Here are 14 in-depth Q&A study notes to help you prepare for the exam.
Explain the “failure to patch” exclusion commonly found in cyber insurance policies, detailing the insured’s responsibilities regarding software updates and security patches, and how a breach resulting from an unpatched vulnerability would be handled under such an exclusion.
The “failure to patch” exclusion in cyber insurance policies typically denies coverage for losses resulting from a cyberattack that exploits a known vulnerability for which a security patch was available but not applied by the insured within a reasonable timeframe. This exclusion highlights the insured’s responsibility to maintain a reasonable level of cybersecurity hygiene. Insurers expect policyholders to promptly install security updates and patches released by software vendors to address known vulnerabilities.
Under Tennessee insurance regulations, insurers must clearly define exclusions in their policies (Tennessee Code Annotated § 56-7-101). If a breach occurs due to an unpatched vulnerability, the insurer will investigate whether the insured was aware of the available patch, the timeframe for its application, and the reasons for the delay. If the insurer determines that the insured unreasonably failed to apply the patch, leading directly to the breach, the claim may be denied based on the “failure to patch” exclusion. The burden of proof generally falls on the insurer to demonstrate that the exclusion applies. Policyholders should maintain detailed records of patch management activities to demonstrate compliance with reasonable security practices.
Discuss the implications of the “War Exclusion” within a cyber insurance policy, particularly in the context of state-sponsored cyberattacks. How does an insurer determine if a cyberattack qualifies as an act of war, and what evidence is considered in making such a determination?
The “War Exclusion” in cyber insurance policies typically excludes coverage for losses arising from acts of war, including cyber warfare. This exclusion is intended to protect insurers from catastrophic losses resulting from large-scale, state-sponsored cyberattacks. Determining whether a cyberattack qualifies as an act of war can be complex and often involves legal and geopolitical considerations.
Insurers typically consider several factors when assessing whether the War Exclusion applies. These factors may include attribution (identifying the perpetrator of the attack), the scale and severity of the attack, the target of the attack (e.g., critical infrastructure, government entities), and the geopolitical context in which the attack occurred. Evidence considered may include intelligence reports from government agencies, cybersecurity firm analyses, and public statements by government officials.
Tennessee insurance regulations require that policy exclusions be clearly and unambiguously defined (Tennessee Code Annotated § 56-7-101). The insurer bears the burden of proving that the War Exclusion applies. Given the complexities of attribution and the evolving nature of cyber warfare, the application of the War Exclusion in cyber insurance claims can be highly contentious and may require expert legal interpretation.
Explain the concept of “Betterment” in the context of cyber insurance claims related to data restoration and system upgrades following a cyber incident. How do insurers typically handle situations where restoring a system to its pre-incident state involves implementing security enhancements or upgrades?
“Betterment” in cyber insurance refers to improvements or upgrades made to a system during the restoration process following a cyber incident that result in the system being more valuable or secure than it was before the incident. Insurers generally aim to restore the insured to their pre-loss condition, but they typically do not cover the costs of betterment.
In situations where restoring a system involves implementing security enhancements or upgrades, insurers may take different approaches. Some policies may explicitly exclude coverage for betterment, while others may allow for coverage of necessary upgrades to meet minimum security standards or regulatory requirements. The insurer may cover the cost of restoring the system to its original state, but not the incremental cost of the upgrades.
Tennessee insurance law requires fair and reasonable claims handling practices (Tennessee Code Annotated § 56-8-104). Insurers must clearly explain their position on betterment and provide a reasonable basis for any denial of coverage. Policyholders should carefully review their policy language and discuss any potential betterment issues with their insurer during the claims process. Documentation of pre-incident system configurations and the costs associated with restoration and upgrades is crucial for resolving betterment disputes.
Describe the role of “Forensic Accounting” in a cyber insurance claim involving business interruption losses. What specific financial records and analyses are typically reviewed by forensic accountants to determine the extent of the insured’s financial losses resulting from a cyber incident?
Forensic accounting plays a crucial role in cyber insurance claims involving business interruption losses. Forensic accountants are engaged to independently assess the financial impact of a cyber incident on the insured’s business operations. Their objective is to determine the actual financial losses sustained by the insured as a direct result of the incident.
