FROM THE LEGISLATIVE/REGULATORY CORNER
Paul C. Latchford
New York Department of Financial Services (DFS) Issues Circular Letter No. 2 (2021)
Cybersecurity
The New York DFS issued Circular Letter No. 2 (2021) on February 4, 2021 to all authorized property and casualty insurers in New York, outlining a “Cyber Risk Framework” that every authorized property and casualty insurer writing cyber insurance should create and employ to manage its cyber insurance risk substantially and effectively. Since the early time frames of the development of the New York Cybersecurity Regulation (23 NYCRR 500) in 2017, I have provided periodic updates on developments, and this represents the latest information.
The DFS released the “Framework” to address the increase in the frequency and cost of ransomware attacks, as well as the shift of so much activity online due to Covid-19. These trends have produced a massive increase in cyber risk and in the number of cybercrime incidents.
There are two aspects of this “Framework” that are notable for property and casualty insurers. First, DFS has emphasized the “silent risk” that exists in many non-cyber insurance policies. This is the exposure to cyber losses under property and casualty policies that neither explicitly provide coverage for, nor explicitly exclude, cyber incidents. Property and casualty insurers are encouraged to review their policy forms and make sure that each form explicitly addresses whether it provides coverage for cyber incidents.
The second key point the Circular Letter discusses is that the DFS recommends against ransom payments. The Circular Letter references an October 2020 guidance by the Office of Foreign Assets Control (OFAC) stressing the national security risk posed by ransom payments and stating that intermediaries, such as insurers, can be liable for ransom payments made to sanctioned entities. It appears that many cyber insurance policies provide coverage for ransom payments made by insureds to cyber-criminals.
The Circular Letter/Framework describes seven specific practices that authorized property/casualty insurers should use to manage their cyber insurance risk. According to the DFS, the incorporation of these practices should be proportionate to each insurer’s size, resources, geographic distribution and other factors. These seven practices are:
- Establish a Formal Cyber Insurance Risk Strategy. Senior management and the board of directors should have input into, and approve, a “formal cyber insurance risk strategy” that “include(s) clear qualitative and quantitative goals for risk, and progress against those goals should be reported” to management regularly. The strategy should incorporate the key practices identified in this Framework.
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Silent cyber insurance risk, the Framework explains, is the risk that an insurer must cover a loss under a traditional insurance policy that does not expressly mention cyber risks. The Framework instructs insurers to make clear in any policy possibly subject to a cyber claim whether the policy specifically includes or excludes cyber-related losses. It also calls for insurers to “take steps to mitigate existing silent risks, such as by purchasing reinsurance”. It is noted that cyber risks have not been quantified or priced into these policies, which exposes insurers to unexpected losses.
- Evaluate Systemic Risk. Systemic
risk includes critical third-party vendors and catastrophic cyber
events involving third parties. Insurers should regularly conduct
“internal cybersecurity stress tests based on unlikely but realistic
catastrophic cyber events” and track their impact “across the different
kinds of insurance policies they offer as well as across the different
industries of their insureds”.
- Rigorously Measure Insured Risk. Authorized property/casualty insurers should use a data-driven and comprehensive plan to assess gaps and vulnerabilities in the cybersecurity of their insureds and potential insureds. Insurers should consider gathering information from firsthand sources, such as interviews and reviews of policies, and from third-party sources, such as external cyber risk evaluations, so that their plan is “detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity.”
- Educate Insureds and Insurance Producers.
Insurers should offer comprehensive information about cybersecurity
measures and incentivize the adoption of these measures through
insurance pricing policies based on the effectiveness of each insured’s
cybersecurity program.
- Obtain Cybersecurity Expertise. This
includes not only recruitment of those with cybersecurity experience
and skills but a commitment by insurers to these employees’ training and
development so as to “properly understand and evaluate cyber risk”.
- Require Notice to Law Enforcement.
Cyber insurance policies should require victims to notify law
enforcement in the event of a cyber-incident. “Law Enforcement”, the
Framework explains, “often has valuable information that may not be
available to private sources and can help victims of a cyber-incident”;
can help “recover data and funds that were lost”; can “enhance a
victim’s reputation”; and can “warn others of existing cybersecurity
threats and deters future cybercrime.”
The Superintendent of DFS felt that this Framework has application beyond just the cyber insurance underwriters. Property and casualty insurers that do not write cyber insurance are still exposed through silent risk. In 2019, the U.S. cyber insurance market was $3.15 billion, and it is estimated that by 2025 it will be over $20 billion. These numbers understate insurance coverage of cyber risk, as many insurance claims arising from cyber incidents are submitted under non-cyber insurance policies.