Verified policy facts (sourced from 2023-11-01)
{
"exclusions": [
"Anti-competitive Conduct (5.1): any contravention of any competition or anti-trust law by an insured.",
"Anti-spam Laws (5.2): any contravention of any law prohibiting the sending of unsolicited electronic communications by an insured.",
"Associates (5.3): any claim by, on behalf of, or for the benefit of any insured or any family member (unless the family member is acting without any prior direct or indirect solicitation or co-operation from the insured).",
"Assumed Liability (5.4): any obligation assumed by an insured under any agreement (with carve-outs for Automatic Extension 3.15 (Payment Card Breach Event), liability implied by law, and obligations of confidentiality).",
"Betterment (5.5): any betterment, upgrade or improvement to the insured's systems which was not part of the insured's systems immediately prior to a covered event (does not apply to Automatic Extension 3.19).",
"Bodily Injury (5.6): the death of, or bodily injury or illness to, any person.",
"Deliberate Acts (5.7): any act or failure to act by the policyholder or any subsidiary intended to cause loss, injury or damage, or that a reasonable person would expect to cause loss, injury or damage.",
"Discrimination and Harassment (5.8): any actual or alleged sexual, racial or other harassment; sexual molestation; or discrimination or victimisation on the basis of sex, race, disability, sexual orientation, religious belief, age, or any other kind.",
"Directors and Officers (5.9): any actual or alleged breach by an insured of its duties as a director or secretary of a corporate body.",
"Employment (5.10): any actual or alleged breach by an insured of its obligations as an employer or potential employer, or harassment, bullying or discrimination by an insured against any person.",
"Failure of Infrastructure and Utilities (5.11): any failure, outage in or disruption of internet services, telecommunications services, power, utility services or other services not under the direct operational control of an insured or service provider (service provider excludes internet service providers, telecommunications service providers and utility service providers for this purpose).",
"Failure to Renew Contracts with Service Providers (5.12): any failure by an insured or service provider to renew contracts with service providers or any disruption arising from suspension of services due to acts or omissions of an insured, including suspension or revocation of a domain name from failure to renew.",
"Fraud and Dishonesty (5.13): any actual or alleged reckless, fraudulent, dishonest, malicious or criminal act or omission by an insured or its consultants, sub-contractors or agents, or any wilful breach of any statute, regulation, contract or duty (applies only where established by admission or adjudication).",
"Insolvency (5.14): any bankruptcy, administration, liquidation or insolvency of an insured or any other person, including a service provider.",
"Intellectual Property (5.15): any infringement or alleged infringement of any intellectual property right including copyright, patent, trade mark, design or circuit layout rights; use of software in breach of licence terms; or decline in value of any intellectual property asset as a result of unauthorised access or disclosure (does not apply to media liability events).",
"Internal Costs (5.16): any internal or overhead expenses (including wages, salary, overtime and benefits) of an insured or the cost of an insured's time (does not apply to calculation of business interruption loss).",
"Natural Disasters (5.17): any fire, explosion, lightning strike, wind, water, rain, hail, flood, tsunami, earthquake, landslide, volcanic eruption, Act of God or other natural event however caused.",
"Pollution and Radioactive Contamination (5.18): asbestos-related loss; ionising radiation or radioactive contamination from nuclear fuel or waste; radioactive, toxic, explosive or other hazardous properties of any explosive nuclear assembly; actual, alleged or threatened discharge of pollutants; electromagnetic field, electromagnetic radiation or electromagnetism.",
"Professional Indemnity (5.19): any claim arising from or attributable to any negligent act, error or omission, or any breach of contract in the provision of any service or supply of any products by the insured.",
"Prior Known Facts (5.20): any claim arising from facts or circumstances known, or which ought reasonably to have been known, by an insured prior to the insurance period; facts notifiable under any previous policy; pending or prior litigation; or any fact referred to in the proposal or notified under any previous like policy.",
"Property Damage (5.21): the loss or destruction of, or damage to, any tangible property, excluding data and software (does not apply to Automatic Extension 3.19 Hardware Repair or Replacement).",
"Sanctions Limitation (5.22): any claim or loss to the extent that such cover, payment, service, benefit and/or any business or activity of the insured would violate any applicable trade or economic sanctions or any law or any regulation worldwide.",
"Securities (5.23): any actual or alleged violation of any law, regulation or rule relating to the ownership, purchase, sale or offer of, or solicitation of an offer to purchase or sell, securities.",
"Trading Losses (5.24): any trading losses or trading liabilities.",
"Tax (5.25): any taxes incurred by an insured including any penalty tax, costs, interest or fees and expenses in connection with any tax liability.",
"War and Terrorism (5.26): any consequence of war, invasion, acts of foreign enemies, military hostilities, civil war, rebellion, revolution, or insurrection; any act of terrorism; or any action taken in controlling, preventing, suppressing or relating to the foregoing (this exclusion shall not apply to cyber terrorism).",
"Wear and Tear (5.27): any defects in, ordinary wear and tear in relation to, or faulty design or installation of, the hardware components of the insured's systems or external systems."
