South Dakota Cyber Insurance Exam

By InsureTutor Exam Team

Here are 14 in-depth Q&A study notes to help you prepare for the exam.

Explain the “failure to patch” exclusion commonly found in cyber insurance policies, detailing the insured’s responsibilities and potential legal ramifications under South Dakota law if this exclusion is triggered.

The “failure to patch” exclusion in cyber insurance policies typically denies coverage for losses resulting from known vulnerabilities for which a patch or update was available but not implemented by the insured. This exclusion places a significant responsibility on the insured to maintain up-to-date security measures. Under South Dakota law, specifically regarding negligence and duty of care, a failure to apply readily available security patches could be interpreted as a breach of the insured’s duty to protect their own systems and data, potentially impacting their ability to recover losses. South Dakota Codified Laws (SDCL) Title 56 addresses obligations arising from statutes, and while no specific statute mandates patching, a court could argue that industry best practices and reasonable security measures, including patching, are implied obligations. The insured must demonstrate due diligence in vulnerability management, including timely patching, to avoid this exclusion. Failure to do so could lead to denial of coverage and potential legal liability for damages resulting from the unpatched vulnerability.

Discuss the implications of the South Dakota Personal Information Protection Act (SDCL 39-19) on cyber insurance coverage, specifically concerning notification requirements and potential liabilities following a data breach. How might a cyber insurance policy respond to costs associated with compliance with this Act?

The South Dakota Personal Information Protection Act (SDCL 39-19) mandates specific notification requirements for businesses experiencing a data breach involving personal information. This Act significantly impacts cyber insurance coverage by creating potential liabilities for non-compliance. A cyber insurance policy may respond to costs associated with compliance with this Act in several ways. First, it may cover the costs of forensic investigations to determine the scope and cause of the breach, as required by the Act. Second, it may cover the costs of notifying affected individuals, including providing credit monitoring services, as mandated by SDCL 39-19-3. Third, it may cover legal expenses and potential settlements or judgments resulting from lawsuits filed by affected individuals or regulatory actions taken by the state. However, policies often have exclusions for penalties and fines, so coverage for direct penalties imposed by the state for non-compliance with SDCL 39-19 may be limited or excluded. The policy’s language regarding “regulatory actions” and “compliance costs” is crucial in determining the extent of coverage.

Explain the concept of “betterment” in the context of cyber insurance claims, and provide an example of how it might be applied when restoring a compromised system. How do cyber insurance policies typically address betterment, and what are the potential implications for the insured?

“Betterment” in cyber insurance refers to improvements made to a system during restoration after a cyber incident that result in the system being more valuable or secure than it was before the incident. For example, if a company’s server is compromised and, during restoration, the company upgrades to a newer, more secure operating system, the upgrade represents betterment. Cyber insurance policies often address betterment by excluding coverage for the incremental cost of the improvement. The rationale is that the insured is receiving a benefit beyond simply being made whole. The policy might cover the cost of restoring the system to its original state but not the additional cost of the upgrade. This can have significant implications for the insured, as they may need to bear the cost of the betterment themselves. Policy language regarding “like kind and quality” or “pre-loss condition” is critical in determining how betterment is handled. Insureds should understand these provisions to avoid unexpected out-of-pocket expenses during the claims process.

Discuss the role of “affirmative” cyber insurance coverage versus “silent” cyber coverage in the context of a standard commercial general liability (CGL) policy. What are the potential risks and benefits of each approach for both the insurer and the insured in South Dakota?

“Affirmative” cyber insurance coverage explicitly addresses cyber risks within a dedicated cyber insurance policy. “Silent” cyber coverage refers to the potential for a standard commercial general liability (CGL) policy to respond to cyber-related losses, even if cyber risks are not explicitly mentioned or excluded. The risks of silent cyber for insurers include unintended exposure to cyber losses under policies not designed for such risks, potentially leading to underpricing and inadequate reserves. For insureds, the risk is uncertainty about whether their CGL policy will cover cyber incidents. Affirmative cyber coverage offers clarity and tailored protection, but it comes at an additional cost. In South Dakota, the benefits of affirmative coverage for insurers include better risk management and pricing, while for insureds, it provides comprehensive protection and clear coverage terms. The risks of affirmative coverage are the cost of the premium and the potential for gaps in coverage if the policy is not properly tailored to the insured’s specific needs. The South Dakota Division of Insurance encourages clear policy language to avoid ambiguity regarding cyber coverage.

