Ohio Cyber Insurance Exam

By InsureTutor Exam Team

Here are 14 in-depth Q&A study notes to help you prepare for the exam.

Explain the “failure to patch” exclusion commonly found in cyber insurance policies, detailing the insured’s responsibilities in maintaining software and hardware updates and the potential legal ramifications under Ohio Revised Code if negligence in patching leads to a data breach.

The “failure to patch” exclusion in cyber insurance policies typically denies coverage for losses resulting from exploits of known vulnerabilities for which a patch was available but not applied by the insured. This exclusion underscores the insured’s responsibility to maintain reasonable security measures, including timely software and hardware updates. Ohio Revised Code does not explicitly address patching requirements, but negligence in maintaining systems, leading to a data breach, could result in liability under general negligence principles or specific data protection laws. For example, if a business fails to apply a critical security patch and a breach occurs exposing personal information, they could face lawsuits from affected individuals or regulatory action from the Ohio Attorney General under consumer protection laws. Insurers will scrutinize patching practices post-breach to determine if the exclusion applies, potentially denying coverage if negligence is evident.

Discuss the implications of the Ohio Data Protection Act (Ohio Revised Code § 1354.01 et seq.) on cyber insurance underwriting, specifically how adherence to the Act’s cybersecurity framework requirements might influence premium rates and coverage terms.

The Ohio Data Protection Act (Ohio Revised Code § 1354.01 et seq.) provides a safe harbor from tort claims related to data breaches for businesses that implement and maintain a qualifying cybersecurity program. This Act significantly impacts cyber insurance underwriting. Insurers may offer more favorable premium rates and coverage terms to organizations demonstrating compliance with the Act’s requirements, as it suggests a lower risk profile. Underwriters will likely assess the robustness of an applicant’s cybersecurity framework, referencing standards like NIST Cybersecurity Framework or CIS Controls, to determine eligibility for preferred rates. Conversely, businesses without a qualifying cybersecurity program may face higher premiums or limited coverage options due to the increased risk of a data breach and subsequent legal liabilities. The Act incentivizes proactive cybersecurity measures, directly influencing the cyber insurance landscape in Ohio.

Analyze the “business interruption” coverage component of a cyber insurance policy, focusing on how contingent business interruption (CBI) coverage applies in the context of a supply chain attack affecting a business operating in Ohio. Detail the evidentiary requirements for claiming CBI losses.

Business interruption (BI) coverage in cyber insurance policies indemnifies the insured for lost profits and continuing expenses resulting from a covered cyber event that disrupts their operations. Contingent business interruption (CBI) extends this coverage to losses stemming from disruptions at the insured’s suppliers or customers. In a supply chain attack scenario affecting an Ohio business, CBI coverage could be triggered if a cyberattack on a key supplier prevents the insured from receiving necessary materials or services, leading to a business shutdown. To claim CBI losses, the insured must demonstrate a direct causal link between the cyber event at the supplier, the resulting disruption to their own operations, and the quantifiable financial losses incurred. Evidentiary requirements typically include financial records, contracts with suppliers, incident reports, and expert testimony to establish the extent and duration of the business interruption. Insurers will scrutinize these claims to verify the covered peril and the accuracy of the loss calculations.

Explain the concept of “betterment” in the context of cyber insurance claims related to data restoration and system upgrades following a cyberattack. How do insurance policies typically address betterment, and what are the potential disputes that can arise?

“Betterment” in cyber insurance refers to improvements made to an insured’s systems during data restoration or system upgrades following a cyberattack, which result in the systems being more valuable or resilient than they were before the incident. Insurance policies often exclude coverage for betterment, arguing that the insured should not receive a windfall benefit from the claim. However, disputes can arise when upgrades are necessary to restore functionality or meet current security standards. For example, if an outdated server needs to be replaced with a newer, more secure model after a ransomware attack, the insurer might argue that the cost difference between the old and new server constitutes betterment and is not covered. The insured, on the other hand, might argue that the upgrade was essential for restoring their business operations and preventing future attacks. Policy language and expert opinions often play a crucial role in resolving these disputes.

Discuss the role of forensic investigation in cyber insurance claims, outlining the responsibilities of both the insurer and the insured in conducting and cooperating with such investigations. What legal considerations, such as attorney-client privilege, are important during the forensic process?

