South Carolina Cyber Insurance Exam

By InsureTutor Exam Team

Here are 14 in-depth Q&A study notes to help you prepare for the exam.

Explain the “failure to patch” exclusion commonly found in cyber insurance policies and how it interacts with a company’s documented vulnerability management program under South Carolina law. What specific elements of such a program would an insurer likely scrutinize when assessing a claim denial based on this exclusion?

The “failure to patch” exclusion in cyber insurance policies typically denies coverage for losses arising from vulnerabilities that were known but not addressed with available security patches. Under South Carolina law, while there isn’t a specific statute mandating patching, the general duty of care to protect sensitive data (as outlined in data breach notification laws and potentially negligence claims) implies a need for reasonable security measures, including timely patching. Insurers will scrutinize the company’s vulnerability management program, looking for evidence of regular vulnerability scanning, risk assessment based on severity and exploitability, a defined patching schedule, and documentation of exceptions or compensating controls when patches cannot be immediately applied. They will assess if the unpatched vulnerability was known for a reasonable period before the incident, considering industry best practices and the specific threat landscape. A weak or non-existent program significantly increases the likelihood of claim denial.

Discuss the implications of the South Carolina Information Security Breach Notification Act (48-39-110) on cyber insurance claims related to data breaches. Specifically, how does the Act’s definition of “personal information” and the required notification timeline influence the scope of coverage and the insurer’s responsibilities?

The South Carolina Information Security Breach Notification Act (48-39-110) defines “personal information” broadly, including an individual’s name in conjunction with Social Security number, driver’s license number, financial account number, or credit/debit card number. This definition directly impacts cyber insurance claims because it determines what types of data breaches trigger coverage. The Act also mandates a specific notification timeline to affected individuals and the South Carolina Attorney General. This timeline influences the insurer’s responsibilities by requiring prompt action to investigate the breach, determine the scope of affected data, and provide necessary notifications. Delays in notification due to inadequate incident response plans or internal processes can lead to increased regulatory scrutiny, fines, and reputational damage, potentially impacting the insurer’s exposure and the policyholder’s compliance with the policy’s conditions. Failure to comply with the notification timeline could also be grounds for denial of coverage.

How do “war exclusions” in cyber insurance policies apply to state-sponsored cyberattacks targeting businesses in South Carolina? What factors would an insurer consider when determining whether a cyberattack qualifies as an act of war, thus triggering the exclusion?

“War exclusions” in cyber insurance policies typically exclude coverage for losses resulting from acts of war, including cyberattacks. Determining whether a cyberattack qualifies as an act of war is complex and often involves legal interpretation. Insurers would consider several factors, including attribution (identifying the attacker and their affiliation with a nation-state), the scale and severity of the attack, the intent behind the attack (e.g., disruption of critical infrastructure, espionage, or economic damage), and whether the attack was part of a broader military conflict. The involvement of a nation-state is a key factor, but proving state sponsorship can be challenging. The lack of a formal declaration of war does not necessarily preclude the application of the exclusion. The insurer would likely consult with legal experts and intelligence analysts to assess the evidence and determine whether the attack meets the threshold for a war exclusion.

Explain the concept of “betterment” in the context of cyber insurance claims for data restoration and system upgrades following a cyberattack in South Carolina. How do policies typically address the cost of improvements that enhance security beyond the pre-incident state?

“Betterment” refers to improvements made during data restoration or system upgrades that enhance security beyond the pre-incident state. Cyber insurance policies often exclude coverage for betterment, arguing that the insured is receiving a benefit beyond mere restoration. However, some policies may offer limited coverage for security enhancements that are deemed necessary to prevent future incidents. The key is to distinguish between upgrades that are essential for restoring functionality and those that provide a significant security advantage. For example, upgrading to a newer operating system with enhanced security features might be considered betterment, while implementing basic security patches to address known vulnerabilities would likely be covered. The policy language and the specific circumstances of the incident will determine the extent to which betterment costs are covered. Policyholders should negotiate with insurers to clarify the scope of coverage for security enhancements.

Discuss the role of “due diligence” in obtaining and maintaining cyber insurance coverage in South Carolina. What specific security controls and practices might an insurer expect a business to have in place, and how could a lack of due diligence affect the validity of a claim?

“Due diligence” refers to the reasonable steps a business takes to protect its systems and data from cyber threats. Insurers expect businesses to demonstrate due diligence in implementing and maintaining appropriate security controls. These controls may include firewalls, intrusion detection systems, anti-virus software, regular security audits, employee training, incident response plans, and data encryption. A lack of due diligence can significantly affect the validity of a claim. If an insurer determines that a business failed to implement reasonable security measures, it may deny coverage based on policy exclusions or misrepresentation of risk. For example, if a business claims to have implemented multi-factor authentication but has not done so, the insurer may deny a claim resulting from a compromised account. Demonstrating a proactive approach to cybersecurity is crucial for obtaining and maintaining cyber insurance coverage and ensuring that claims are paid.

How does the concept of “vicarious liability” apply in the context of cyber insurance claims arising from the actions of third-party vendors or contractors who have access to a company’s network in South Carolina? What steps can a company take to mitigate this risk and ensure adequate coverage?

