Verified policy facts (sourced from 2024-05-01)
{
"exclusions": [
"Betterment — costs of updating, upgrading, enhancing or replacing a Company Computer System beyond its pre-event level, or removing software program errors or vulnerabilities",
"Bodily injury and property damage — physical injury, mental illness, sickness, disease, death, or loss/damage/destruction of tangible property",
"Government entity or public authority — seizure, confiscation or nationalisation of a Company Computer System by order of any government entity or public authority",
"Infrastructure failure — electrical or mechanical failure of infrastructure not under the control of a Company, including electrical power interruption, surge, brownout or blackout, failure of telephone lines, Data transmission lines, or other telecommunications or networking infrastructure (subject to carve-back for Security Failure or Breach of Confidential Information caused by such failure)",
"Internal/staff costs — payroll, fees, benefits, overheads or internal charges of any kind incurred by a Company",
"Patent/trade secret — infringement of patents, loss of rights to secure registration of patents, or misappropriation of trade secrets by or for the benefit of a Company",
"War and terrorism — war (whether declared or not), terrorism (except Cyber Terrorism), invasion, use of military force, civil war, popular or military rising, rebellion or revolution, or any action taken to hinder or defend against any of these events",
"Anti-trust — actual or alleged antitrust violation, restraint of trade, unfair competition or unfair or deceptive business practices, including violation of any consumer protection law",
"Assumed liability, guarantee, warranty — liability assumed under contract or agreement except to the extent it would have attached in absence of such contract (subject to carve-backs for contractual obligations to prevent Security Failure or Breach of Confidential Information, confidentiality agreements, and PCI-DSS obligations)",
"Employment practices liability — wrongful dismissal, discharge or termination, discrimination, harassment, retaliation or other employment-related Claim (subject to carve-back for Breach of Confidential Information in connection with employment)",
"Insured v Insured — Claims brought by or on behalf of an Insured against another Insured (subject to carve-back for unauthorised access/disclosure of Personal Information of Employees, directors, principals, partners or officers)",
"Securities claims — actual or alleged violation of laws relating to ownership, purchase or sale of Securities, or violation of Securities Act 1933, Securities Exchange Act 1934 or similar laws",
"Business conditions — loss of earnings or costs attributable to unfavourable business conditions (Network Interruption Coverage)",
"Liability to third parties — written demand or civil/administrative/arbitral proceedings by Third Parties or penalties paid to Third Parties (Network Interruption Coverage)",
"Trading losses — trading losses, liabilities or changes in trading account value (Network Interruption Coverage)",
"Anti-terrorism legislation — payments that would expose the Insurer to anti-terrorism legislation or regulation under UN resolutions or laws of the EU, USA or UK (Cyber Extortion Coverage)",
"Regulatory or enforcement threat by government entity or public authority (Cyber Extortion Coverage)",
"Intentional infringement of Intellectual Property (Digital Media Content Liability Coverage)",
"Internal messaging services — publication or broadcast of Digital Media on internal instant message systems, intranet, messaging boards or chat rooms",
"Financial data — misleading, deceptive or fraudulent financial data or errors in financial data publicised by the Company",
"Goods, products or services — false advertising, failure to conform to advertised quality/performance, or trademark infringement by goods/products/services in Digital Media",
"Government/regulatory action — government, regulatory, licensing or commission action or investigation (Digital Media Content Liability Coverage)",
"Ownership rights disputes — claims by independent contractors, distributors, licensees, joint venturers or employees over ownership or exercise of rights in Digital Media or services supplied",
"Royalties and other monies — accounting or recovery of profits, royalties, fees or licensing fees ordered to be paid for continued use of Intellectual Property",
"Prior known incidents — policy does not cover Claims made during the Policy Period if prior to commencement of the Policy Period the Insured became aware of facts which might give rise to those Claims"
],
"claims_basis": "Claims-made and notified basis applies to Security and Privacy Liability Coverage and Digital Media Content Liability Coverage — Claims must be first made and notified during the Policy Period. Event Management Coverage responds to Insured Events first discovered/becoming known during the Policy Period. Network Interruption Coverage responds to Insured Events first occurring during the Policy Period.",