Forensic accountants typically review a wide range of financial records and analyses, including: general ledgers, profit and loss statements, balance sheets, sales records, customer invoices, payroll records, tax returns, bank statements, and contracts. They analyze these records to identify lost revenue, increased expenses, and other financial impacts resulting from the cyber incident. They also assess the insured’s business interruption plan and its effectiveness in mitigating losses.
Tennessee insurance regulations require insurers to conduct a thorough and impartial investigation of all claims (Tennessee Code Annotated § 56-8-104). The forensic accountant’s findings provide an objective basis for determining the amount of business interruption losses covered under the policy. Policyholders should cooperate fully with the forensic accountant and provide all necessary documentation to facilitate the claims process.
Discuss the concept of “Contingent Business Interruption” coverage in cyber insurance policies. Provide examples of scenarios where a cyberattack on a third-party vendor or service provider could trigger contingent business interruption coverage for the insured.
Contingent Business Interruption (CBI) coverage in cyber insurance extends business interruption coverage to losses resulting from a cyberattack on a third-party vendor or service provider that the insured relies upon for its business operations. This coverage recognizes that a cyber incident affecting a key supplier, customer, or service provider can disrupt the insured’s business even if the insured’s own systems are not directly compromised.
Examples of scenarios where a cyberattack on a third party could trigger CBI coverage include: a ransomware attack on a cloud service provider that hosts the insured’s critical applications, a data breach at a payment processor that disrupts the insured’s ability to process customer payments, or a supply chain attack that compromises a key supplier’s ability to deliver essential components to the insured.
Under Tennessee insurance law, CBI coverage is subject to the terms and conditions of the policy (Tennessee Code Annotated § 56-7-101). The policy typically requires a direct causal link between the cyberattack on the third party and the insured’s business interruption losses. Policyholders should carefully review their policy language to understand the scope of CBI coverage and the requirements for making a claim.
Explain the “Social Engineering” coverage component of a cyber insurance policy. What types of fraudulent schemes are typically covered under this provision, and what measures can insureds take to mitigate their risk of social engineering losses?
“Social Engineering” coverage in cyber insurance policies provides protection against losses resulting from fraudulent schemes that manipulate individuals into divulging confidential information or transferring funds. These schemes often involve impersonating trusted individuals, such as executives or vendors, to deceive employees into taking actions that benefit the fraudsters.
Types of fraudulent schemes typically covered under this provision include: phishing attacks, business email compromise (BEC), and invoice manipulation. In a BEC attack, for example, a fraudster might impersonate a CEO and instruct an employee to transfer funds to a fraudulent account. Social engineering coverage can help cover the financial losses resulting from such fraudulent transfers.
To mitigate the risk of social engineering losses, insureds should implement robust security awareness training programs for employees, implement multi-factor authentication for critical systems, verify payment requests and fund transfer instructions through multiple channels, and establish clear protocols for handling sensitive information. Tennessee insurance regulations emphasize the importance of risk management and loss prevention (Tennessee Code Annotated § 56-8-104). Insurers may offer premium discounts to policyholders who implement effective security measures to reduce their risk of social engineering losses.
Describe the “Notification Costs” coverage typically included in cyber insurance policies. What expenses are generally covered under this provision, and what are the insured’s responsibilities regarding data breach notification under Tennessee law?
“Notification Costs” coverage in cyber insurance policies provides reimbursement for expenses associated with notifying affected individuals and regulatory agencies following a data breach. These expenses can include: forensic investigations to determine the scope of the breach, legal advice to ensure compliance with notification laws, costs of preparing and sending notification letters or emails, credit monitoring services for affected individuals, and public relations services to manage the reputational impact of the breach.
Under Tennessee’s data breach notification law (Tennessee Code Annotated § 47-18-2101 et seq.), businesses that experience a data breach involving personal information are required to notify affected Tennessee residents within a reasonable timeframe. The notification must include specific information about the breach, the type of personal information compromised, and steps individuals can take to protect themselves from identity theft.
Cyber insurance policies with notification costs coverage can help insureds comply with these legal requirements and mitigate the financial impact of a data breach. Insurers may require policyholders to follow specific notification procedures and use approved vendors for notification services. Policyholders should consult with legal counsel to ensure compliance with all applicable data breach notification laws.
