Insurers Beware: Potential Impacts of New York’s Cyber Insurance Risk Framework
New York remains extremely active in the cybersecurity and data protection arena.
During its current legislative session, New York is considering a proposed privacy bill that would greatly enhance consumer privacy rights, increase business obligations and create new litigation/enforcement exposure.
Meanwhile, the New York Department of Financial Services (NYDFS) has recently filed its first Cybersecurity Regulation enforcement actions, has required regulated entities to formally notify the NYDFS if they were directly impacted by the SolarWinds incident and has issued the nation’s first Cyber Insurance Risk Framework.
The framework applies directly to all property/casualty insurers authorized by the NYDFS. Its stated goal is to facilitate the continued growth of a sustainable and sound cyber insurance market by outlining best practices for managing cyber insurance risk.
Not only are insurers writing cyber insurance expected to follow the framework's guidance, but all insurers need to evaluate their silent risk (the risk that an insurer must cover losses from a cyber incident under a policy that neither explicitly grants nor explicitly excludes cyber coverage) and take steps to reduce that exposure.
The framework also advises cyber insurers that the NYDFS recommends against making ransomware payments and reminds insurers to be mindful of their obligations to report demands for ransom payments by cybercriminals as explained in recent advisories issued by FinCEN and OFAC.
The framework comes as the cyber insurance market is exploding. In 2019, the cyber insurance market was $3.15 billion, and it is estimated that by 2025, it will be more than $20 billion. At the same time, organizations are facing increased cyber risk as cyber crime is becoming more common, more sophisticated and more costly.
With this in mind, NYDFS’ Cyber Insurance Risk Framework requires all insurers to sustainably and effectively manage their cyber insurance risk.
While noting that each insurer’s risk will vary based on many factors including size, resources, geographic distribution, market share and industries served, the framework requires all insurers to review their best practices and take an approach proportionate to their risk. Specifically, the framework identifies the following best practices:
- Establish a formal strategy for measuring cyber risk. The strategy should be directed and approved by senior management and the board/governing body and should include clear qualitative and quantitative goals for risk.
- Manage and eliminate exposure to silent cyber insurance risk. Insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses. Because this process may take time, insurers should mitigate existing silent risk, such as by purchasing reinsurance.
- Evaluate systemic risk. Insurers that offer cyber insurance should regularly evaluate systemic risk and plan for potential losses. This evaluation should include stress testing based on realistic catastrophic cyber events, such as a widespread outage at a shared cloud or software provider that affects many insureds at once.
- Rigorously measure insured risk. Insurers should have a data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured. This process should include gathering information on the insured’s cybersecurity program and assessing a multitude of topics like incident response planning, third-party security policies, vulnerability management and corporate governance and controls.
- Educate insureds and insurance producers. Insurers should offer comprehensive information about the value of cybersecurity measures and facilitate the adoption of those measures. Insurers should also incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program. Insurers should also educate insurance producers to have a better understanding of potential cyber exposures, types and scope of cyber coverage offered and monetary limits in cyber insurance policies.
- Obtain cybersecurity expertise. Insurers should recruit employees with cybersecurity experience and skills and commit to their training and development, supplemented as necessary with consultants or vendors.
- Require notice to law enforcement. Cyber insurance policies should include a requirement that victims notify law enforcement when a cyber attack occurs.
All insurers must pay attention to the framework's recommendations, including those related to ransomware payments.
The framework has the potential to alter numerous aspects of cyber insurance coverage, including areas that have been a prime concern for insurers for years. Several areas that may be affected by the framework include:
- Heightened urgency of cyber risk assessments. Most insurers have already started assessing cyber risk under their current policies. The framework will likely require insurers to ramp up those efforts to ensure their policies meet its goals and objectives, including evaluating systemic risk and silent risk and using data-driven analytics to assess the risk of each insured and potential insured.
- Increased scope for cyber risk assessments. As noted above, the framework discusses silent risk at length. Insurers must review their existing coverages to determine when and where silent risk exists, assess that risk, consider whether reinsurance products are appropriate to mitigate it and take steps to eliminate it from future policies.
- Additional focus on third-party vendors. Many insurers have consistently identified insureds' third-party vendors as weak links in cybersecurity programs. As insurers implement the framework's best practices, they will need to increase the scrutiny applied to those vendors, assessing when and under what circumstances losses relating to third parties are covered, how large the potential exposure from those relationships is and how to mitigate it.
- Increased standardization in cyber assessments. Another likely change to result from the framework is insurers conducting more standardized assessments of insureds' and potential insureds' cyber preparedness. For example, the framework calls for assessment of numerous policies and practices, including incident response planning, third-party security policies, vulnerability management and corporate governance and controls. Insurers may develop standardized assessments to collect data on these topics so that appropriate data is collected for each relationship and is consistently evaluated to manage risk.
- Additional specifics contained in cyber policies. Many insurers will need to review their current cyber policies and revise them to sharpen the specifications surrounding covered events, sublimits and exclusions. As insureds become more fluent in reviewing cyber coverage, they will be better prepared to spot potential gaps or limits in that coverage. Examples include whether property damage or bodily injury resulting from a cyber attack is covered, whether coverage extends to personal devices used for a business purpose and whether vendor business interruptions are covered. As issues such as these gain more attention, insurers will need to be more specific about any gaps in their policies and whether they offer additional coverages to fill those gaps.
- Creation of additional training and education programs. To comply with the framework, insurers will need to offer insureds additional education on well-managed cybersecurity programs and opportunities for insureds to receive training on cyber risk management. Insurers will also need to consider how to incentivize their insureds to take advantage of these offerings. Along the same lines, insurers will need to hire additional cybersecurity expertise and consider making these individuals available for consultation with their insureds.
- Increased specification around law enforcement reporting. As insurers implement the framework’s guidance around notice to law enforcement, they will need to consider how this will impact other policy requirements. For example, many policies require insureds to provide timely notice of an incident. Often, reporting to law enforcement can result in delays in reporting a claim to an insurer. Policies should be modified to address these issues on the front end.
Chances are that many insurers have already started implementing the practices identified in the framework. But as cyber crime continues to grow rapidly, the pressure is on insurers to properly assess and evaluate cyber risk and to meet current market demands from insureds.
Much like their insureds, insurers must be proactive in establishing a formal strategy for measuring cyber risk and minimizing potential exposure. By implementing the objectives in the framework, insurers will remain competitive within the marketplace while helping their insureds establish sound cybersecurity measures to mitigate potential losses from cyber threats.