?
The “War Exclusion” in cyber insurance policies excludes coverage for losses arising from acts of war, and newer wordings extend this to cyber operations conducted by or on behalf of a state. Classifying a state-sponsored cyberattack as an act of war is complex, and attribution is the central difficulty. To invoke the exclusion an insurer must show, with credible evidence, that the attack was attributable to a nation-state and that it falls within the exclusion's definition of war or state-backed hostilities; that evidence is typically a combination of intelligence assessments, formal government attribution statements, and technical analysis of the malware and infrastructure used. The burden of proof is on the insurer. Under Indiana contract-interpretation principles, as in most states, exclusions are construed narrowly and any ambiguity is resolved in favor of the insured, and the insurer must also demonstrate a direct causal link between the hostile act and the insured's loss. Because definitive attribution is so rarely available, older wordings that simply say “war” have proved hard for insurers to rely on; the market's response, led by Lloyd's requirements effective in 2023, has been purpose-drafted state-backed cyberattack exclusions that spell out how attribution is to be established, commonly giving primary weight to a formal attribution by the government of the state in which the affected systems are located.
Explain the concept of “betterment” in the context of cyber insurance claims. How do insurers typically handle situations where a system upgrade is necessary during the restoration process following a cyber incident, and what are the potential disputes that may arise?
“Betterment” in cyber insurance refers to improvements made to a system during restoration that go beyond returning it to its pre-incident state. Insurers generally do not pay for betterment, but drawing the line is not always simple. For example, if a server has to be replaced after a ransomware attack, the insurer may cover only a server of comparable specification to the original, even if a more secure or efficient model is now the sensible purchase. Disputes arise most often when an upgrade is needed to close the vulnerability that caused the incident: the insured argues that the upgrade is part of restoring the system to a reasonably secure state, while the insurer treats it as betterment. Some policies carve back a limited allowance for upgrades forced by the restoration itself (for instance, when the original software version is no longer supported or obtainable), so the policy wording should be checked before a dispute is framed as pure betterment. Clear policy language and early communication with the adjuster are the practical safeguards. Indiana law, through both the unfair claim settlement practices provisions and the common-law duty of good faith, requires insurers to assess such claims fairly on the specific facts of each case.
Describe the “failure to maintain” exclusion in cyber insurance policies. What documentation should an organization maintain to demonstrate that they have adequately maintained their systems and networks, and how does this documentation support a claim in the event of a cyber incident?
The “failure to maintain” exclusion excludes coverage for losses resulting from a failure to adequately maintain systems and networks, and is aimed at losses that flow from neglect of basic security hygiene rather than from a sophisticated attack. To demonstrate adequate maintenance, an organization should keep comprehensive, dated documentation, including: security audit and penetration test reports with evidence that findings were remediated; vulnerability scan results and remediation plans; patch management records; change-management records for the affected systems; firewall and intrusion detection/prevention system configurations and logs, retained long enough to cover the incident window; backup schedules and the results of restore tests; employee security awareness training records; and the incident response plan together with records of its exercises. This documentation is evidence that the organization took reasonable, ongoing steps to protect its systems. After an incident it supports the claim by showing that the organization met the maintenance obligations in the policy and, just as importantly, lets the forensic investigator establish what the environment looked like before the attacker arrived. The Indiana insurance code requires insurers to consider all relevant evidence when evaluating a claim, and this documentation is directly relevant evidence of the insured's maintenance practices.
Explain the concept of “moral hazard” in the context of cyber insurance. How do insurers attempt to mitigate moral hazard through policy terms, underwriting practices, and claims handling procedures?
“Moral hazard” in cyber insurance refers to the risk that an insured, shielded from the full financial consequences of a cyber incident, takes less care to prevent one. Insurers mitigate it in several ways. Policy terms include deductibles and coinsurance so the insured bears part of every loss, along with sub-limits for loss types the insured can most influence (such as social engineering). Underwriting assesses the applicant's security posture before binding, through questionnaires, attestations and external scans, and prices the premium accordingly; common conditions of coverage are multi-factor authentication on remote access and privileged accounts, offline or immutable backups, and endpoint detection and response. Claims handling includes a thorough investigation of the cause of the incident and verification that the insured complied with the policy's conditions and with the attestations made at application. The Indiana insurance code allows insurers to establish reasonable underwriting standards and policy terms to manage risk, including the risk of moral hazard.
