The cyber insurance market size is currently valued in the billions, and this does not include insurance policies that do not explicitly mention cyber incidents but may nevertheless cover them. With this in mind, policyholders and insurance carriers should be aware of the recently released Cyber Insurance Framework (the “Framework”) issued by the New York Department of Financial Services (NYDFS). The first of its kind, the Framework lays out formal strategies for measuring and managing cyber risks.
Recent events have highlighted the cybersecurity risks insurance carriers face. The Framework cites the COVID-19 pandemic, the SolarWinds hack, and a rise in ransomware attacks as examples of increased cyber risk for all organizations.
The Framework’s Best Practices
The Framework lists seven best practices for protecting economic interests:
- Establish a formal cyber insurance risk strategy – Notably, this practice requires approval by senior management and the board of directors (or other governing body if there is no board of directors).
- Manage and eliminate exposure to silent cyber insurance risk – This practice may include rewriting standard policies to explicitly state whether cyber incidents will be covered and purchasing reinsurance for contracts that include silent cyber insurance risks.
- Evaluate systemic risk – One noteworthy aspect of this practice is understanding which third-party vendors are used across multiple insureds and determining the potential effect that a catastrophic cyber incident at such a vendor could have on those insureds.
- Rigorously measure insured risk
- Educate policyholders and insurance producers – The NYDFS recommends incentivizing policyholder cyber hygiene by providing pricing policies, cybersecurity assessments, recommendations for improvement, and general cybersecurity guidance.
- Obtain cybersecurity expertise
- Require notice to law enforcement
The Framework emphasizes the importance of measuring risk, noting that current cyber exposure may be significantly underestimated relative to the premiums being charged. Systemic risk — such as vulnerabilities in software common across policyholders or attacks coordinated by state-sponsored groups — can lead to large, correlated losses (for example, the SolarWinds cyber incident). Additionally, silent cyber risks — losses from cyber incidents in policies that do not explicitly grant cyber coverage — create uncertainty and represent cyber risks that might not have been measured as such before now.
The Framework does not provide guidance on how to “rigorously measure” risks other than to have a data-driven plan that includes, but is not limited to, information on policyholder corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, incident response, third-party vendors, and open-source software components. (The NYDFS has previously emphasized the importance of third parties, identifying them as a consistent weak link in cybersecurity efforts, as has the Office of the Comptroller of the Currency.) As the cyber insurance market matures, we can expect to see more standardized assessments of cyber hygiene, such as the Cybersecurity Maturity Model Certification (CMMC) and the Basic Assessment currently being implemented by the Department of Defense for contractors in its supply chain.
Other aspects of the Framework focus on managing risks by educating policyholders about cybersecurity and providing guidance about best practices. Cybersecurity education can strengthen security throughout the system, thereby lowering the overall cyber insurance risk that policyholders and their insurance carriers face. Additionally, the Framework recommends that insurance carriers themselves should stay educated by recruiting and training cybersecurity experts and committing to the development of sophisticated vendors.
The Framework also recommends that policies should require that victims notify law enforcement as a condition of coverage. Many businesses hesitate to call law enforcement, even when they are the victims of cybercrime, because of worries they will be blamed for the cyber incident, despite complying with cybersecurity best practices. In addition, some businesses have expressed concern that law enforcement may limit options for responding to attacks because of official stances against paying ransoms, for example.
Against these potential considerations, the NYDFS emphasizes that law enforcement agencies accumulate knowledge from assisting with many incident responses. Beyond helping the current victim, what is learned during one incident response can be used to help the next potential victim or even to prevent attacks.
The NYDFS has been a leader in cybersecurity regulation since its cybersecurity regulation for financial services took effect in 2017 and its Cybersecurity Division was created in 2019. This is particularly relevant because the Framework is the first guidance of this type released by a U.S. regulatory agency. As such, we expect the NYDFS will continue its dialogue with the insurance industry, leading to more comprehensive guidance.