Forensic investigation is a critical component of cyber insurance claims, involving the examination of systems and data to determine the cause, scope, and impact of a cyber incident. The insurer typically has the right to conduct or oversee the forensic investigation, while the insured has a duty to cooperate fully. This cooperation includes providing access to systems, data, and personnel. The forensic investigation helps the insurer assess the validity of the claim, determine coverage applicability, and quantify the losses. Legal considerations, such as attorney-client privilege, are paramount during the forensic process. To protect sensitive information and legal strategies, it is advisable to involve legal counsel early in the investigation. Communications between the insured, their attorney, and the forensic investigator may be protected by attorney-client privilege, shielding them from discovery in potential litigation. Maintaining this privilege requires careful documentation and adherence to legal protocols.

Analyze the interplay between cyber insurance and regulatory compliance, specifically focusing on how a cyber insurance policy might respond to fines and penalties imposed under the Health Insurance Portability and Accountability Act (HIPAA) following a data breach affecting protected health information (PHI) in Ohio.

The interplay between cyber insurance and regulatory compliance is complex, particularly concerning fines and penalties. While cyber insurance policies often exclude coverage for penalties that are deemed uninsurable under law, the specific wording of the policy and the nature of the penalty are crucial. In the context of HIPAA, a data breach affecting protected health information (PHI) in Ohio can lead to significant fines and penalties imposed by the Department of Health and Human Services (HHS). Whether a cyber insurance policy covers these penalties depends on the policy’s terms and conditions. Some policies may provide coverage for regulatory defense costs but exclude coverage for the penalties themselves. Others may offer limited coverage for penalties if they are considered compensatory rather than punitive. Insureds should carefully review their policy language and consult with legal counsel to understand the extent of coverage for HIPAA-related fines and penalties. Compliance with HIPAA regulations and proactive cybersecurity measures can also influence the insurer’s decision to provide coverage.

Explain the “social engineering” coverage component of a cyber insurance policy and how it differs from traditional crime insurance. Detail the steps an Ohio-based business should take to mitigate the risk of social engineering fraud and improve their chances of a successful insurance claim.

“Social engineering” coverage in a cyber insurance policy addresses losses resulting from fraudulent schemes where employees are manipulated into transferring funds or divulging sensitive information. This differs from traditional crime insurance, which typically covers losses from physical theft or embezzlement. Social engineering coverage specifically targets scams that exploit human psychology rather than technical vulnerabilities. To mitigate the risk of social engineering fraud and improve the chances of a successful insurance claim, an Ohio-based business should implement robust internal controls, including mandatory employee training on recognizing and reporting phishing emails and other social engineering tactics. They should also establish multi-factor authentication for financial transactions, verify payment requests through multiple channels, and maintain a clear separation of duties. In the event of a social engineering incident, the business should immediately notify law enforcement, the insurance company, and a forensic investigator to preserve evidence and assess the extent of the loss. Documenting these preventative and responsive measures will strengthen their claim and demonstrate a commitment to cybersecurity best practices.

How does the principle of “reasonable security” as interpreted by Ohio law (specifically referencing relevant sections of the Ohio Revised Code related to data protection and privacy) influence the underwriting process for cyber insurance policies, and what specific documentation must an applicant provide to demonstrate adherence to this principle?

The principle of “reasonable security,” while not explicitly defined in a single section of the Ohio Revised Code, is implied through various data protection and privacy regulations, such as those pertaining to the safeguarding of personal information (e.g., ORC 1349.19 regarding data breach notification). This principle significantly influences cyber insurance underwriting by requiring applicants to demonstrate they have implemented security measures commensurate with the sensitivity of the data they handle and the potential risks they face. Insurers assess an applicant’s adherence to “reasonable security” by scrutinizing their security policies, procedures, and technical controls. Documentation typically required includes: a comprehensive information security policy outlining security objectives and responsibilities; evidence of regular risk assessments and vulnerability scans; details of implemented security controls such as firewalls, intrusion detection systems, and encryption; employee training programs on cybersecurity awareness; incident response plans; and third-party vendor risk management processes. Furthermore, documentation demonstrating compliance with industry standards like NIST Cybersecurity Framework or ISO 27001 can strengthen an applicant’s case. Failure to demonstrate reasonable security can lead to higher premiums, coverage limitations, or even policy denial.

