New York regulator leads the way on cyber-related risks

The New York Department of Financial Services (NY DFS), the state’s leading financial regulatory office, has created a Cyber Insurance Risk Framework for all property and casualty insurers authorized to operate in New York[i]. This call for stronger guidelines on cyber regulation is the result of multiple industry factors, including increased risk due to remote work during the COVID-19 era, the advent and growth of ransomware, and the recently revealed SolarWinds cyberattack.

This is the first such guidance offered to the industry by a U.S. regulator and reflects DFS Superintendent Linda Lacewell’s view that “cybersecurity is now critically important to almost every aspect of modern life – from consumer protection to national security” and that “cyber insurance plays a key role in managing and reducing cyber risk.“[ii]

This is not the DFS’s first foray into cyber regulation — in 2017, the department was also the first state insurance regulator to promote a cybersecurity regulation[iii] for financial services, designed to protect customer information held by insurers, banks, and other financial service providers. Continued into 2019, the DFS then created a separate Cybersecurity Division to lead the department’s regulatory efforts in this area.

Under the latest announcement, the DFS is focused on the growing market for cybersecurity insurance[iv], highlighting critical issues like data extortion and silent-cyber risks. As part of the recommended guidance, the office has compiled the collective insights into a comprehensive best practices plan, allowing insurers to manage their cyber insurance risk more effectively.

While several of the best practices only impact insurers and will have little direct impact on insureds, others will clearly affect the interaction between insurers and their commercial customers:

What does “silent-cyber” mean? Silent, or non affirmative, cyber insurance risk is the chance that an insurer might be required to cover loss from a cyber incident under an insurance policy that does not explicitly mention cyber. The DFS urges that all insurers assess their potential exposures, even those that do not explicitly offer cyber insurance, as this type of risk often impacts general liability and product liability, errors and omissions, and burglary and theft policies.

To mitigate against this risk, the DFS suggests making the cyber coverage explicitly clear in any policy that could be subject to a cyber claim. Insurers are also urged to buy reinsurance for this risk while they endeavor to identify and eliminate it, a process the DFS recognizes will take some time.

It is important that insurers offering cyber insurance regularly evaluate systemic risk, including the risk posed by any critical third-party business vendors. This evaluation should include stress testing based on realistic, catastrophic cyber events (such as the 2017 NotPetya or the 2020 SolarWinds attacks) to ensure all opportunities for coverage have been explored.

Insurers that offer cyber insurance should have a data-driven, comprehensive plan for auditing cyber risk. This process includes gathering information on cybersecurity programs and researching topics like corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning, and third-party security policies. 

The DFS urges insurers to offer comprehensive information about the value of cybersecurity measures and to incentivize the adoption of better cybersecurity plans by pricing policies based on the effectiveness of each insured’s cybersecurity program.  Insurers should also educate insurance producers about potential cyber exposures, the types and scope of cyber coverage offered, and monetary limits in cyber insurance policies.

It is strongly recommended that cyber insurance policies include a requirement that victims notify law enforcement of a cyber event, a practice that some insurers currently follow and one that the department considers to be beneficial to the victim-insured and the public. 

As global threats continue to grow, the issue of cyber insurance will undoubtedly be an increasingly important one for U.S. regulators. With the release of the Cyber Insurance Risk Framework, the NY DFS has signaled its intention to lead the charge in fostering the growth of a robust cyber insurance market.

Not only must insurers take account of the framework’s requirements, including those related to ransomware payments, but commercial insureds and their risk managers and brokers should also review the framework as they assess their cyber insurance needs.

Exactly how this framework will impact the development of cyber insurance coverage and the market for this critical product remain to be seen, but the need to stay on top of this evolving matter is imperative for nearly all businesses.

[i] NYS DFS Insurance Circular Letter No. 2 (2021).

[ii] https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02

[iii] 23 NYCRR Part 500.

[iv] According to the National Association of Insurance Commissioners (NAIC), the U.S. cyber insurance market was $3.15 billion in 2019. It is estimated that by 2025, it will be more than $20 billion.