Looking for a temperature/gut check and maybe life advice

Word. That seems like a pretty reasonable timeline from my experience, though I know some orgs wouldn't be happy waiting a month between CVE disclosure and notification.

Assuming a traditional insurer (wasn't their fault notification was delayed), if the insured had an incident on 10/1, would it likely have been covered, rejected because they exploited a month-old vulnerability, or require a judge or something to figure out?

I guess I'm used to many of these factors being fairly obvious from police reports. Had right-of-way per the cop? Covered. Left on red while drunk? Not covered.

As long as they didn't lie on their application and purchased the right coverage, it would likely be covered regardless of when the insurer discovered the vulnerability, unless stated otherwise, or if there was some stipulation in the policy that excluded coverage for discovered vulnerabilities after policy inception (I haven't personally run across such an exclusion).

An IBM report talks about the cost impact of involving law enforcement in ransomware, and I've read that cyber can cover costs related to forensics - but is there any routine "we need a copy of the police report" kind of requirement for filing a claim?

The claim teams at the carriers usually take care of that, luckily. For example, it is common practice to notify the FBI when making a ransomware claim or if the organization experiences a large data breach. I know there are laws around data breaches regarding timely customer notifications, but I'd have to look up the specifics. Again, the insurer usually works with the proper authorities on the company's behalf, assuming they have the right coverage and proper limits. Which begs the question - what is a proper limit?

I guess that's what I'm getting at - things could be 100% at the time it was signed, but someone in Marketing signs up for a new email marketing tool, and it's no longer true.

I guess I'm thinking back to various situations at non-tech companies where people did something innocent like move a piece of equipment or prop a door open and got scolded with something like "I know it's BS, but our insurance said so".

I think that would go back to the warranties I mentioned. If you warranty that multi-factor will be on everything, it better be on and remain on everything, including the new email marketing tool. Another example - if you're an excavator, your insurer might require that you collect and file certificates of insurance from all of your subcontractors; failure to do that to protect the insurer means you didn't hold up your end of the warranty agreement.

The people who whine about "It's BS, but our insurance said so" are what we call a moral hazard in our industry.

Or a months-long back-and-forth between a few guys in a volunteer org (who were all insurance/financial advisors at their real jobs) about whether we had to hire a professional snow removal company or if the volunteer with a landscaping company could swing by in the morning on his usual route (as he offered to do). He's not covered under WC in his own truck! He is if he signs in briefly! Doesn't he have his own WC? But then he's a different class of employee if this is outside his volunteer duties! Let's just pay him then! He can't volunteer AND work here! Is it his truck, or his company's? etc, etc, etc.

Maybe that's why I overthink this stuff haha

Pretty common scenario haha

Interesting. It seems this might be a major contributor to any "insurance companies are suddenly asking more questions" trend?

I think the world and economy going down in flames is the biggest contributor of that. I see more questions on all lines of coverage, not just cyber.

Is there any public information on the application/warranty process, or insight on how they arrive at the requirements/questions they do? I assume some high-level guidance comes from govt/[tech]industry, but would it be NAIC or maybe some underwriters' association who has better insurance industry research/reports/guidelines? (Found this linked in the NAIC report)

Many commercial policies get written on ISO (Insurance Services Office) forms. That's what's considered "standard". Many carriers may combine ISO forms with proprietary in house forms, or choose to go fully in house. Cyber policies seem to be mostly proprietary, which adds to the complexity. Certain carriers will use different terms for the same coverage, and the legalese within the policies varies.

That being said, there is some standardization, but it's far from perfect at this point. Also, the application/warranty process can vary even within one insurer, depending on the underwriter, region, type of business they're trying to insure, agent they're dealing with, etc.

For example - If there's an agent that has a ton of profitable business with 1 carrier, that carrier is more likely to write something that agent submits than something a not well known agent submits. There is a relationship and level of trust established. If the agent presents it as a good risk, the underwriter is inclined to listen.

If the business is in a field that is a low cyber liability risk, the underwriting should have less scrutiny and the cost will be lower. If they're very low risk, they can probably buy their policy online through an automatic system.

If the business is located in a state with a strict regulatory environment that is more expensive, it will be harder to get coverage and the terms will be more stringent.

You get the idea