Against the backdrop of the disruptions associated with the Covid-19 pandemic and SolarWinds cyber-espionage campaign, NYDFS has released guidance for insurers that underwrite cyber insurance policies and which contains a number of provisions expected to impact companies applying for or renewing cyber insurance coverage, not the least of which is a specific recommendation that insurers require insureds to report cybersecurity incidents to law enforcement. Although not technically a part of the seven-pronged Cyber Insurance Risk Framework, the NYDFS guidance includes a specific recommendation against making ransom payments in response to ransomware cybersecurity incidents.
The guidance sets forth a Cyber Insurance Risk Framework (the “Framework”) that provides best practices for managing cyber insurance risk amid NYDFS concerns that insurers are not able to accurately measure cyber risk, which may pose both systemic and “silent” risks to the financial sector. The guidance offers the extensive impact of the SolarWinds compromise as an example of systemic risk and both the SolarWinds compromise and the 2017 NotPetya incident as an example of silent risk, in which insurers incur losses from cyber incidents where coverage for cyber incidents is unclear or not explicit in the terms of the policy. NYDFS continues to be concerned that this silent risk remains a significant problem for many insurers.
The Framework clarifies NYDFS expectations that insurers that underwrite cyber insurance policies will develop “a rigorous and data[-]driven approach” to managing cyber risk and that insurers’ decisions regarding the offer and pricing of cyber insurance for specific organizations “should be based on a careful assessment of that organization’s risk.” NYDFS acknowledged that insurers’ risk varies by size, resources, geography, market share, and insureds, so each insurer should take an appropriately tailored, risk-based approach in adopting the following best practices:
Although the Framework applies to all authorized property and casualty insurers that write cyber insurance, the NYDFS guidance states that even insurers that do not write cyber insurance should evaluate their exposure to “silent” risk and take appropriate steps to reduce that exposure.
NYDFS did not specify a timeline for the adoption of the best practices articulated in the Framework, but it would be prudent for regulated entities to consider these expectations particularly in the context of examination preparation and NYDFS’ recent and active outreach to its regulated entities in response to cybersecurity threats relevant to the financial sector.
Similarly, companies that may be applying for or renewing cyber insurance policies may wish to consider their relative preparedness for increased diligence at the underwriting phase, including scrutiny of any silent risk involved in current coverage as well as recent security enhancements and their relationship to past claims data. Companies also may wish to internally review and assess their approach to ransom payments in response to ransomware incidents, including the security and technical measures implemented to decrease the risk of successful ransomware attacks or related service disruptions. Companies likewise may wish to internally review and assess their approach to incident reporting to law enforcement.