FROM THE LEGISLATIVE/REGULATORY CORNER

Paul C. Latchford

New York Department of Financial Services (DFS) Issues Circular Letter No. 2 (2021)

Cybersecurity

The New York DFS issued on February 4, 2021 Circular Letter No. 2 (2021) to all authorized property and casualty insurers in New York outlining a “Cyber Risk Framework” that all authorized property and casualty insurers that write cyber insurance should create and employ to substantially and effectively manage their cyber insurance risk. Since the early time frames of the development of the New York Cybersecurity Regulation (23NYCRR500) in 2017, I have provided periodic updates on developments and this represents the latest information.

The DFS released the “Framework” to address the increase in frequency and cost of ransomware attacks as well as the shift that many have made online due to Covid-19. These trends have resulted in a massive increase in cyber risk and increases in the number of instances of cybercrime.

There are two aspects of this “Framework” that are notable for property and casualty insurers. DFS has emphasized the “silent risk” that exists in many non-cyber insurance policies. This relates to the exposure for cyber risks under property and casualty policies that do not explicitly provide coverage for, or exclude, cyber incidents. Property and casualty insurers are encouraged to review policy forms and make sure that they explicitly address whether they provide coverage for cyber incidents. The second key point the Circular Letter discusses is that the DFS recommends against ransom payments. The Circular Letter references an October 2020 guidance by the Office of Foreign Asset Control (OFAC) stressing the national security risk posed by the ransom payments and stating that intermediaries, such as insurers, can be liable for ransom payments made to sanctioned entities. It appears that many cyber insurance policies provide coverage for ransom payments made by the insureds to cyber-criminals.

The Circular Letter/Framework describes specifically seven practices that authorized property/casualty insurers should use to manage their cyber insurance risk. According to the DFS, the incorporation of these practices should be proportionate to each insurer’s size, resources, geographic distribution and other factors. These seven practices are:

  1. Establish a Formal Cyber Insurance Risk Strategy. Senior management and the board of directors should have input and approve of a “formal cyber insurance risk strategy” that “include(s) clear qualitative and quantitative goals for risk, and progress against those goals should be reported” to management regularly. The strategy should incorporate the key practices identified in this Framework.

  2. Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Silent cyber insurance risk, the Framework explains, is risk that an insurer must cover loss from a traditional insurance policy that does not expressly mention cyber risks. The Framework instructs insurers to make clear in any policy possibly subject to a cyber claim whether the policy specifically includes or excludes cyber-related losses. It also calls for insurers to “take steps to mitigate existing silent risks, such as by purchasing reinsurance”. It is noted that cyber risks have not been quantified or priced into these policies and exposes insurers to unexpected losses.
  1. Evaluate Systemic Risk. Systemic risk includes critical third-party vendors and catastrophic cyber events involving third parties. Insurers should regularly conduct “internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events” and track their impact “across the different kinds of insurance policies they offer as well as across the different industries of their insureds”.
  1. Rigorously Measure Insured Risk. Authorized property/casualty insurers should use a data-driven and comprehensive plan to assess gaps and vulnerabilities in the cybersecurity of their insureds and potential insureds. Insurers should consider gathering information from firsthand sources, such as interviews and reviewing policies, and third-party sources, such as external cyber risk evaluations so their plan is “detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity.”
  1. Educate Insureds and Insurance Producers. Insurers should offer comprehensive information about cybersecurity measures and incentivize the adoption of these measures through insurance pricing policies based on the effectiveness of each insured’s cybersecurity program.
  1. Obtain Cybersecurity Expertise. This includes not only recruitment of those with cybersecurity experience and skills but a commitment by insurers to these employees’ training and development so as to “properly understand and evaluate cyber risk”.
  1. Require Notice to Law Enforcement. Cyber insurance policies should require victims to notify law enforcement in the event of a cyber-incident. “Law Enforcement”, the Framework explains, “often has valuable information that may not be available to private sources and can help victims of a cyber-incident”; can help “recover data and funds that were lost”; can “enhance a victim’s reputation”; and can “warn others of existing cybersecurity threats and deters future cybercrime.”

The Superintendent of DFS felt that this Framework has application beyond just the cyber insurance underwriters. Property Casualty insurers that do not write cyber insurance are exposed by the silent risk. In 2019, the U.S. cyber insurance market was $3.15 billion and it is estimated that by 2025 it will be over $20 billion. These numbers understate insurance coverage of cyber risk as many insurance claims arise from cyber incidents submitted under non-cyber insurance policies.