How does the Tennessee Department of Commerce and Insurance (TDCI) define a “cybersecurity event” that would trigger notification requirements for insurers offering cyber insurance policies in the state, and what specific elements must be included in the notification to the TDCI?
The TDCI defines a “cybersecurity event” broadly, encompassing any event that results in unauthorized access to, disruption of, or misuse of an information system or the information stored on it. This definition is crucial because it triggers specific notification requirements for insurers. Tennessee law, particularly Title 56 of the Tennessee Code, mandates that insurers offering cyber insurance policies notify the TDCI within a specified timeframe (often 72 hours) upon the discovery of a cybersecurity event that has a reasonable likelihood of materially harming consumers or the insurer’s operations.
The notification must include a detailed description of the event, the type of information compromised (if any), the insurer’s response plan, and any steps taken to mitigate the damage. Failure to comply with these notification requirements can result in penalties, including fines and potential suspension of the insurer’s license to operate in Tennessee. The TDCI’s focus is on ensuring transparency and prompt action to protect consumers and the stability of the insurance market.
Explain the “reasonable security measures” standard that Tennessee law expects insurers to maintain to protect consumer data, and provide examples of specific security controls that would likely satisfy this standard in the context of cyber insurance underwriting and claims processing.
Tennessee law requires insurers to implement and maintain “reasonable security measures” to protect consumer data from unauthorized access, use, or disclosure. This standard, while not explicitly defined with a prescriptive checklist, is generally interpreted to align with industry best practices and regulatory guidance, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the NAIC Insurance Data Security Model Law.
Examples of specific security controls that would likely satisfy this standard include: (1) Implementing a comprehensive information security program with documented policies and procedures; (2) Conducting regular risk assessments to identify and address vulnerabilities; (3) Employing strong access controls, including multi-factor authentication and role-based access; (4) Encrypting sensitive data both in transit and at rest; (5) Implementing intrusion detection and prevention systems; (6) Providing regular cybersecurity awareness training to employees; (7) Maintaining a robust incident response plan; and (8) Overseeing third-party service providers to ensure they also maintain adequate security measures.
The TDCI expects insurers to demonstrate a proactive and risk-based approach to cybersecurity, continuously adapting their security controls to address evolving threats.
Discuss the potential legal and financial ramifications for an insurer in Tennessee that experiences a data breach resulting from a known vulnerability that was not patched in a timely manner, despite the availability of a security update from the software vendor.
An insurer in Tennessee that experiences a data breach due to a failure to patch a known vulnerability faces significant legal and financial ramifications. Tennessee’s data breach notification law (Tennessee Code Annotated § 47-18-2101 et seq.) requires businesses, including insurers, to notify affected individuals and the TDCI in the event of a data breach involving personally identifiable information (PII). Failure to provide timely and accurate notification can result in civil penalties. Furthermore, the TDCI has the authority to investigate data breaches and take enforcement actions against insurers that fail to maintain reasonable security measures, as required by Tennessee insurance regulations. This could include fines, cease and desist orders, and even suspension or revocation of the insurer’s license.
Financially, the insurer could face significant costs associated with data breach response, including forensic investigations, notification expenses, credit monitoring services for affected individuals, and potential litigation from consumers or other parties. The insurer may also experience reputational damage, leading to loss of customers and market share. The TDCI will likely consider the insurer’s failure to patch a known vulnerability as evidence of negligence and a failure to implement reasonable security measures, increasing the likelihood of severe penalties.
Explain the concept of “affirmative cyber coverage” versus “silent cyber coverage” in the context of insurance policies offered in Tennessee, and discuss the regulatory concerns associated with silent cyber coverage.
“Affirmative cyber coverage” refers to insurance policies that explicitly cover cyber-related risks, such as data breaches, network intrusions, and cyber extortion. These policies clearly define the scope of coverage, exclusions, and limitations related to cyber events. In contrast, “silent cyber coverage” refers to the potential for cyber-related losses to be covered under traditional insurance policies (e.g., property, general liability) that do not explicitly address cyber risks. This can occur when a cyber event triggers a loss that arguably falls within the scope of the traditional policy’s coverage, even though the policy was not designed to cover cyber risks.
