New York Regulator Issues Cyber Insurance Guidelines

Mar 17, 2021 Published Article

From the rise of ransomware attacks to the recent SolarWinds-based cyber espionage campaign that struck at the very heart of the U.S. Government, it is apparent that cybersecurity is more critical than ever. COVID-19 and the remote workplace has only served to embolden cyber criminals, and cyber risk now permeates nearly every aspect of modern life from health care data to national security.

Cyber insurance plays a critical role in managing cyber risk, and businesses increasingly rely on such coverage to minimize cyber losses. Because of surging cybercrime, it is estimated that the cyber insurance market will increase from $3.15 billion in 2019 to $20 billion by 2025. Having a robust cyber insurance market and ample available coverage is vital to U.S. businesses.

In recognition of this reality, the New York Department of Financial Services recently issued the first guidance by a U.S. regulator on cyber insurance—a Cyber Insurance Risk Framework. A key premise of the Framework is to drive improved cybersecurity and cyber risk management, thereby reducing cyberattacks and ensuring that cyber insurance premiums do not spiral out of control. The Framework recognizes the importance of ensuring a healthy cyber insurance market, and applies to all property/casualty insurers that write cyber insurance.

The Framework recommends seven key practices to minimize cyber risk to businesses and decrease the risk to insurers that underwrite and issue cyber insurance policies:

  1. Establish a formal cyber insurance risk strategy directed and approved by senior management and the board of directors or the governing body of a business.
  2. Manage and eliminate exposure to silent cyber insurance risk—risk that an insurer must cover a cyber incident under a policy that does not specifically mention cyber.
  3. Evaluate systemic risk—understand critical third parties such as cloud services and managed services providers used by insureds and the impact they have on cyber risk.
  4. Rigorously measure insured risk by a data-driven, comprehensive plan for assessing the cyber risk of each insured and understanding their cybersecurity programs and any potential gaps, including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response plans, third-party security policies and past claims/cyberattacks.
  5. Educate insureds and insurance producers—insurers should offer comprehensive information about the value of cybersecurity and incentivize the adoption of strong cybersecurity measures by pricing policies accordingly.
  6. Obtain cybersecurity expertise to understand and evaluate cyber risk.
  7. Require notice to law enforcement of cyber incidents.

The Framework recognizes the challenges faced by insurance carriers in underwriting cyber policies of insurance due to unknown risk and rising costs of cyber losses and the fact that businesses play a critical role in reducing the risks of cybercrime. Expect that companies will no longer be able use cyber insurance as a substitute for improving cyber security and that insureds will be required to evaluate and improve their cybersecurity measures and shoulder the burden of reducing risks from cyberattacks. Also expect that cyber insurance carriers will scrutinize cyber risks and cyber security measures much more carefully when determining what coverage, if any, to provide at what price.

Understanding the coverages available and purchasing cyber coverage that is best for your business can help protect your company in the event of a cyberattack or data breach. If your company needs assistance understanding insurance coverage available under traditional policies or cyber policies of insurance, Newmeyer Dillion’s Cybersecurity Team can help.  To discuss further, contact Anne Kelley, Esq. (925.988.3223) located at the Walnut Creek location or Jeffrey Dennis, Esq. (949.271.7316) located at the Newport Beach location.