The Importance of Policy Triggers in Cyber Insurance
In the world of insurance, the "trigger" is the specific event or set of circumstances that must occur for a policy to respond to a loss. When preparing for the Cyber Liability exam, candidates must distinguish between the two primary trigger formats: Occurrence and Claims-Made.
While traditional General Liability (GL) policies often use an occurrence trigger, the cyber insurance market almost exclusively utilizes the claims-made format. This distinction is critical because cyber incidents often involve a significant time lag between the initial breach and its eventual discovery. Understanding how these triggers function—and how they impact coverage continuity—is essential for any specialty insurance professional.
Occurrence vs. Claims-Made Comparison
| Feature | Occurrence Policy | Claims-Made Policy |
|---|---|---|
| Trigger Event | When the injury or damage happens | When the claim is first made against the insured |
| Reporting Time | Can be reported years after policy expires | Must be reported during the policy period |
| Retroactive Date | Not applicable | Crucial for limiting back-dated coverage |
| Market Prevalence | Rare in Cyber Liability | Standard for Cyber and Professional Liability |
Deep Dive: The Claims-Made Trigger
A Claims-Made policy triggers coverage based on two conditions: the claim must be made against the insured during the policy period, and the incident must be reported to the carrier during that same period (or a specified grace period). In cyber insurance, this is the preferred model because it provides insurers with greater certainty regarding their loss reserves.
Key components of the claims-made structure include:
- Retroactive Date: This is a date set at the inception of the first policy. The policy will not cover any wrongful acts that occurred before this date, even if the claim is made during the current policy period.
- Claim Reporting: Most cyber policies require "prompt" reporting. Under a claims-made-and-reported form, failing to report the claim before the policy expires (or within a short window thereafter) can result in a total denial of coverage.
- Continuity: To maintain coverage for past acts, an insured must maintain a continuous string of claims-made policies with the same retroactive date.
The Retroactive Date Trap
If an insured switches carriers and the new carrier advances the Retroactive Date to the inception of the new policy, the insured loses all coverage for unknown breaches that occurred in the past. This creates a "gap" in coverage that can be catastrophic in cyber insurance, where breaches often go undetected for hundreds of days.
Extended Reporting Periods (Tail Coverage)
Because claims-made policies stop covering incidents the moment the policy is cancelled or not renewed, the Extended Reporting Period (ERP), often called "Tail Coverage," is a vital provision. The ERP allows the insured to report claims for a specified time after the policy ends, provided the underlying wrongful act occurred after the retroactive date but before the policy expiration.
There are generally two types of ERPs:
- Basic ERP: A short, automatic window (often thirty to sixty days) provided at no extra cost to report claims that occurred at the very end of the policy term.
- Supplemental ERP: An optional endorsement that extends the reporting window for several years. This is typically purchased when a business is sold, closes, or moves to a carrier that will not honor the previous retroactive date.
Why Cyber Avoids the Occurrence Trigger
The Occurrence trigger is based on when the injury happens. In a traditional slip-and-fall case, the date of injury is clear. In cyber, the "injury" (data exfiltration) might happen on one date, but the "damage" (identity theft or business interruption) might manifest much later. If cyber used occurrence triggers, an insurer might be liable for claims decades later if the breach started during their policy period.
Insurers utilize claims-made forms in cyber for the following reasons:
- Pricing Accuracy: Insurers can price the risk based on the current threat landscape rather than trying to predict cyber-attack methods decades into the future.
- Aggregate Limits: It allows for clearer management of aggregate limits within a single policy year.
- Discovery Lag: Since hackers often sit on networks for months before acting, the claims-made trigger ensures the policy in place at the time of discovery and claim is the one that responds.
For those studying for the specialty exam, working through practice Cyber Liability questions will help reinforce how these triggers apply to complex claim scenarios.
Frequently Asked Questions
If the wrongful act (the breach) occurs before the retroactive date listed on the declarations page, there is no coverage, even if the claim is made and reported during the current policy period.
Generally, an insured should never want to move their retroactive date forward. Moving the date forward eliminates coverage for prior acts. Ideally, the retroactive date should remain the date of the first claims-made policy the business ever purchased.
Yes. A policy with 'Full Prior Acts' does not have a retroactive date, meaning it covers any claim made during the policy period regardless of when the underlying incident occurred, provided the insured did not have prior knowledge of the event.
No. The Extended Reporting Period only allows the reporting of claims for acts that happened before the policy expired but after the retroactive date. It does not cover new breaches that occur after the policy expiration date.