Explain the concept of “social engineering” in the context of cyber insurance, and describe the types of losses that might be covered under a cyber insurance policy resulting from a successful social engineering attack. What steps can an insured take to mitigate the risk of social engineering attacks and potentially reduce their cyber insurance premiums?

“Social engineering” refers to the manipulation of individuals to divulge confidential information or perform actions that compromise security. In cyber insurance, social engineering attacks, such as phishing or business email compromise (BEC), can lead to significant financial losses. A cyber insurance policy may cover losses resulting from social engineering, including fraudulent transfer of funds, direct financial losses, and costs associated with investigating and remediating the incident. Coverage often depends on specific policy language and endorsements. To mitigate the risk of social engineering attacks and potentially reduce cyber insurance premiums, an insured can implement several measures. These include employee training programs on identifying and avoiding phishing scams, implementing multi-factor authentication, establishing strict protocols for verifying payment requests, and regularly auditing security controls. Demonstrating a proactive approach to security can make an insured more attractive to insurers and potentially lead to lower premiums. South Dakota law does not specifically address social engineering, but general fraud statutes may apply.

Discuss the “war exclusion” commonly found in cyber insurance policies. How has the interpretation of this exclusion evolved in the context of state-sponsored cyberattacks, and what are the potential challenges in determining whether a cyberattack qualifies as an act of war?

The “war exclusion” in cyber insurance policies typically excludes coverage for losses resulting from acts of war, insurrection, or similar events. The interpretation of this exclusion has become increasingly complex in the context of state-sponsored cyberattacks, as it can be challenging to attribute an attack to a specific nation-state and to determine whether the attack constitutes an act of war. Traditional definitions of war, involving armed conflict between nations, may not easily apply to cyberattacks. Potential challenges in determining whether a cyberattack qualifies as an act of war include the difficulty of attribution, the lack of clear international legal standards for cyber warfare, and the potential for deniability by state actors. Insurers and insureds may disagree on whether a particular cyberattack falls within the war exclusion, leading to coverage disputes. Courts may need to consider factors such as the intent of the attacker, the severity of the attack, and the involvement of state actors in determining whether the exclusion applies. The South Dakota Division of Insurance encourages clear policy language to address these evolving risks.

Explain the concept of “first-party” versus “third-party” coverage in cyber insurance policies. Provide specific examples of the types of losses that would be covered under each type of coverage, and discuss the importance of understanding these distinctions when selecting a cyber insurance policy in South Dakota.

“First-party” coverage in cyber insurance protects the insured against direct losses they incur as a result of a cyber incident. Examples include costs for data recovery, business interruption losses, forensic investigations, notification expenses, and public relations expenses. “Third-party” coverage, on the other hand, protects the insured against claims made by third parties who have been harmed as a result of the insured’s cyber incident. Examples include legal defense costs, settlements, and judgments resulting from lawsuits alleging negligence, privacy violations, or data breaches. Understanding these distinctions is crucial when selecting a cyber insurance policy in South Dakota because it allows the insured to tailor the policy to their specific risks and needs. A business that handles sensitive customer data, for example, may need robust third-party coverage to protect against potential lawsuits. A business that relies heavily on its IT systems may need strong first-party coverage to cover business interruption losses. Carefully evaluating the policy’s definitions of first-party and third-party coverage and ensuring that the policy adequately addresses the insured’s specific risks is essential for effective cyber risk management.

