Superintendent Linda A. Lacewell today announced the New York State Department of Financial Services (DFS) issued a new Cyber Insurance Risk Framework. The Framework outlines industry best practices for New York-regulated property/casualty insurers that write cyber insurance to effectively manage their cyber insurance risk. The Framework is the first guidance by a U.S. regulator on cyber insurance.
“Cybersecurity is the biggest risk for government and industry, bar none. Cyber insurance is critical to managing and reducing the extraordinary risk we face from cyber intrusions,” said Superintendent Lacewell. “After extensive dialogue with industry and experts, we are issuing guidance to foster the growth of a robust cyber insurance market that can effectively help protect us against the growing cyber threats we face.”
The risk and cost associated with cybercrime have continued to increase dramatically, driven in large part by the increasing frequency and severity of ransomware attacks. Ransom payments fuel the vicious cycle of ransomware, as cybercriminals use the proceeds to fund ever more frequent and sophisticated attacks. Ransom payments also do not guarantee that an organization will get its data back or that criminals will not use the stolen data in the future. For these reasons, law enforcement authorities, including the Federal Bureau of Investigation (FBI), recommend against paying ransoms, and DFS concurs.
The growing risk makes cyber insurance protection more important than ever, while at the same time creating new challenges for insurers managing that risk. DFS advises New York-regulated property/casualty insurers offering cyber insurance to establish a formal strategy for measuring cyber insurance risk that is directed and approved by each insurer's board or other governing entity. The strategy should be proportionate to each insurer's risk, taking into account the insurer's size, resources, geographic distribution, and other factors. Insurers are encouraged to incorporate the following best practices into their risk strategy:
- Manage and eliminate exposure to “silent” cyber insurance risk, which results from an insurer’s obligation to cover loss from a cyber incident under a policy that does not explicitly mention cyber incidents;
- Evaluate systemic risk, including the impact of catastrophic cyber events affecting third-party service providers, such as the recently discovered SolarWinds supply chain attack;
- Rigorously measure insured risk by using a data-driven approach to assess potential gaps and vulnerabilities in insureds’ cybersecurity;
- Educate insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations to cyber insurance;
- Obtain cybersecurity expertise through strategic recruiting and hiring practices; and
- Require notice to law enforcement in the event of a cyber attack.
The Framework is a result of DFS’s ongoing dialogue with the insurance industry and experts on cyber insurance, including meetings with insurers, insurance producers, cyber experts, and insurance regulators across the U.S. and Europe. Building on DFS’s longstanding work fostering a strong and resilient insurance market that protects New Yorkers, the Framework furthers DFS’s commitment to improving cybersecurity for consumers and the industry. DFS’s first-in-the-nation Cybersecurity Regulation took effect in March 2017. In 2019, DFS was also the first financial services regulator to create a Cybersecurity Division to oversee all aspects of its cybersecurity regulation and policy.
A full copy of the Framework is available on the DFS website.
Questions regarding the Framework should be directed to CyberInsurance@dfs.ny.gov.