The New York Department of Financial Services (DFS) has issued a Cyber Insurance Risk Framework (the “Framework”) of best practices for carriers. The first of its kind, the Framework tells carriers to establish formal strategies for measuring and managing cyber risks. It applies to all insurance carriers — not only those who write cyber policies, but also those who may be exposed to silent cyber risks, that is, potential cyber-related losses under traditional, as opposed to cyber-specific, property and liability policies.
Risks for Carriers
The introduction to the Framework cites the COVID-19 pandemic, the SolarWinds hack, and a rise in ransomware attacks as examples of increased cyber risk for all organizations. Cyber insurance helps businesses manage these risks and can also lead to better cybersecurity with premium pricing incentives for good cyber hygiene. DFS warns, however, that unless carriers assess risks accurately, the availability of cyber insurance could allow policyholders to rely on insurance rather than on strong security.
So that the cyber insurance market can best protect economic interests, the Framework lists six best practices that carriers “should employ.” Specifically, carriers should establish a “formal cyber insurance risk strategy” incorporating each of the following practices:
- Manage and eliminate exposure to silent cyber insurance risk;
- Evaluate systemic risk;
- Rigorously measure policyholder risk;
- Educate policyholders and insurance producers;
- Obtain cybersecurity expertise; and
- Require notice to law enforcement.
While the Framework is not a step-by-step guide or a mandate with the force of law, it does explain how a carrier can “take an approach that is proportionate to its risk.”
The Framework emphasizes the importance of measuring risk and notes at the outset that current cyber exposure may be vastly underestimated in comparison to the premiums being charged. Systemic risk — such as vulnerabilities in software common across policyholders or attacks coordinated by state-sponsored groups — can lead to large, correlated losses. Additionally, silent cyber risks — losses from cyber incidents in policies that do not affirmatively grant cyber coverage — create uncertainty and represent cyber risks that might not have been measured as such before now.
Though the Framework identifies significant risk of loss, it is short on guidance for exactly how to “rigorously measure” risks other than suggestions about the application process and the importance of obtaining clear information about the policyholder’s third-party vendors and open-source software components. (DFS has emphasized the importance of third parties before, identifying them as a consistent weak link in cybersecurity efforts, as has the Office of the Comptroller of the Currency.) As the cyber insurance market matures, we can expect to see more standardized assessments of cyber hygiene, such as the Cybersecurity Maturity Model Certification (CMMC) and the Basic Assessment currently being implemented by the Department of Defense for contractors in its supply chain.
Other aspects of the Framework focus on managing risks. Carriers should educate their policyholders about good cybersecurity practices. This is consistent with the cyber insurance market’s function of strengthening security, and it lowers the overall cyber insurance risk in the system. Additionally, carriers should themselves stay educated by recruiting and training cybersecurity experts and committing to the development of sophisticated vendors.
The Framework also recommends that policies require victims to notify law enforcement as a condition of coverage. Many businesses hesitate to call law enforcement, even when they are the victims of cybercrime. Because some attacks can be prevented by good cyber hygiene, there is “victim blaming” to some extent, which keeps businesses from reporting to law enforcement. In addition, some have expressed concern that law enforcement may limit options for responding to attacks — because of official stances against paying ransoms, for example.
Against these potential downsides, DFS emphasizes that law enforcement agencies are a pool of knowledge across incidents. On top of helping a victim now, what is learned in an incident can be used to help the next potential victim or even to prevent attacks.
DFS has never been afraid to move first on new issues facing policyholders and carriers. Specifically, DFS has led the way on cybersecurity regulation at least since its Regulation 500 took effect in 2017. We expect DFS will continue its dialogue with the industry, leading to more comprehensive and specific guidance. Bradley will report on new developments.