Regulatory concerns associated with silent cyber coverage stem from the uncertainty and ambiguity it creates for both insurers and policyholders. Insurers may underestimate their exposure to cyber risks if they do not adequately assess the potential for cyber-related losses to be covered under their traditional policies. Policyholders, on the other hand, may be uncertain about the extent to which their traditional policies will cover cyber losses. This lack of clarity can lead to disputes and litigation. The TDCI, along with other state insurance regulators, is actively working to address the issue of silent cyber by encouraging insurers to clarify their policy language and explicitly address cyber risks, either through affirmative cyber coverage or clear exclusions.
Describe the role of the Tennessee Insurance Guaranty Association (TIGA) in the event of an insurer insolvency related to cyber insurance claims, and what limitations, if any, exist on TIGA’s coverage of such claims.
The Tennessee Insurance Guaranty Association (TIGA) provides a safety net for policyholders in the event that an insurance company becomes insolvent and is unable to pay claims. TIGA is funded by assessments on solvent insurance companies operating in Tennessee. In the context of cyber insurance, TIGA would step in to pay covered claims under cyber insurance policies issued by an insolvent insurer, subject to certain limitations. These limitations typically include a maximum claim amount per policyholder (e.g., $500,000) and may exclude certain types of claims, such as those related to punitive damages or claims made by affiliated entities of the insolvent insurer.
TIGA’s coverage is not unlimited; it is designed to protect policyholders from undue hardship in the event of an insurer insolvency. The specific limitations on TIGA’s coverage are outlined in Tennessee law (Tennessee Code Annotated § 56-12-101 et seq.) and TIGA’s plan of operation. Policyholders with cyber insurance policies should be aware of these limitations and consider purchasing coverage from financially stable insurers to minimize the risk of loss due to insurer insolvency.
How do Tennessee’s unfair trade practices laws, specifically Tennessee Code Annotated § 56-8-104, apply to the marketing and sale of cyber insurance policies, and what specific misrepresentations or omissions could lead to regulatory action by the TDCI?
Tennessee Code Annotated § 56-8-104 outlines unfair methods of competition and unfair or deceptive acts or practices in the business of insurance. This law applies directly to the marketing and sale of cyber insurance policies in Tennessee.
Several specific misrepresentations or omissions could lead to regulatory action by the TDCI. Examples include: (1) Misrepresenting the scope of coverage provided by the policy, such as exaggerating the types of cyber events covered or failing to disclose material exclusions or limitations; (2) Making false or misleading statements about the insurer’s financial stability or ability to pay claims; (3) Failing to disclose material facts about the policy, such as the deductible, premium, or claims process; (4) Using deceptive or misleading advertising to promote the policy; (5) Failing to provide a clear and accurate explanation of the policy’s terms and conditions; and (6) Making false or disparaging statements about competing cyber insurance policies or insurers.
The TDCI has the authority to investigate complaints of unfair trade practices and take enforcement actions against insurers that violate § 56-8-104, including issuing cease and desist orders, imposing fines, and suspending or revoking the insurer’s license. Insurers must ensure that their marketing and sales materials are accurate, truthful, and not misleading to avoid regulatory scrutiny.
Discuss the ethical considerations for insurance professionals in Tennessee when advising clients on the purchase of cyber insurance, particularly in situations where the client may not fully understand the complexities of cyber risk or the specific terms and conditions of the policy.
Insurance professionals in Tennessee have an ethical obligation to act in the best interests of their clients when advising them on the purchase of cyber insurance. This obligation is rooted in the principles of fiduciary duty and professional responsibility. When advising clients who may not fully understand the complexities of cyber risk or the specific terms and conditions of a cyber insurance policy, insurance professionals must take extra care to ensure that the client is making an informed decision.
This includes: (1) Providing a clear and understandable explanation of cyber risk and the potential impact on the client’s business; (2) Assessing the client’s specific needs and vulnerabilities to determine the appropriate level of coverage; (3) Explaining the key terms and conditions of the policy, including coverage limits, exclusions, and deductibles; (4) Avoiding the use of technical jargon or overly complex language; (5) Disclosing any potential conflicts of interest; (6) Recommending the most suitable policy for the client’s needs, even if it is not the most profitable option for the insurance professional; and (7) Documenting the advice provided to the client and the reasons for recommending a particular policy.
Failure to act ethically can result in disciplinary action by the TDCI, including fines, suspension, or revocation of the insurance professional’s license. Moreover, it can damage the insurance professional’s reputation and erode client trust.