Explain the interplay between Ohio’s data breach notification law (Ohio Revised Code 1349.19) and the “claims-made” nature of most cyber insurance policies. Specifically, how might the timing of a breach discovery and notification impact coverage eligibility, and what steps should an insured take to ensure compliance and maximize potential policy benefits?

Ohio Revised Code 1349.19 mandates that businesses notify affected individuals and the Ohio Attorney General’s Office of a data breach involving personal information. The “claims-made” nature of cyber insurance policies means that coverage is triggered only if the claim is first made against the insured during the policy period, and the breach occurred after the policy’s retroactive date (if any). The timing of breach discovery and notification is crucial. If a breach occurs before the policy period but is discovered and reported during the policy period, coverage may be denied if the policy requires the breach itself to occur during the policy period. Similarly, delays in notifying the insurer after discovering a breach can jeopardize coverage, as policies typically require prompt notification. To ensure compliance and maximize policy benefits, insureds should: (1) Immediately investigate any suspected breach; (2) Notify the insurer as soon as a breach is confirmed or reasonably suspected, even if the full extent is unknown; (3) Comply with all requirements of ORC 1349.19 regarding notification to affected individuals and the Attorney General; (4) Document all steps taken in the investigation and remediation process; and (5) Cooperate fully with the insurer’s investigation. Failure to adhere to these steps could result in denial of coverage based on late notice or failure to comply with policy conditions.

Discuss the implications of the Ohio Consumer Sales Practices Act (CSPA) on cyber insurance coverage, particularly in scenarios involving data breaches that result in identity theft or financial harm to Ohio consumers. How might a cyber insurance policy respond to claims arising from violations of the CSPA following a data breach?

The Ohio Consumer Sales Practices Act (CSPA) prohibits unfair, deceptive, and unconscionable acts or practices in consumer transactions. A data breach that leads to identity theft or financial harm to Ohio consumers could potentially trigger violations of the CSPA if the breached entity failed to adequately protect consumer data, constituting a deceptive or unfair practice. Cyber insurance policies may respond to claims arising from CSPA violations following a data breach, but coverage is not guaranteed and depends on the policy’s specific terms and conditions. Key considerations include: (1) Whether the policy covers regulatory investigations and penalties; (2) Whether the policy covers consumer lawsuits alleging violations of consumer protection laws; (3) Whether the policy contains exclusions for intentional or criminal acts, which could apply if the data breach resulted from gross negligence or willful misconduct; and (4) The policy’s definition of “loss,” which may or may not include fines and penalties imposed under the CSPA. An insurer might argue that CSPA penalties are uninsurable as a matter of public policy, particularly if they are punitive in nature. However, the policy may cover the costs of defending against CSPA claims, even if it does not cover the penalties themselves. Insureds should carefully review their policy language and consult with legal counsel to determine the extent of coverage for CSPA-related claims.

Analyze the potential impact of the EU’s General Data Protection Regulation (GDPR) on Ohio-based businesses that handle the personal data of EU citizens, and how cyber insurance policies can be structured to address GDPR-related liabilities, considering the extraterritorial reach of the regulation.

The EU’s General Data Protection Regulation (GDPR) has significant implications for Ohio-based businesses that process the personal data of EU citizens, regardless of where the processing occurs. GDPR imposes strict requirements for data protection, including data security, data breach notification, and individual rights. Violations can result in substantial fines, up to 4% of annual global turnover or €20 million, whichever is higher. Cyber insurance policies can be structured to address GDPR-related liabilities, but careful consideration is needed to ensure adequate coverage. Key policy features include: (1) Coverage for GDPR fines and penalties (subject to insurability under applicable law); (2) Coverage for data breach notification costs, including costs of notifying EU data protection authorities and affected individuals; (3) Coverage for legal defense costs associated with GDPR investigations and lawsuits; (4) Coverage for business interruption losses resulting from a GDPR violation; and (5) Coverage for costs of complying with GDPR’s data subject rights, such as the right to be forgotten. Insurers may offer specific GDPR endorsements or enhancements to their cyber policies to address these risks. Ohio businesses should ensure their policies clearly define “personal data” to include the types of data covered by GDPR and that the policy’s territorial scope extends to cover liabilities arising from GDPR violations, even if the business has no physical presence in the EU.

