New York Regulator Issues Guidance for Insurers Writing Cyber Policies in the State

The New York State Department of Financial Services (DFS) has issued new guidance for New York-regulated property/casualty insurers that write cyber insurance. This serves as the first guidance the regulator has issued on cyber insurance in particular.

“Cybersecurity is the biggest risk for government and industry, bar none,” said DFS Superintendent Linda Lacewell in a press release issued by her office.

As part of the guidance, called the Cyber Insurance Risk Framework, DFS is calling on regulated insurers to establish a formal strategy, approved by the insurer’s board or other governing entity, for measuring cyber risk based on the insurer’s size, resources and geographic distribution, among other factors.

In particular, insurers are urged to take measures to manage and eliminate exposure to silent cyber risk, which occurs when cyber exposures exist within a traditional property and liability policy that does not specifically include or exclude cyber risk.

Regulated insurers are also encouraged to evaluate their systemic risk, including the impact of cyber events on third party service providers, and recruit and hire cybersecurity expertise. The framework calls for more of a partnership between insurers and their insureds as well, asking insurers to not only educate insureds and insurance producers about the value of cybersecurity, but also assess gaps and vulnerabilities in their insureds’ cybersecurity and require that insureds notify law enforcement in the event of a cyber attack.

Cyber insurance is a relatively new area of insurance for most insurers, with the first cyber insurance policy — called an Internet Security Liability Policy — launched nearly 25 years ago in 1997. However, DFS says the industry has grown rapidly since then. In 2019, the U.S. cyber insurance market was $3.15 billion, and it is estimated that by 2025, it will be more than $20 billion, according to DFS.

“From the rise of ransomware to the recently revealed SolarWinds-based cyber-espionage campaign, it is clear that cybersecurity is now critically important to almost every aspect of modern life — from consumer protection to national security,” Lacewell stated in the guidance.

DFS’ most recent Cyber Insurance Risk Framework comes after the regulator has had an ongoing dialogue with the insurance industry and experts on cyber insurance through meetings with insurers, insurance producers, cyber experts and insurance regulators across the U.S. and Europe, according to DFS’ release.

This is the latest move by DFS to build on its cybersecurity efforts for the insurance industry, following its cybersecurity regulation that took effect in March 2017, as well as the 2019 establishment of a new cybersecurity division at DFS to oversee all aspects of its cybersecurity regulation and policy.

“Insurers play a critical role in mitigating and reducing the risks of cybercrime,” Lacewell said in the guidance. “We commend the progress many insurers have made in managing their cyber insurance risk to date and look forward to continuing to work with the industry to address challenges in the cyber insurance market.”