New York Adopts Cybersecurity Framework for Insurers

On February 4, 2021, the New York State Department of Financial Services (NYDFS) released a Cyber Insurance Risk Framework (the Framework) to assist property and casualty insurers in managing their cyber insurance risk. The Framework comes on the heels of an increased demand for cyber insurance coverage from businesses to protect against the growing and ever-changing threat posed by cyberattacks. To help issuers effectively manage the increased risk associated with issuing cyber insurance policies, the Framework recommends that insurers adopt seven “best practices,” which are discussed in this post.

1. Establish a Formal Cyber Insurance Risk Strategy. Insurers should adopt “a formal strategy for measuring cyber insurance risk that is directed and approved by senior management and the board of directors, or the governing body if there is no board.” The strategy should identify “clear qualitative and quantitative goals for risk” and ensure that progress is “reported to senior management and the board, or the governing body if there is no board, on a regular basis.” The strategy should address the six additional best practices identified below.
2. Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Insurers often face the risk of having to cover a cyber-related loss even when the policy at issue does not explicitly cover, or is silent about, such a loss. Insurers should “eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses.” Insurers should also take additional measures to address this risk, including by purchasing reinsurance.
3. Evaluate Systemic Risk. Insurers should “evaluate systemic risk and plan for potential losses.” In particular, insurers should take into account the systemic risk associated with increased reliance on third-party vendors by businesses “that may cause simultaneous losses to many of their insureds.” Insurers should also “conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events” which “account[] for both silent and affirmative risk” and potential “scenarios across the different kinds of insurance policies they offer as well as across the different industries of their insureds.” An insurer’s cyber risk strategy should incorporate any issues identified in such stress tests.
4. Rigorously Measure Insured Risk. Insurers offering cyber insurance coverage should adopt “a data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured.” The insurer’s plan should include “gathering information regarding the [insured’s] cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning and third-party security policies.” The information gathered “should be detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity.” Insurers are also encouraged to incorporate “[t]hird-party sources, such as external cyber risk evaluations.” The insurer should then compare this information “with analysis of past claims data to identify the risk associated with specific gaps in cybersecurity controls.”
5. Educate Insureds and Insurance Providers. Insurers are encouraged “to strive to offer more comprehensive information about the value of cybersecurity measures and facilitate the adoption of those measures.” In addition, it is recommended that insurers “incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.” In particular, the Framework “commend[s]” insurers that “offer their insureds guidance, discounted access to cybersecurity services, and even cybersecurity assessments and recommendations for improvement.” Lastly, insurers are advised to “encourage and assist with the education of insurance producers who should have a better understanding of potential cyber exposures, types and scope of cyber coverage offered, and monetary limits in cyber insurance policies.”
6. Obtain Cybersecurity Expertise. Insurers that offer cyber insurance coverage should hire employees with cybersecurity expertise and provide these employees with training to ensure their continued development in this area.
7. Require Notice to Law Enforcement. Insurers should include a requirement in cyber security insurance policies that the insured notify law enforcement of a cyber-related incident.

Providers of cyber risk insurance policies should continually evaluate and refine their approach to managing risk, especially in light of the increased threat of cyberattacks. As insurers undertake these efforts, they should work to incorporate the best practices identified by NYDFS. Doing so will not only help insurers effectively manage risk but will also help them avoid unwanted scrutiny from regulators, such as NYDFS.