],
"claims_basis": "This is partly a claims made and notified policy and partly a discovery policy. Covers: (a) claims first made or commenced against an insured and reported to us during the insurance period, resulting from covered events which first occurred after the retroactive date; and (b) covered events first discovered and reported to us as soon as practicable during the insurance period.",
"pci_dss_fines": "Covered under Automatic Extension 3.15 (Payment Card Breach Event): all fines, penalties and other amounts which the insured is legally obliged to pay to the insured's acquiring bank or payment processor as a direct result of a payment card breach event. Payment card breach event (definition 6.38) includes unintentional or unauthorised disclosure of payment card data and breach of any Payment Card Industry Digital Security Standard. Sub-limit as specified in the schedule. Exclusion 5.4 (Assumed Liability) does not apply to Automatic Extension 3.15.",
"sublimits_nzd": {},
"deductible_nzd": "Deductible means the amount stated in the schedule; deductible is inclusive of defence costs unless otherwise specified in the schedule",
"cyber_extortion": "Covered under Automatic Extension 3.7 (Cyber Extortion): (a) reasonable fees, costs and expenses to engage an approved provider to advise on whether and how to respond to a cyber extortion demand; and (b) monies paid with our prior written consent and which payment is legally permitted in satisfaction of a cyber extortion demand. Cyber extortion demand (definition 6.12) means a demand by a third party for payment to terminate an existing cyber event or data breach event or to prevent or avoid a threatened cyber event or data breach event. Distinct from ransom payment in that it encompasses both consultant/advisory fees and the actual ransom payment. Sanctions exclusion (5.22) applies.",
"data_restoration": "Covered under Automatic Extension 3.18 (Restoration Costs): reasonable fees, costs and expenses necessarily incurred to engage an approved provider to restore, repair and/or replace data and software that have been lost, corrupted or damaged as a result of a cyber event or data breach event, including the cost of purchasing replacement licenses for software where necessary. Sub-limit as specified in the schedule.",
"territorial_scope": "Unless otherwise stated in the schedule, cover extends to the conduct of an insured anywhere in the world (General Condition 8.8) and to loss with respect to a claim brought and maintained anywhere in the world (General Condition 8.9), subject to General Condition 8.9 (Jurisdictional Limitation) and Exclusion 5.22 (Sanctions Limitation) which excludes any claim or loss to the extent it would violate any applicable trade or economic sanctions or any law or regulation worldwide.",
"notification_costs": "Covered under Automatic Extension 3.14: reasonable fees, costs and expenses necessarily incurred to engage an approved provider to (a) notify any government authority, affected individual or other person or entity of a cyber event, data breach event or media liability event; (b) facilitate inbound communications from affected individuals including arranging a call centre; and (c) place any public notice, announcement, disclosure or public apology about a cyber event, data breach event or media liability event — whether or not such measures are required by law. Data protection law definition references Privacy Act 2020 (NZ) and EU GDPR. Sub-limit as specified in the schedule.",
"regulatory_defence": "Covered under Insuring Clause 2.2 (Liability): loss arising from any claim resulting from a cyber event, data breach event or media liability event, where claim includes a regulatory investigation (definition 6.6(c)). Automatic Extension 3.10 (Enforceable Undertaking Expenses) covers costs of implementing compliance systems, legal fees, and charitable donations required as a condition of an enforceable undertaking accepted by a governmental, regulatory or law enforcement body as a result of a regulatory investigation. Automatic Extension 3.12 (Legal Representation Costs) covers legal advice and representation in relation to a regulatory investigation, in addition to the limit of liability. Loss definition (6.33) includes fines and penalties. Sub-limits as specified in the schedule.",
