New York Regulator Issues Guidance for Insurers Writing Cyber Policies in the State
The New York State Department of Financial Services (DFS) has issued new guidance spelling out best practices for New York-regulated property/casualty insurers that write cyber insurance. This serves as the first guidance the regulator has issued on cyber insurance in particular.
“Cybersecurity is the biggest risk for government and industry, bar none,” said DFS Superintendent Linda Lacewell in a press release issued by her office. “Cyber insurance is critical to managing and reducing the extraordinary risk we face from cyber intrusions. After extensive dialogue with industry and experts, we are issuing guidance to foster the growth of a robust cyber insurance market that can effectively help protect us against the growing cyber threats we face.”
As part of the guidance, called the Cyber Insurance Risk Framework, DFS is calling on regulated insurers to establish a formal strategy, approved by the insurer’s board or other governing entity, for measuring cyber insurance risk based on the insurer’s size, resources and geographic distribution, among other factors.
In particular, insurers are urged to take measures to manage and eliminate exposure to silent cyber insurance risk, which occurs when cyber exposures exist within a traditional property and liability policy that does not specifically include or exclude cyber risk.
“Because silent risk can reside in many different types of policies, even insurers that write little or no cyber insurance need to measure and manage silent risk in their non-cyber insurance policies,” Lacewell stated in the guidance.
Regulated insurers are also encouraged to evaluate their systemic risk, including the impact of cyber events on third party service providers, and recruit and hire cybersecurity expertise. The framework calls for more of a partnership between insurers and their insureds as well, asking insurers to not only educate insureds and insurance producers about the value of cybersecurity, but also assess gaps and vulnerabilities in their insureds’ cybersecurity and require that insureds notify law enforcement in the event of a cyber attack.
Cyber insurance is a relatively new area of insurance for most insurers, with the first cyber insurance policy – called an Internet Security Liability Policy – launched less than 30 years ago in 1997. However, DFS says the industry has grown rapidly since then. In 2019, the U.S. cyber insurance market was $3.15 billion, and it is estimated that by 2025, it will be more than $20 billion, according to DFS.
“From the rise of ransomware to the recently revealed SolarWinds-based cyber-espionage campaign, it is clear that cybersecurity is now critically important to almost every aspect of modern life – from consumer protection to national security,” Lacewell stated in the guidance.
Lacewell, in a December interview for Insurance Journal’s Insuring Cyber Podcast, discussed how the shift online due to the COVID-19 pandemic has led to new vulnerabilities that cybercriminals are exploiting. One particular example of this exploitation is the rapid rise in ransomware attacks.
New York State Department of Financial Services (DFS) Superintendent Linda Lacewell spoke with Elizabeth Blosfield during the most recent episode of the Insuring Cyber Podcast about how she has always seen New York as a leader in cybersecurity and innovation.
Confirmed to her post as DFS Superintendent in 2019, she aims to further this legacy.
“When I came into DFS…it quickly became apparent to me that the waves of innovation are crashing on the shores of everything that we regulate,” she says.
“I think the insurance industry has really stepped up,” Lacewell said. “They went to work from home very rapidly, which shows that their emergency plans were robust, and they rolled it out very quickly and appear to have done so without much in the way of the issue. With that being said, the bad actors out there globally are hard at work themselves. The increase in ransomware attacks has become the center of gravity when it comes to cyber crime and cybersecurity, and it’s causing billions of dollars in damages across the board.”
Indeed, ransomware attacks have continued to increase in both cost and frequency, with a 2020 survey by DFS finding that from early 2018 to late 2019, the number of insurance claims arising from ransomware increased by 180% and the average cost of a ransomware claim rose by 150%.
What’s more, DFS said the number of ransomware attacks reported to the regulator almost doubled in 2020 from the previous year. With this in mind, it recommends against making ransom payments, which it says can fuel the cycle of ransomware as cyber criminals use them to fund even more sophisticated attacks. Federal entities, including the Federal Bureau of Investigation (FBI) and the U.S. Treasury, have recently issued similar warnings against making ransom payments.
DFS’ most recent Cyber Insurance Risk Framework comes after the regulator has had an ongoing dialogue with the insurance industry and experts on cyber insurance, including through meetings with insurers, insurance producers, cyber experts and insurance regulators across the U.S. and Europe, according to DFS’ release.
This is the latest move by DFS to build on its cybersecurity efforts for insurance consumers and the insurance industry, following DFS’ cybersecurity regulation that first took effect in March 2017 and was rolled out over two years, as well as the 2019 establishment of a new cybersecurity division at DFS to oversee all aspects of its cybersecurity regulation and policy.
“Insurers play a critical role in mitigating and reducing the risks of cybercrime,” Lacewell said in the guidance. “We commend the progress many insurers have made in managing their cyber insurance risk to date and look forward to continuing to work with the industry to address challenges in the cyber insurance market.”