“Vicarious liability” refers to the legal responsibility a company may have for the actions of its third-party vendors or contractors. If a vendor’s negligence or malicious actions lead to a cyber incident affecting the company’s data or systems, the company may be held liable. Cyber insurance policies may or may not cover losses arising from vicarious liability, depending on the policy language. To mitigate this risk, companies should conduct thorough due diligence on their vendors, including assessing their security practices and insurance coverage. Contracts with vendors should include clear security requirements, indemnification clauses, and provisions for data breach notification. Companies should also implement strong access controls to limit vendor access to only the data and systems necessary for their work. Reviewing the cyber insurance policy to ensure it covers vicarious liability and obtaining vendor-specific endorsements may also be necessary.

Explain the “social engineering” exclusion in cyber insurance policies and how it relates to incidents involving phishing, business email compromise (BEC), and other forms of deception in South Carolina. What measures can a company take to demonstrate that it exercised reasonable care to prevent such incidents and thus avoid a claim denial?

The “social engineering” exclusion typically excludes coverage for losses resulting from the intentional transfer of funds or data based on deception, such as phishing or business email compromise (BEC). Insurers often view these incidents as preventable through employee training and robust authentication procedures. To avoid a claim denial, a company must demonstrate that it exercised reasonable care to prevent social engineering attacks. This includes implementing regular employee training on identifying and avoiding phishing scams, establishing strong authentication protocols (e.g., multi-factor authentication), verifying payment requests through multiple channels, and implementing technical controls to detect and block suspicious emails. Documenting these measures and demonstrating a proactive approach to security awareness can help a company successfully argue that it took reasonable steps to prevent the incident and that the exclusion should not apply.

How does the principle of “utmost good faith” apply specifically to cyber insurance policies in South Carolina, and what are the potential consequences for both the insurer and the insured if this principle is violated during the application or claims process?

The principle of utmost good faith, or uberrimae fidei, is a cornerstone of insurance contracts, demanding honesty and transparency from both parties. In South Carolina, this principle is implicitly embedded within the state’s insurance regulations, even if not explicitly codified in cyber insurance-specific statutes. For the insured, this means full and accurate disclosure of all material facts relevant to the risk being insured, including existing security vulnerabilities, past breaches, and compliance with cybersecurity frameworks. Failure to disclose such information can render the policy voidable by the insurer. Conversely, the insurer must also act in good faith, fairly investigating claims and providing clear and honest communication. A breach of this duty by the insurer could lead to claims of bad faith, potentially resulting in extra-contractual damages beyond the policy limits, as established in South Carolina case law regarding unfair claim settlement practices. South Carolina Code of Laws Title 38 addresses insurance regulations, and while not specific to cyber, the general principles apply.

Explain the interplay between South Carolina’s data breach notification law and a cyber insurance policy’s coverage for notification costs. What specific elements of a data breach notification are typically covered, and what exclusions might apply under a standard cyber insurance policy?

South Carolina’s data breach notification law, outlined in S.C. Code Ann. § 39-1-110, mandates that businesses notify affected individuals and the Attorney General in the event of a security breach involving personal information. Cyber insurance policies often include coverage for the costs associated with this notification process. Covered elements typically encompass legal review to determine notification obligations, forensic investigation to assess the scope of the breach, preparation and mailing of notification letters, establishment of a call center to handle inquiries, and potentially credit monitoring services for affected individuals. However, exclusions may apply. For instance, some policies might exclude notification costs if the breach was caused by a known vulnerability that the insured failed to patch, or if the insured was not in compliance with industry-standard security practices. Furthermore, the policy may specify a maximum limit for notification expenses, requiring the insured to bear any costs exceeding that limit. The specific terms and conditions of the cyber insurance policy dictate the extent of coverage for notification costs, and it is crucial to carefully review these provisions in conjunction with South Carolina’s data breach notification requirements.

Discuss the potential legal and financial ramifications for a South Carolina business that fails to implement reasonable cybersecurity measures, leading to a data breach, even if they possess a cyber insurance policy. How might this impact their ability to recover losses under the policy?

Even with cyber insurance, a South Carolina business that neglects reasonable cybersecurity measures faces significant legal and financial repercussions following a data breach. While the cyber insurance policy may cover certain losses, the insurer could deny coverage or reduce the payout if the breach resulted from the insured’s failure to implement basic security controls. Many cyber insurance policies contain clauses requiring the insured to maintain a certain level of cybersecurity hygiene, such as implementing firewalls, intrusion detection systems, and regularly patching software vulnerabilities. Failure to do so could be deemed a breach of contract, allowing the insurer to avoid liability. Furthermore, the business could face lawsuits from affected individuals under negligence theories, alleging that the business failed to adequately protect their personal information. South Carolina law recognizes a duty of care to protect sensitive data, and a failure to implement reasonable security measures could constitute a breach of that duty. The business could also face regulatory fines and penalties under laws like HIPAA (if dealing with protected health information) or other applicable regulations, which are often not covered by cyber insurance policies.

