DFS Provides Framework for Cybersecurity Risk
February 18, 2021 | Shari Claire Lewis
On February 4, 2021, New York’s Department of Financial Services (DFS) issued Insurance Circular Letter No. 2, which builds on its 2017 Cybersecurity Regulation (23 NYCRR 500). The Letter discusses the current state of the cyber insurance industry and sets out a seven-part Cyber Insurance Risk Framework to help insurers assess and control cyber risk. Many of the Framework’s tools may also be useful to other types of businesses.
According to the Letter, cyber insurance plays a key role in managing and reducing cyber risk. Although a relatively new area of insurance, the market is projected to grow from $3.15 billion to over $20 billion by 2025. In addition, coverage for cyber incidents is frequently sought under non-cyber policies. This creates what is referred to as “non-affirmative” or “silent” risk, which insurers may not consider when underwriting non-cyber policies. For this reason, DFS opines that the premium dollars collected for cyber insurance may not correlate with insurers’ actual cyber risk, which DFS believes has been grossly underestimated. DFS therefore recommends that even insurers that write few or no cyber insurance policies measure and manage the silent risk in their non-cyber policies.
Ransomware is the primary, but by no means the only, risk driving cyber losses in recent years. The number of ransomware claims reported to DFS doubled in 2020. Nevertheless, in accord with recent law enforcement positions, DFS recommends against making ransom payments: such payments not only fuel future ransomware attacks but may also, under certain circumstances, expose the victim to liability for making payments to sanctioned entities.
DFS’ Cyber Insurance Risk Framework sets forth seven specific practices that insurers are encouraged to implement. Moreover, as noted in the “Other Entities” paragraph following each recommended practice, other types of organizations may also benefit from similar actions to strengthen their cybersecurity and reduce their cyber insurance premiums.
- Establish a Formal Cyber Insurance Strategy
An insurer’s strategy should include a defined process to measure the cyber risk and “clear qualitative and quantitative goals for risk.” The formal strategy should be controlled and periodically assessed by the highest levels of the insurer’s management.
Other Entities – Responsibility for cybersecurity practices should likewise be entrusted to top-level management, who will be responsible for overseeing the members of the organization’s cyber team in the creation, rollout, and enforcement of a formal cybersecurity strategy.
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk
Insurers should evaluate whether they are exposed to silent or non-affirmative cyber risk that could result in unexpected coverage for a cyber incident under a policy that does not explicitly mention cyber coverage and for which no premium was paid. Silent risk has resulted in coverage under a variety of combined-coverage and standalone non-cyber policies, such as errors and omissions, burglary and theft, general liability, and product liability. Ultimately, over time, insurers should eliminate silent risk by adding specific language to every policy that expressly includes or excludes cyber liability coverage.
Other Entities – Entities should consider the converse of silent risk: the mistaken belief that coverage for a cyber event will be available under traditional non-cyber policies. The better practice is for the entity to procure cyber insurance coverage, which will also provide a range of first-party and third-party benefits in the event of a cyber incident.
- Evaluate Systemic Risk
Insurers must evaluate cyber risk not just as to each insured’s individual exposure, but also as to broader risks to the cyber environment, such as malware attacks that infect many entities at the same time or that disable widely used, mission-critical vendors like cloud service providers on whom many entities rely. The recent SolarWinds supply-chain compromise, in which a trojanized software update reached a large number of organizations, is an example of a systemic risk. To evaluate systemic risk, insurers should consider whether their insureds’ reliance on third-party vendors, such as cloud services and managed service providers, creates a real, albeit unlikely, risk of a catastrophic event that could inflict tremendous losses on insurers. Insurers should also engage in internal stress testing that accounts for both silent and affirmative risk in the event of a catastrophic cyber event.
Other Entities – Each entity should consider the cyber environment in which it operates, including the necessity of and terms under which it interacts with vendors, the vendors’ security practices, and the vendors’ obligations to the entity in the event of a cyber event.
- Rigorously Measure Insured Risk
Cyber insurers should employ a “data-driven, comprehensive plan” to assess the potential cyber risk of each insured. DFS recommends a robust multi-stage plan to gather information regarding the insured’s cybersecurity program, including governance, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning, and third-party security practices.
Other Entities – Each entity should likewise create and follow a data-driven comprehensive plan to assess and manage its cyber risk. Carriers may require such a plan from the entity as a condition to providing cyber insurance coverage.
- Educate Insureds and Insurance Producers
DFS emphasizes the important role that cyber insurers have in educating their insureds about cybersecurity to help reduce the risk of cyber incidents. It is recommended that insurers offer information and assistance in risk mitigation and provide financial incentives to insureds for adopting better cyber practices. Insurers should also educate insurance producers to ensure that the need for, benefits of, and limitations to cyber insurance are understood and accurately conveyed to potential insureds.
Other Entities – Knowledge is power! Entities should take advantage of the educational resources offered to them by insurers, industry organizations, and vendors. Entities should retain qualified insurance brokers and legal counsel who are familiar with cybersecurity insurance and can advise entities about how to prepare for and respond to a cyber event.
- Obtain Cybersecurity Expertise
Insurers offering cyber insurance should recruit and train employees to work on cybersecurity insurance and, where appropriate, retain suitable consultants or vendors.
Other Entities – Entities should employ in-house or outside IT staff who understand the technology the entity relies on and the constantly evolving cybersecurity risk. Although in-depth technical knowledge is essential to the work performed by IT staff, it is important that every employee, from the C-Suite down, have a general understanding of cybersecurity risk and their own responsibility to mitigate it.
- Require Notice to Law Enforcement
DFS recommends that cyber insurance policies include a requirement that victims notify law enforcement of a cyber event. Reporting the event is beneficial to both the victim, who may receive some direct benefit from law enforcement’s involvement, and the public, as the information may be useful to deter or thwart similar events in the future.
Other Entities – Every entity should have a rapid-response plan that details to whom an event should be reported based on the nature and scope of the event and the data involved. The plan should identify the personnel who will report the event to the entity’s cyber insurer, law enforcement, and legal counsel. Entities should also familiarize themselves with any reporting requirements imposed on them by their industry sector.
The Letter reasonably states that the Framework is intended to help insurers more accurately assess and plan for cyber risk. The resulting improvement of the cyber insurance market may, in turn, reduce insurance premiums by identifying and eliminating cyber risks. Those efforts will ultimately benefit consumers who entrust their sensitive data to the insured organizations.
- Shari Claire Lewis