"social_engineering": "Covered under Optional Extension 4.2 (Social Engineering and Cyber Fraud) — only if indicated in the schedule. Social engineering (definition 6.50) means impersonation of an insured person, client/customer, or contractual counterparty by a third party causing an insured person to instruct a financial institution to transfer money or assets. Covers: business interruption loss from cyber fraud event; direct financial loss from cyber fraud event (provided not recoverable from any financial institution or other source); loss and defence costs from claims arising from cyber fraud event; and push-payment fraud expenses. No explicit call-back verification requirement stated in the wording. Sub-limit as specified in the schedule.",
"aggregate_limit_nzd": "Indemnity limit as specified in the schedule; total liability will not exceed the indemnity limit inclusive of all covered amounts in the aggregate for all covered events and all claims for all insureds",
"pr_crisis_management": "Covered under Automatic Extension 3.17 (Public Relations Costs): reasonable fees, costs and expenses incurred to engage an approved provider to provide advice and support as reasonably necessary to protect, or mitigate any damage to, the insured's reputation from a cyber event, data breach event or media liability event. Approved provider must be engaged with prior written consent of us or the incident response manager. Sub-limit as specified in the schedule.",
"waiting_period_hours": "Waiting period means the number of hours or days stated in the schedule from the commencement of a system outage",
"business_interruption": "Covered under Insuring Clause 2.3 for system outage caused by a cyber event; extended under Automatic Extension 3.2 for system or human error; extended under Automatic Extension 3.3 for reputational damage (from discovery until 30 days after end of system outage); Optional Extension 4.1 covers contingent business interruption loss from system outage of external systems caused by a contingent business interruption event; Optional Extension 4.2 covers business interruption loss as a direct result of a cyber fraud event. Business interruption loss is calculated on a net profit/loss before taxes basis less actual income earned and cost savings, plus reasonable mitigation costs. System outage period commences at end of waiting period and ends when system outage ends, not exceeding maximum system outage period in the schedule. Waiting period and maximum system outage period are as stated in the schedule.",
"forensic_investigation": "Covered under response costs definition (Section 6.46(b)): reasonable fees, costs and expenses incurred to engage an approved provider to investigate the cause, scope and extent of any cyber event, data breach event or media liability event. Approved providers must be engaged with prior written consent of us or the incident response manager (definition 6.2). Insured must only engage approved providers (Claim Condition 7.4); insurer is not liable for costs of non-approved providers.",
"ransom_payment_covered": "We agree to indemnify the insured for all monies paid by the insured with our prior written consent and which payment is legally permitted in satisfaction of a cyber extortion demand (Automatic Extension 3.7(b)). Sanctions exclusion applies: no payment where it would violate any applicable trade or economic sanctions or any law or any regulation worldwide (Exclusion 5.22).",
"retroactive_date_rules": "Policy covers claims resulting from covered events which first occurred after the retroactive date (Section 1(b)). Retroactive date means the date specified in the schedule but no earlier than the commencement of the insured's business (definition 6.47). Automatic Extension 3.5 (Continuous Cover) provides cover notwithstanding Exclusion 5.20 (Prior Known Facts) where DUAL was the continuous cyber liability insurer and conditions i–vi are met; in such cases DUAL has discretion to apply the terms of the policy in force when the insured first became aware or the current policy terms."
}