New York State Department of Financial Services Announces "Cyber Insurance Risk Framework"
Client Alert | 2 min read | 02.05.21
On February 4, 2021, the New York State Department of Financial Services (DFS) announced a “Cyber Insurance Risk Framework” for property/casualty insurers “that outlines best practices for managing cyber insurance risk.” Insurance Circular Letter No. 2 (2021): Cyber Insurance Risk Framework | Department of Financial Services (ny.gov).
According to DFS, “cyber risk continues to increase for all organizations,” and “cyber insurance plays a key role in managing and reducing cyber risk.” Moreover, “[a]s cyber risk increased, so too has risk in underwriting cyber insurance,” with the “biggest driver” being “an increase in the frequency and cost of ransomware attacks.” DFS “recommends against making ransom payments,” as such payments “fuel the vicious cycle of ransomware.”
DFS noted that “[m]anaging this growing cyber risk is an urgent challenge for insurers.” Acknowledging that “[e]ach insurer’s cyber insurance risk will vary based [on] many factors,” and that “each insurer should take an approach that is proportionate to its risk,” the DFS Framework provides that all authorized property/casualty insurers that write cyber insurance should employ seven practices “to sustainably and effectively manage their cyber insurance risk.”
- “Establish a Formal Cyber Insurance Risk Strategy” for measuring cyber insurance risk… which “include[s] clear qualitative and quantitative goals for risk, and progress against those goals should be reported to” management on a regular basis.
- “Manage and Eliminate Exposure to Silent Cyber Insurance Risk,” which is “risk that an insurer must cover loss from a cyber incident under a policy that does not explicitly mention cyber.” The Framework notes that “insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses,” and “also take steps to mitigate existing silent risk, such as by purchasing reinsurance.”
- “Evaluate Systemic Risk” and “plan for potential losses.” The Framework suggests that insurers “conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events,” and “track the impact of stress test scenarios across the different kinds of insurance policies they offer as well as across the different industries of their insureds.”
- “Rigorously Measure Insured Risk” by having a “data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured” which is “detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity.”
- “Educate Insureds and Insurance Producers” about “cybersecurity and reducing the risk of cyber incidents” by striving to “offer more comprehensive information about the value of cybersecurity measures and facilitate the adoption of those measures,” and also by “incentiviz[ing] the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.”
- “Obtain Cybersecurity Expertise” “to properly understand and evaluate cyber risk.”
- “Require Notice to Law Enforcement,” specifically, that cyber insurance policies “include a requirement that victims notify law enforcement.” According to the Framework, “[l]aw enforcement often has valuable information that may not be available to private sources and can help victims of a cyber incident,” “can help recover data and funds that were lost,” “can enhance a victim’s reputation when its response to a cyber incident is evaluated by its shareholders, regulators, and the public,” and can be used to prosecute the attackers, warn others of existing cybersecurity threats, and deter future cybercrime.