Against the backdrop of the disruptions associated with the Covid-19 pandemic and SolarWinds cyber-espionage campaign, NYDFS has released guidance for insurers that underwrite cyber insurance policies and which contains a number of provisions expected to impact companies applying for or renewing cyber insurance coverage, not the least of which is a specific recommendation that insurers require insureds to report cybersecurity incidents to law enforcement. Although not technically a part of the seven-pronged Cyber Insurance Risk Framework, the NYDFS guidance includes a specific recommendation against making ransom payments in response to ransomware cybersecurity incidents.
The guidance sets forth a Cyber Insurance Risk Framework (the “Framework”) that provides best practices for managing cyber insurance risk amid NYDFS concerns that insurers are not able to accurately measure cyber risk, which may pose both systemic and “silent” risks to the financial sector. The guidance offers the extensive impact of the SolarWinds compromise as an example of systemic risk, and both the SolarWinds compromise and the 2017 NotPetya incident as examples of silent risk, in which insurers incur losses from cyber incidents where coverage for cyber incidents is unclear or not explicit in the terms of the policy. NYDFS continues to be concerned that this silent risk remains a significant problem for many insurers.
The Framework clarifies NYDFS expectations that insurers that underwrite cyber insurance policies will develop “a rigorous and data[-]driven approach” to managing cyber risk and that insurers’ decisions regarding the offer and pricing of cyber insurance for specific organizations “should be based on a careful assessment of that organization’s risk.” NYDFS acknowledged that insurers’ risk varies by size, resources, geography, market share, and insureds, so each insurer should take an appropriately tailored, risk-based approach in adopting the following best practices:
- Establish a Formal Cyber Insurance Risk Strategy – This strategy should be directed by senior management and approved at the highest levels of the company (e.g., the Board), and include “clear qualitative and quantitative goals for risk” that are tracked against performance and reported to senior management and the Board on a regular basis. This strategy should include the remaining six best practices from the Framework.
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk – Evaluate and mitigate exposure to silent risk in the short term and eliminate silent risk in the long term by revising the terms of policies going forward and purchasing re-insurance in the interim.
- Evaluate Systemic Risk – Conduct internal stress testing based on low probability, catastrophic cyber events that consider both silent and affirmative risk and include stress testing scenarios that consider specific risks to the products offered and variations across industries of insureds. The lessons learned and potential losses identified should be incorporated into the overall Cyber Insurance Risk Strategy.
- Rigorously Measure Insured Risk – Insurers should assess in detail the insured’s cybersecurity program, including through interviews, surveys, and relevant third-party or external risk evaluations, and then compare that information to an insured’s claim history to identify gaps in cybersecurity controls that may bear on the insurer’s risk determinations. We note that the topics listed as a baseline for scoping the assessment loosely track the provisions of the NYDFS Cybersecurity Requirements (23 NYCRR 500).
- Educate Insureds and Insurance Producers – Insurers should provide comprehensive information and resources that educate and incentivize insureds to adopt robust cybersecurity programs but also communicate the limitations of cyber insurance policies to insureds. NYDFS recommends that insurers “incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.”
- Obtain Cybersecurity Expertise – Insurers should recruit, train, and develop their workforce to understand and evaluate cyber risk, and supplement with consultants as appropriate.
- Require Notice to Law Enforcement – Cyber insurance policies should require breached entities to notify law enforcement given the public interest, crime deterrence, the potential for law enforcement to assist the victim insured, and to enhance the insured’s reputation for well-handled incident response. Approximately 36% of respondents to an NYDFS survey already require their insureds to notify law enforcement of a cyber incident.
Although the Framework applies to all authorized property and casualty insurers that write cyber insurance, the NYDFS guidance states that even insurers that do not write cyber insurance should evaluate their exposure to “silent” risk and take appropriate steps to reduce that exposure.
NYDFS did not specify a timeline for the adoption of the best practices articulated in the Framework, but it would be prudent for regulated entities to consider these expectations particularly in the context of examination preparation and NYDFS’ recent and active outreach to its regulated entities in response to cybersecurity threats relevant to the financial sector.
Similarly, companies that may be applying for or renewing cyber insurance policies may wish to consider their relative preparedness for increased diligence at the underwriting phase, including scrutiny of any silent risk involved in current coverage as well as recent security enhancements and their relation to past claims data. Companies also may wish to internally review and assess their approach to the payment of ransoms in ransomware incidents, including security and technical measures implemented to decrease the risk of successful ransomware attacks or related service disruptions. Companies likewise may wish to internally review and assess their approach to incident reporting to law enforcement.