"pci_dss_fines": "Covered under Security and Privacy Liability Coverage Section 1.2 as part of Loss — amounts payable in connection with a PCI-DSS Assessment. PCI-DSS Assessment means a written demand from a payment card association (e.g. MasterCard, Visa, American Express) or bank or servicer processing payment card transactions for a monetary amount (including fraud recovery, operational reimbursement, card reissuance costs and contractual fines and penalties) where the Company has contractually agreed to indemnify such party and the monetary assessment arises out of a Breach of Confidential Information. Coverage applies only where the specific Insured was validated as compliant with PCI-DSS prior to and at the time of the Breach of Confidential Information. Sublimit as specified in Schedule.",
"sublimits_nzd": {},
"deductible_nzd": "As specified in the Schedule — referred to as 'Retention'; no Retention applies to First Response Expenses",
"cyber_extortion": "Covered under Cyber Extortion Coverage Section 1.1. Distinct coverage section from any ransom payment description elsewhere. Loss includes: (i) payment of cash, monetary instrument, Cryptocurrency (including costs to obtain Cryptocurrency) or fair market value of property paid to prevent continuation of or end an Extortion Threat (i.e. the ransom payment itself); and (ii) Cyber Extortion Expenses — reasonable and necessary fees of a firm appointed by the Insurer or approved by the Insurer to conduct investigation into validity, cause and scope of the Extortion Threat, advise on response, contain or resolve disruption to Company Computer System, and assist in negotiating resolution. Extortion Threat covers threats to commit Breach of Confidential Information, intentional attack against Company Computer System (including ransomware), or disclose information about a vulnerability. Payments excluded to extent they would expose Insurer to anti-terrorism legislation (UN, EU, US, UK).",
"data_restoration": "Covered under Event Management Coverage as Data Recovery Expenses — reasonable and necessary fees, costs and expenses to: (i) identify lost, damaged, destroyed, encrypted or corrupted Data; (ii) determine whether such Data can be restored, repaired, recollected or recreated; and (iii) restore, recreate, repair or recollect such Data to substantially the form in which it existed immediately prior to the Insured Event, including cost to restore from backups or recreate from physical records. Bricking Recovery Expenses (if Included) also cover replacement of non-functional hardware where necessary to restore Data, with Insurer's prior written consent. Sublimit as specified in Schedule.",
"territorial_scope": "Not explicitly stated in the provided policy text — the policy references Data Protection Legislation 'in any country' and Regulators 'in any jurisdiction', but a specific territorial scope clause was not found in the extracted text.",
"notification_costs": "Covered under Event Management Coverage as Notification Expenses — reasonable and necessary fees, costs and expenses with Insurer's prior written consent for: (i) investigating and collating information; (ii) preparing notices and notifying Data Subjects whose Personal Information is reasonably believed to have been subject to unauthorised access or disclosure, Third Parties whose Corporate Information is reasonably believed to have been subject to unauthorised access or disclosure, and any relevant Regulator; and (iii) setting up and operating call centres — with regard to any actual or suspected Breach of Confidential Information. Credit Monitoring and ID Monitoring Expenses also covered separately for up to 2 years from activation per Data Subject, within 90 days of notification. Data Protection Legislation defined to include the Privacy Act 2020.",
"regulatory_defence": "Covered under Security and Privacy Liability Coverage Section 1.1 (Data Protection Investigation and Data Protection Fines). Loss for this cover includes Defence Costs and Data Protection Fines. Defence Costs are reasonable and necessary legal fees incurred with prior written consent of the Insurer in relation to investigation, response, defence, appeal or settlement of a Regulatory Investigation. Data Protection Fines means lawfully insurable fines or penalties adjudicated by a Regulator for breach of Data Protection Legislation (including the Privacy Act 2020). Regulatory Investigation means formal or official action, investigation, inquiry or audit by a Regulator arising out of use or suspected misuse of Personal Information or control, collection, storage or processing of Personal Information. Sublimit as specified in Schedule.",