Discuss the challenges of quantifying “business interruption” losses in cyber insurance claims, particularly in cases involving cloud-based services or complex supply chains. What methodologies are commonly used to estimate these losses, and what types of documentation are required to support a claim?
Quantifying business interruption losses in cyber insurance claims is challenging, especially where the insured depends on cloud-based services or on a complex supply chain, because traditional methods do not capture the ripple effects of an outage that begins outside the insured's own network. Coverage terms matter as much as the arithmetic: most policies impose a waiting period (a time deductible of several hours) before business interruption coverage attaches, define a period of restoration after which it ends, and cover outages at a cloud or other provider only under a contingent (dependent) business interruption grant, often with its own sub-limit. Methodologies used include: analyzing historical revenue data, projecting the revenue the business would have earned from pre-incident trends and seasonality, assessing the impact on specific business functions, and calculating the extra expenses incurred to mitigate the disruption. Documentation required includes: financial statements, sales records, customer contracts, supply chain agreements, incident response logs, and expert reports. Insurers typically engage forensic accountants to assist in quantifying these losses. The Indiana insurance code requires insurers to assess business interruption losses fairly and accurately, considering all available evidence, and the complexity of modern operations demands a correspondingly careful approach.
Explain the “social engineering” exclusion in cyber insurance policies. How do insurers differentiate between employee negligence and social engineering attacks, and what steps can an organization take to minimize the risk of a claim denial based on this exclusion?
The “social engineering” exclusion, and the related limitation in many crime policies, removes from the base coverage losses caused by fraudulent transfers that an employee was deceived into authorizing (e.g., through phishing or pretexting); where such losses are covered at all, it is usually by a separate social engineering or funds transfer fraud endorsement carrying a sub-limit and its own conditions. The distinction insurers draw is less between negligence and social engineering than between an unauthorized transfer (an attacker moving funds directly through a compromised system) and a voluntary one (an employee, however deceived, instructing the transfer), with only the former falling within ordinary computer fraud coverage. In assessing the claim, insurers consider the sophistication of the attack, the employee's training, and the controls the organization had in place. To minimize the risk of claim denial, organizations should implement robust security awareness training, multi-factor authentication, and strong internal controls for financial transactions, in particular dual authorization and an out-of-band verification (such as a call-back to a known number) before any change to payment instructions, since endorsements frequently make such verification a condition of coverage. They should document these measures and keep records of employee training. After an attack, the organization should report the incident promptly to the insurer and cooperate fully with the investigation. The Indiana insurance code requires insurers to conduct a reasonable investigation before denying a claim, and the organization's security measures will be a key factor in that assessment.
Explain the “failure to implement reasonable cybersecurity measures” element in a cyber insurance claim denial, referencing relevant Indiana statutes and how it aligns with or diverges from the NAIC’s Cybersecurity Model Law.
The “failure to implement reasonable cybersecurity measures” is a common basis for denying cyber insurance claims. Indiana has no single statute that defines “reasonable cybersecurity measures” for businesses generally, although its data breach statute (IC 24-4.9) does require database owners to implement and maintain reasonable procedures to protect personal information. Insurers therefore rely on industry standards such as the NIST Cybersecurity Framework, the CIS Controls, or ISO 27001 to give the term content. Because the denial rests on an exclusion or condition, the burden of proof falls on the insurer to show that the insured's security practices were demonstrably deficient and that the deficiency contributed to the loss.
The NAIC's Insurance Data Security Model Law (Model #668) provides a framework for states to set cybersecurity standards for insurers, agents and other licensees of the state insurance department; it regulates the insurance industry's own handling of data, not policyholders. Indiana enacted its own version of the model law in 2020 (codified at IC 27-2-27), which requires licensees to conduct risk assessments, maintain a written information security program, and plan for incident response. Those requirements do not apply directly to an insured business, but they describe what the Indiana Department of Insurance considers reasonable security, and an insurer that denies a claim for inadequate security while invoking a higher standard than it is itself held to will find that argument hard to sustain. The Department would likely treat the model law's principles as persuasive authority in evaluating the reasonableness of a denial.