How does the principle of “reasonable security” as it relates to South Dakota’s data breach notification law (SDCL 22-40-1) influence the underwriting process for cyber insurance policies, and what specific due diligence steps should an insurer take to assess an applicant’s adherence to this principle?

The principle of “reasonable security” under SDCL 22-40-1 significantly impacts cyber insurance underwriting. It requires entities to implement and maintain reasonable security measures to protect personal information from unauthorized access, use, modification, or disclosure. Insurers must assess an applicant’s security posture to determine the risk of a data breach and appropriately price the policy. Due diligence steps should include: reviewing the applicant’s written information security program (WISP) to ensure it aligns with industry best practices (e.g., NIST Cybersecurity Framework, ISO 27001); evaluating the applicant’s data encryption practices, access controls, and vulnerability management program; assessing the applicant’s employee training programs on cybersecurity awareness; and verifying the applicant’s incident response plan. Insurers should also consider the size and nature of the applicant’s business, the type of personal information they collect and store, and the potential impact of a data breach. Failure to demonstrate reasonable security measures can lead to higher premiums or denial of coverage. The South Dakota Division of Insurance may also consider these factors when evaluating an insurer’s underwriting practices.

Explain the interplay between South Dakota’s data breach notification law (SDCL 22-40-1) and the potential coverage triggers within a cyber insurance policy, specifically focusing on how the definition of “personal information” and the determination of a “breach of security” affect claim eligibility.

The interplay between SDCL 22-40-1 and cyber insurance coverage is crucial. SDCL 22-40-1 defines “personal information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements: social security number, driver’s license number or other state identification number, or an account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. A “breach of security” is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity. Cyber insurance policies typically cover costs associated with data breach response, including notification expenses, credit monitoring services, legal fees, and potential regulatory fines. A claim is triggered when a “breach of security” occurs as defined by SDCL 22-40-1, and the compromised data falls within the policy’s definition of “personal information.” Insurers will scrutinize the incident to determine if it meets both the statutory and policy definitions. For example, if only encrypted data is accessed, it may not constitute a “breach of security” under SDCL 22-40-1 if the encryption key was not also compromised, potentially impacting claim eligibility. The specific wording of the policy and the interpretation of SDCL 22-40-1 are critical in determining coverage.

Discuss the implications of the South Dakota Insurance Code regarding unfair trade practices (SDCL 58-33) on the marketing and sale of cyber insurance policies, particularly concerning the accurate representation of coverage limitations and exclusions related to acts of war or terrorism.

SDCL 58-33 prohibits unfair trade practices in the insurance industry, including misrepresentation and false advertising. This has significant implications for the marketing and sale of cyber insurance. Insurers must accurately represent the scope of coverage, including any limitations or exclusions. A common exclusion in cyber policies relates to acts of war or terrorism. Insurers must clearly and conspicuously disclose the definition of “war” or “terrorism” used in the policy and explain how these events could trigger the exclusion. Ambiguous language or failure to adequately disclose the exclusion could be considered a misrepresentation under SDCL 58-33. For example, if a policy excludes coverage for cyberattacks attributed to a nation-state, the insurer must clearly define what constitutes attribution and the level of evidence required. Failure to do so could lead to disputes and potential regulatory action by the South Dakota Division of Insurance. Insurers must ensure their marketing materials and policy documents are transparent and avoid misleading consumers about the extent of coverage.

How do the principles of risk management, as outlined in generally accepted cybersecurity frameworks (e.g., NIST Cybersecurity Framework), influence the underwriting process for cyber insurance in South Dakota, and what specific documentation should insurers require to demonstrate an applicant’s risk management maturity?