"social_engineering": "Not explicitly described as a standalone 'social engineering' or 'invoice manipulation' coverage in this policy wording. Cyber Crime Coverage is referenced in the Table of Contents but the full text of that section was not included in the provided policy text. No sublimit or call-back verification condition could be confirmed from the available text.",
"aggregate_limit_nzd": "As specified in the Schedule — the buyer selects the applicable Limit of Liability for each Coverage Section and an overall aggregate as set out in the Schedule",
"pr_crisis_management": "Covered under Event Management Coverage as Reputation Protection Expenses — reasonable and necessary fees of a Public Relations Advisor providing Reputation Protection Services, being advice and support (including advice concerning media strategy and independent public relations services, and the design and management of a communications strategy) to mitigate or prevent the potential adverse effect of, or reputational damage from, media reporting of an Insured Event. Public Relations Advisor must be appointed by the Insurer or Response Advisor, or approved by the Insurer in advance. Under First Response Cover (if Included), the Public Relations Advisor may be appointed if considered necessary by the First Response Advisor or Insurer.",
"waiting_period_hours": "As specified in the Schedule — the Insured Event must exceed the 'Waiting Hours Period' specified in the Schedule before Network Interruption Coverage applies",
"business_interruption": "Covered under Network Interruption Coverage. Triggers include: Security Failure (if Security Failure Cover is Included), System Failure (if System Failure Cover is Included), Voluntary Shutdown (if Voluntary Shutdown Cover is Included), Regulatory Shutdown (if Regulatory Shutdown Cover is Included), OSP Security Failure (if OSP Security Failure Cover is Included), and OSP System Failure (if OSP System Failure Cover is Included). Coverage applies where the Material Interruption exceeds the Waiting Hours Period specified in the Schedule. Indemnity period: Network Loss is payable during the Insured Event (capped at 120 days) plus the 90 days following resolution. Network Loss is calculated on either a Net Profit and Continuing Fixed Costs basis (Option 1) or a Gross Profits basis (Option 2), plus Increased Costs of Working. OSP coverage excludes public utilities, internet service providers and securities exchanges.",
"forensic_investigation": "Covered under Event Management Coverage as IT Expenses — reasonable and necessary fees of an IT Specialist providing IT Services, including: substantiating whether an Insured Event has occurred, how it occurred and whether it is still occurring; identifying compromised Data; establishing the extent to which Confidential Information may have been compromised; containing and resolving an Insured Event and making recommendations to prevent recurrence. IT Specialist must be appointed by the Insurer or Response Advisor, or approved by the Insurer in advance. Under Cyber Extortion Coverage, Cyber Extortion Expenses cover investigation to determine validity, cause and scope of an Extortion Threat. Under Network Interruption Coverage, Loss Preparation Costs (if Included) cover reasonable professional fees of a third-party forensic accounting firm to establish, prove, verify or quantify Network Loss.",
"ransom_payment_covered": "Covered under Cyber Extortion Coverage Section 1.1. Loss includes 'any payment of cash, monetary instrument, Cryptocurrency (including the costs to obtain such Cryptocurrency) or the fair market value of any property which a Company has paid, to prevent continuation of, or end, an Extortion Threat.' Prior written consent of the Insurer is required for appointment of consultants. Payment is excluded to the extent it would expose the Insurer to any applicable anti-terrorism legislation or regulation under United Nations resolutions, and laws or regulations of the European Union, or the United States of America or the United Kingdom.",
"retroactive_date_rules": "Event Management Coverage: covers Insured Events which occurred or the Company's Responsible Officer reasonably believes occurred before or during the Policy Period, provided the Responsible Officer first becomes aware during the Policy Period. Network Interruption Coverage: covers Insured Events which first occur during the Policy Period. Security and Privacy Liability Coverage (Cyber Liability): covers Claims first made and notified during the Policy Period arising from Security Failure or Breach of Confidential Information which occurred or occurs prior to or during the Policy Period. Digital Media Content Liability: Wrongful Acts must occur on or after the Retroactive Date (as specified in Schedule) and prior to the end of the Policy Period. Specific Retroactive Date to be stated in Schedule."
}