How does the concept of “vicarious liability” apply in the context of a cyber insurance claim in Indiana, specifically when a breach originates from a third-party vendor or service provider? Detail the insured’s responsibilities and the insurer’s potential defenses.
Vicarious liability, where one party is held liable for the actions of another, matters in cyber insurance when a breach stems from a third-party vendor or service provider. In Indiana, the insured's policy will typically set out its responsibilities for vendor security, including due diligence in selecting vendors, contractual security requirements, and ongoing monitoring of vendor compliance; the application often asks the insured to attest to these practices.
If a breach originates at a vendor, the insured may still be liable to the individuals whose data was compromised, which triggers the third-party coverage of its cyber policy. The insurer may, however, raise defenses based on the insured's failure to manage vendor risk: if the insured did not conduct reasonable due diligence on the vendor's security practices, or if the contract with the vendor lacked adequate security and breach-notification requirements, the insurer may argue that the insured's own negligence contributed to the loss and limit or deny coverage on that basis. The insurer may also pursue subrogation against the negligent vendor to recover what it has paid, which is one reason policies require the insured to preserve its contractual rights against vendors. Indiana law generally follows common-law principles of agency and negligence in determining vicarious liability.
Discuss the implications of the “War Exclusion” clause in a cyber insurance policy, particularly in the context of state-sponsored cyberattacks. How is “attribution” determined, and what evidence is typically required to invoke this exclusion in Indiana?
The “War Exclusion” clause in cyber insurance policies typically excludes coverage for losses arising from acts of war, including cyber warfare. The increasing prevalence of state-sponsored cyberattacks raises complex issues regarding the applicability of this exclusion. A key challenge is “attribution” – definitively identifying the perpetrator of the attack as a nation-state.
Invoking the War Exclusion requires substantial evidence. Insurers cannot simply assert that an attack was state-sponsored; they must provide credible evidence linking it to a specific nation-state, such as technical analysis of the malware and infrastructure used, formal attribution statements or intelligence reports from government agencies, and patterns of activity consistent with known state-sponsored actors. Attribution is often difficult and contested, and even an accepted attribution does not by itself establish that the attack was an act of war within the meaning of the clause. The leading decision to date is Merck & Co. v. Ace American Insurance Co. (New Jersey, 2022; affirmed on appeal in 2023), in which the court held that a war exclusion written in terms of armed hostilities did not reach losses from the NotPetya malware, even though the attack was widely attributed to Russia.
Indiana has no comparable precedent, but an Indiana court would apply the same contract-interpretation principles and scrutinize the insurer's evidence closely. The burden of proof rests on the insurer to show that the exclusion applies, and ambiguity in the policy language or in the evidence would be construed against the insurer. The Indiana Department of Insurance may also examine a denial on this ground to ensure it is justified and not an attempt to avoid a legitimate claim.
Explain the “Betterment” exclusion in cyber insurance policies and provide a specific example of how it might be applied in a ransomware attack scenario in Indiana.
The “Betterment” exclusion in cyber insurance policies generally excludes coverage for improvements or upgrades made to a system during recovery that go beyond restoring it to its original state. The rationale is that the insured should not receive a windfall by having the insurer pay for enhancements that provide a benefit beyond simply returning the system to its pre-incident condition.
Consider a ransomware attack in Indiana that encrypts a company's outdated servers. The company decides not only to restore the servers but to rebuild them on a more secure and modern architecture. The policy would cover the cost of restoring the servers to their original state, including data recovery and incident response, but the “Betterment” exclusion would apply to the incremental cost of the upgrade: the insurer's position is that the upgrade benefits the insured beyond restoring what was lost, so the insured should bear that portion. Separating the restoration cost from the betterment cost is rarely clean, particularly where the old platform can no longer be bought or licensed, and usually requires an expert to price the like-for-like replacement the policy actually owes.