Explain the concept of “betterment” in the context of cyber insurance claims related to system restoration after a cyberattack in South Carolina. How do cyber insurance policies typically address the issue of upgrading systems during the recovery process, and what limitations might apply?

In the context of cyber insurance, “betterment” refers to improvements made to a system during the restoration process following a cyberattack that result in the system being more valuable or resilient than it was before the incident. Insurers generally aim to indemnify the insured for their actual losses, not to provide them with a windfall. Therefore, cyber insurance policies often contain provisions addressing betterment. Typically, policies will cover the cost of restoring the system to its pre-attack state, but may exclude coverage for upgrades or enhancements that go beyond that. However, some policies may allow for limited coverage of betterment if it is deemed necessary to prevent future attacks or to comply with updated security standards. For example, if a system was running outdated software with known vulnerabilities, the policy might cover the cost of upgrading to a more secure version. However, the insurer may impose limitations on the amount of betterment coverage available, or require the insured to share in the cost of the upgrade. The specific terms of the policy dictate the extent to which betterment is covered, and it is essential to carefully review these provisions. South Carolina law generally follows the principle of indemnity in insurance contracts, meaning the insured should be restored to their pre-loss condition, but not enriched.

How do cyber insurance policies typically handle incidents involving “social engineering” or “phishing” attacks that result in fraudulent fund transfers from a South Carolina business’s bank account? What specific policy provisions are relevant in determining coverage for such losses, and what steps can a business take to improve its chances of a successful claim?

Cyber insurance policies address social engineering and phishing attacks with varying degrees of coverage, often depending on specific policy provisions. These attacks, which manipulate employees into divulging sensitive information or transferring funds to fraudulent accounts, are a common source of cyber insurance claims. Key policy provisions include those related to “computer fraud,” “funds transfer fraud,” and “social engineering fraud.” Computer fraud typically covers losses resulting from unauthorized access to a computer system, while funds transfer fraud specifically addresses fraudulent transfers initiated through a computer system. Social engineering fraud coverage is often a separate endorsement and provides coverage for losses resulting from the intentional deception of an employee. To improve the chances of a successful claim, a South Carolina business should implement robust internal controls, including multi-factor authentication, employee training on phishing awareness, and verification procedures for fund transfers. They should also promptly report the incident to law enforcement and the insurer, and cooperate fully with the insurer’s investigation. The burden of proof often rests on the insured to demonstrate that the loss resulted directly from the covered social engineering or phishing attack and that they took reasonable steps to prevent the loss. South Carolina law recognizes the enforceability of insurance contracts, and the specific policy language will govern the extent of coverage.

Discuss the implications of the “war exclusion” clause in cyber insurance policies for South Carolina businesses, particularly in the context of state-sponsored cyberattacks. How is “war” typically defined in these policies, and what types of cyber incidents might fall under this exclusion, potentially denying coverage?

The “war exclusion” clause in cyber insurance policies is a significant concern for South Carolina businesses, as it can potentially deny coverage for cyberattacks deemed to be acts of war. This exclusion typically excludes coverage for losses resulting from war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, or military or usurped power. The definition of “war” in these policies is often broad and can be subject to interpretation. In the context of state-sponsored cyberattacks, the key question is whether the attack can be attributed to a nation-state and whether it constitutes an act of war. Factors considered may include the attacker’s identity, the target of the attack, the severity of the damage, and the political context. For example, a cyberattack targeting critical infrastructure in South Carolina, demonstrably launched by a foreign government with the intent to disrupt essential services, might be considered an act of war and fall under the exclusion. However, the application of the war exclusion to cyberattacks is a complex and evolving area of law, and there is considerable debate about its scope. Businesses should carefully review the war exclusion clause in their cyber insurance policies and seek legal advice to understand its potential implications. South Carolina courts would likely interpret the clause based on its plain meaning and the specific facts of the case.

Explain the concept of “claims-made” coverage in cyber insurance policies and how it differs from “occurrence-based” coverage. What are the implications of a “retroactive date” in a claims-made cyber insurance policy for a South Carolina business, and what steps should a business take when switching cyber insurance providers to ensure continuous coverage?

Cyber insurance policies are typically written on a “claims-made” basis, meaning that the policy covers claims that are first made against the insured during the policy period, regardless of when the incident giving rise to the claim occurred. This differs from “occurrence-based” coverage, which covers incidents that occur during the policy period, regardless of when the claim is made. A “retroactive date” in a claims-made cyber insurance policy limits coverage to incidents that occur on or after that date. This means that if an incident occurred before the retroactive date, even if the claim is made during the policy period, it will not be covered. When switching cyber insurance providers, a South Carolina business should take several steps to ensure continuous coverage. First, they should obtain “prior acts” coverage from the new insurer, which covers incidents that occurred before the new policy’s effective date but are first reported during the policy period. Alternatively, they can purchase an “extended reporting period” (ERP) from the old insurer, which allows them to report claims for a specified period after the policy expires, even if the incident occurred during the policy period. Careful coordination between the old and new policies is essential to avoid gaps in coverage. South Carolina law recognizes the validity of both claims-made and occurrence-based insurance policies, and the specific terms of the policy will govern the scope of coverage.

Last Updated: 24 April 25