Explain the concept of “betterment” in the context of cyber insurance claims related to system restoration after a ransomware attack. How do insurers typically handle situations where system upgrades or improvements are implemented during the restoration process, and what policy provisions address this issue?

“Betterment” in cyber insurance refers to improvements or upgrades made to a system during restoration after a covered loss, such as a ransomware attack, that result in the system being in a better condition than it was before the incident. Insurers generally aim to indemnify the insured for the actual loss sustained, meaning they will cover the cost of restoring the system to its pre-loss state, but not necessarily to a better state. When system upgrades or improvements are implemented during restoration, insurers typically address betterment in one of several ways: (1) They may exclude coverage for the cost of the betterment, only covering the cost of restoring the system to its original configuration; (2) They may require the insured to bear a portion of the cost of the betterment, reflecting the increased value or functionality of the restored system; or (3) In some cases, they may cover the full cost of the betterment if it is deemed necessary to prevent future similar incidents or if it is more cost-effective than restoring the system to its original state. Policy provisions addressing betterment may include exclusions for improvements or upgrades, co-insurance provisions requiring the insured to share in the cost of betterment, or provisions allowing the insurer to determine the reasonable cost of restoration, taking into account any betterment. Insureds should carefully review their policy language to understand how betterment will be handled in the event of a claim.

Discuss the role of “war exclusions” in cyber insurance policies, particularly in the context of state-sponsored cyberattacks. How do insurers define “war” or “act of war” in these exclusions, and what factors are considered when determining whether a cyberattack qualifies as an excluded event?

“War exclusions” in cyber insurance policies are intended to exclude coverage for losses arising from acts of war, including cyberattacks that are considered acts of war. These exclusions are often broadly worded and can be subject to interpretation, leading to disputes over coverage in the context of state-sponsored cyberattacks. Insurers typically define “war” or “act of war” in these exclusions by referencing traditional notions of armed conflict between nations, but the application to cyberattacks is complex. Factors considered when determining whether a cyberattack qualifies as an excluded event include: (1) Attribution: Identifying the perpetrator of the attack, particularly whether it was a nation-state or a non-state actor acting on behalf of a nation-state; (2) Intent: Determining the intent of the attack, whether it was intended to cause widespread damage or disruption, or whether it was primarily for espionage or theft; (3) Scale and Scope: Assessing the scale and scope of the attack, including the number of systems affected and the severity of the damage; and (4) Government Declaration: Whether a government has officially declared the cyberattack to be an act of war. The difficulty in attributing cyberattacks and the lack of clear international legal standards for defining cyber warfare make the application of war exclusions in cyber insurance policies highly uncertain. Insureds should carefully review the wording of war exclusions in their policies and seek clarification from their insurers regarding the scope of the exclusion.

How does the concept of “vicarious liability” apply in the context of cyber insurance, particularly concerning the actions of third-party vendors or contractors who have access to an insured’s systems or data? What due diligence requirements are typically expected of insureds to mitigate the risk of vicarious liability for cyber incidents caused by third parties?

Vicarious liability in cyber insurance refers to the legal responsibility an insured may have for the actions of a third party, such as a vendor or contractor, who causes a cyber incident while acting on behalf of the insured. This is particularly relevant when third parties have access to the insured’s systems or data. An insured can be held liable for a third party’s negligence or intentional misconduct if that conduct leads to a data breach, system compromise, or other covered loss. To mitigate the risk of vicarious liability, insurers typically expect insureds to perform thorough due diligence on their third-party vendors and contractors. This includes: (1) Conducting background checks and security assessments of potential vendors; (2) Requiring vendors to maintain adequate cybersecurity controls and comply with industry standards; (3) Including contractual provisions that hold vendors liable for cyber incidents caused by their negligence or misconduct; (4) Requiring vendors to maintain adequate cyber insurance coverage; (5) Implementing access controls to limit vendor access to only the systems and data necessary for their work; and (6) Regularly monitoring vendor compliance with security requirements. Failure to perform adequate due diligence on third-party vendors can lead to coverage disputes, with insurers arguing that the insured failed to take reasonable steps to prevent the loss. Insureds should document their due diligence efforts to demonstrate compliance with policy requirements and mitigate the risk of coverage denial.

Last Updated: 15 August 25