Discuss the interplay between cyber insurance and regulatory compliance, specifically focusing on Indiana’s data breach notification law (IC 24-4.9; IC 4-1-11 is the parallel statute for state agencies) and how a violation of this law might impact a cyber insurance claim.
Indiana’s data breach notification law for businesses (IC 24-4.9, the private-sector counterpart to IC 4-1-11, which governs state agencies) requires a database owner that discovers a breach of unencrypted personal information to notify affected Indiana residents and the Indiana Attorney General without unreasonable delay and, following the 2022 amendment, no later than 45 days after discovery. Failure to comply has significant implications for a cyber insurance claim.
If a company suffers a breach and fails to give timely and accurate notification, it faces enforcement by the Attorney General and suits from affected individuals. Those costs may be covered by the cyber policy, subject to its terms, but the insurer has several arguments: that the late notice breached the policy's own notice and cooperation conditions (cyber policies typically require the insured to notify the insurer as soon as practicable and to obtain consent before incurring notification and legal costs), that the delay aggravated the damages and enlarged the insurer's exposure, and, where the violation is material, that coverage for the breach-related costs is excluded altogether. The practical rule is to engage the insurer and its panel counsel at the start of the incident, so that the regulatory clock and the policy's conditions are managed together.
Explain the concept of “first-party” vs. “third-party” coverage in a cyber insurance policy, providing specific examples of losses that would fall under each category in the context of an Indiana-based business.
Cyber insurance policies typically provide both “first-party” and “third-party” coverage. First-party coverage protects the insured against direct losses they incur as a result of a cyber incident. Examples for an Indiana-based business include:
**Data recovery costs:** Expenses to restore data lost or corrupted in a ransomware attack.
**Business interruption losses:** Lost profits due to system downtime caused by a cyberattack.
**Incident response costs:** Fees for forensic investigation, legal counsel, and public relations services.
**Notification costs:** Expenses associated with notifying affected individuals and the Attorney General of a data breach, as required by Indiana law (IC 24-4.9), including credit monitoring where offered.
**Extortion payments:** Ransom paid to cybercriminals in a ransomware attack, subject to policy limits and conditions, which typically include the insurer's prior consent and a sanctions (OFAC) check on the recipient.
Third-party coverage protects the insured against claims made by third parties who have been harmed by a cyber incident. Examples include:
**Liability for data breach:** Lawsuits from customers whose personal information was compromised in a data breach.
**Regulatory fines and penalties:** Fines imposed by government agencies for violations of privacy laws, to the extent such fines are insurable under the applicable law.
**Defense costs:** Legal expenses incurred in defending against third-party claims.
Discuss the role of “affirmative” vs. “silent” cyber coverage in traditional insurance policies (e.g., Commercial General Liability) and the potential for disputes arising from “silent” cyber exposures in Indiana.
“Affirmative” cyber coverage refers to policies specifically designed to cover cyber risks, with explicit terms and conditions addressing cyber-related losses. “Silent” cyber coverage, on the other hand, refers to the potential for traditional insurance policies (e.g., Commercial General Liability, Property) to respond to cyber-related losses, even though they do not explicitly address cyber risks. This arises when the policy language is ambiguous or silent on whether cyber events are covered.
The ambiguity of “silent” cyber coverage leads to disputes. For example, if a manufacturing company in Indiana suffers physical damage after a cyberattack on its industrial control systems, it may seek coverage under its property policy; the insurer argues that the policy was never intended to cover cyber risk, while the insured argues that the policy covers physical damage regardless of cause. The Merck NotPetya litigation arose in exactly this posture, under all-risk property policies rather than a cyber policy.
To remove the ambiguity, insurers increasingly add explicit cyber exclusions or endorsements to traditional policies stating whether cyber events are covered; Lloyd's has required its syndicates since 2020 to either affirmatively cover or expressly exclude cyber loss in property policies. The Indiana Department of Insurance encourages insurers to define their cyber coverage clearly so that disputes are avoided and businesses have adequate protection against cyber risks.