On February 4, 2021, the New York Department of Financial Services (NY DFS) issued its Cyber Insurance Risk Framework (the Framework) to provide insurance carriers what it deemed an outline of “best practices for managing cyber insurance risk.” While “[t]he Framework applies to all authorized property/casualty insurers that write cyber insurance,” NY DFS also recommends that non-cyber insurers refer to the Framework to evaluate their exposure to “silent” cyber risk.
The Cyber Insurance Framework is broken down into seven parts or requirements. The first requirement serves as an overall principle that insurance carriers develop and implement a “formal insurance risk strategy” for measuring cyber insurance risk. This risk strategy should be reviewed and approved by a carrier’s senior management and board of directors (or other governing body), and set forth “clear qualitative and quantitative goals for risk.” Carriers should measure their adopted risk strategy periodically, punctuated with report to senior management and the board. The risk strategy should incorporate the following six practices:
1. Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Insurance carriers must identify and evaluate their exposure to silent or non-affirmative cyber risks under non-cyber policies, and “take appropriate steps to reduce their exposure.” NY DFS suggests that insurers may eliminate silent cyber risk “by making clear in any policy that could be subject to a cyber-related claim whether or not the policy provides or excludes coverage for cyber-related losses.” The Framework also encourages insurers to purchase reinsurance to help further mitigate exposure.
2. Evaluate Systemic Risk. Supply chain attacks and risk vectors through third-party risk management have dominated the media with sizeable, well know attacks – from the 2014 Target data breach, to NotPetya, and more recently Solar Winds. In the face of these ever-growing attacks, and noting that “systemic risk” has grown through reliance upon third-party vendors in “highly concentrated areas,” like cloud service providers, the Framework states that insurers must “understand the critical third parties used by their insureds and model the effect of a catastrophic cyber event on such critical third parties that may cause simultaneous losses to many of their insureds.”
The Framework advises that insurers “conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events,” and that those stress tests account for both silent and affirmative cyber risks. The stress tests also should measure potential impacts across various industries, policyholder types, and insurance policy forms.
3. Rigorously Measure Insured Risk. In short, the Framework instructs that insurers do a better job knowing the exposure risks of their insureds. The Framework advises that insurers develop and implement a “data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured,” and that such a plan be analyzed against claims data to better evaluate the risks presented. Evaluating an insured’s or potential’s insured’s data privacy and security program is critical, including evaluating information and corporate governance, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning, and third-party risk management. Data gathered by an insurer during the underwriting process “should be detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity.” NY DFS notes that third-party external risk assessments and vendors “are also a valuable source of information.”
4. Educate Insureds and Insurance Producers. Insurers “should strive” to educate insurance brokers and insureds about the value of a comprehensive and effective data privacy and security program, and to offer incentives for the development and implementation of such programs through policy pricing, and discounted access to cybersecurity services and risk assessments.
5. Obtain Cybersecurity Expertise. Insurers “need appropriate expertise” to evaluate cyber risks, and should (a) “recruit employees with cybersecurity experience and skills,” and (b) commit to training and developing personnel, “supplemented as necessary with consultants or vendors.”
6. Require Notice to Law Enforcement. The Framework suggests that insurance policies should require policyholders to notify law enforcement upon sustaining a successful cyberattack. NY DFS reasons that involving law enforcement may help recover stolen data and funds, “enhance a victim’s reputation” when its cyber response “is evaluated by its shareholders, regulators, and the public,” and better enable prosecution of attackers to deter future cybercrime.
Additional observations offered in NY DFS’s circular letter announcing the Framework include:
- Citing the October 2020 advisory issued by the Office of Foreign Assets Control (OFAC), NY DFS recommends against making ransom payments in response to ransomware attacks. The agency reasons that ransom payments “fuel the vicious cycle of ransomware, as cybercriminals use them to fund ever more frequent and sophisticated ransomware attacks.”
- NY DFS opines that “[m]any insurers still have work to do to develop a rigorous and data driven approach to cyber risk, and experts have expressed concerns that insurers are not yet able to accurately measure cyber risk.”
- Exposure from “silent cyber” claims remains “a significant” problem for insurance carriers.
What this means. NY DFS cites a 180% increase in ransomware insurance claims and labels ransomware attacks as a $20 billion problem. So much like the October 2020 OFAC and Financial Crimes Enforcement Network (FinCEN) advisories, NY DFS’s Cyber Insurance Framework was inspired by ever-growing ransomware attacks. Yet, the timing is curious, to say the least, given that the New York State Legislature currently has three significant privacy and data security bills pending in one or both houses. The Framework itself, moreover, can inspire competing reactions as it signals incoming mandates that hover on the horizon without offering much I substance as to how to accomplish them.
For instance, NY DFS’s suggestion that insurers undertake greater efforts to evaluate policyholders’ cybersecurity programs and retain qualified personnel – noting that both principles may be achieved through use of vendors – is both obvious and eye opening. It’s not like cyber carriers haven’t tried to realize these “best practices,” but the Framework may create new incentives and pre-incident programs. And, while “silent cyber” remains a problem, let’s not forget that courts’ broad interpretation of insurance language have played a role, too.
Perhaps the biggest question implicated by the Framework’s construction and release is: how long will it be before these “best practices” become expectations and standards? This question and development surrounding it are worth watching.