Risk management principles are central to cyber insurance underwriting. Insurers assess an applicant’s risk management maturity to determine the likelihood and potential impact of a cyber incident. Frameworks like the NIST Cybersecurity Framework provide a structured approach to risk management, encompassing identification, protection, detection, response, and recovery. Insurers should require documentation demonstrating an applicant’s adherence to these principles. This includes: a documented risk assessment identifying critical assets, vulnerabilities, and threats; a written information security program (WISP) outlining security policies and procedures; evidence of regular vulnerability scanning and penetration testing; documentation of security awareness training for employees; an incident response plan detailing procedures for handling cyber incidents; and business continuity and disaster recovery plans. The level of documentation required should be commensurate with the size and complexity of the applicant’s business. Insurers may also use questionnaires, interviews, and independent security audits to assess risk management maturity. A robust risk management program can lead to lower premiums and broader coverage terms.

Discuss the potential legal and financial ramifications for an insurance company in South Dakota if it fails to adequately assess and price cyber risks, leading to widespread underinsurance or adverse selection within its cyber insurance portfolio. Reference relevant sections of the South Dakota Insurance Code.

Failure to adequately assess and price cyber risks can expose an insurer to significant legal and financial ramifications in South Dakota. Underinsurance occurs when policyholders have insufficient coverage to address potential losses, while adverse selection arises when the insured population disproportionately consists of high-risk entities. SDCL 58-33, regarding unfair trade practices, could be invoked if an insurer’s pricing is deemed unfairly discriminatory or if it misrepresents the scope of coverage. Furthermore, SDCL 58-6-33 addresses the solvency requirements for insurance companies. A poorly managed cyber insurance portfolio with widespread underinsurance or adverse selection could threaten an insurer’s solvency if a major cyber event triggers numerous claims exceeding available reserves. The South Dakota Division of Insurance has the authority to conduct financial examinations (SDCL 58-3-1) and take corrective action if an insurer’s financial condition is deemed unsound. This could include requiring the insurer to increase its reserves, restrict its underwriting activities, or even face liquidation. Prudent risk management and actuarial analysis are essential to avoid these consequences.

Explain how the concept of “vicarious liability” might apply to a South Dakota business that purchases cyber insurance, particularly in the context of a data breach caused by a third-party vendor or service provider. How should a cyber insurance policy address this risk?

Vicarious liability holds a business responsible for the actions of its agents or contractors. In the context of cyber insurance, a South Dakota business could be held liable for a data breach caused by a third-party vendor if the vendor was acting on behalf of the business and the breach involved the business’s data. This is especially relevant given the increasing reliance on cloud services and other outsourced IT functions. A cyber insurance policy should address this risk by including coverage for liabilities arising from the actions of third-party vendors. This coverage may be subject to certain conditions, such as requiring the business to have conducted due diligence on the vendor’s security practices and to have a contract in place that holds the vendor liable for breaches caused by their negligence. The policy should also define the scope of coverage for vendor-related incidents, including notification costs, legal fees, and potential regulatory fines. Businesses should carefully review their cyber insurance policies to ensure they adequately address the risk of vicarious liability arising from third-party relationships. Insurers may require businesses to provide evidence of their vendor risk management program as part of the underwriting process.

Describe the key differences between “first-party” and “third-party” coverage components within a cyber insurance policy, and provide specific examples of expenses that would typically be covered under each component in the event of a ransomware attack affecting a South Dakota-based business.

Cyber insurance policies typically include both first-party and third-party coverage components. First-party coverage protects the insured business against its own direct losses resulting from a cyber incident. Third-party coverage protects the insured business against claims made by others (e.g., customers, vendors) who have been harmed by the cyber incident.

In the event of a ransomware attack affecting a South Dakota-based business, first-party coverage might include: business interruption losses (lost profits due to downtime), data recovery costs (expenses to restore encrypted data from backups or pay a ransom), forensic investigation costs (expenses to determine the cause and extent of the attack), notification costs (expenses to notify affected customers as required by SDCL 22-40-1), and public relations expenses (costs to manage the business’s reputation).

Third-party coverage might include: legal defense costs (expenses to defend against lawsuits filed by customers or other third parties), settlement or judgment costs (payments to compensate third parties for their losses), and regulatory fines and penalties (if the business is found to have violated privacy laws).

The specific coverage terms and conditions will vary depending on the policy.

Last Updated: 16 August 25