In February of 2021, the New York State Department of Financial Services released a new framework for regulated property and casualty insurance companies to help manage the cyber insurance risk within their portfolios. Now, unless you’re a New York-regulated property and casualty insurer, you may think this new framework does not impact you as a cyber insurance buyer. While it’s true that there is no direct impact, you are likely to see an indirect impact on your insurance program.
The NYDFS framework provides six categories where insurance companies should be focused on cyber risk:
- Manage and eliminate exposure to “silent” cyber insurance risk, which results from an insurer’s obligation to cover loss from a cyber incident under a policy that does not explicitly mention cyber incidents.
- Evaluate systemic risk, including the impact of catastrophic cyber events involving third-party service providers, such as the recently discovered SolarWinds supply chain attack.
- Rigorously measure insured risk by using a data-driven approach to assess potential gaps and vulnerabilities in insureds’ cybersecurity.
- Educate insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations to cyber insurance.
- Obtain cybersecurity expertise through strategic recruiting and hiring practices.
- Require notice to law enforcement in the event of a cyber attack.
If you’ve been following the Cyber Dan Insights on YouTube or our Cyber Notebook, you probably recognize a lot of these themes. I would even argue that cyber insurance carriers have already implemented many of these controls, but for the sake of a thought exercise, let’s go through three key outcomes you can expect to see from the cyber insurance market if this new framework is followed.
Silent Cyber and Aggregation Risk
Silent Cyber is going away, and insurance carriers are much more aware of where systemic risk exists within their portfolios. Property insurance programs and cargo insurance programs no longer include coverage for a cyber event just because the policy language was silent. As a buyer of insurance, you’ve likely seen exclusions pop up in some of your traditional insurance policies, explicitly stating that cyber events are not covered.
In today’s insurance market, you’ve got to be specific about the cyber risks your company faces and how you want to insure those risks through a dedicated cyber insurance policy.
Focus on Cybersecurity Controls
Further, this framework encourages cyber insurers to hire dedicated cybersecurity expertise, use a data-driven approach to assessing cybersecurity and the risks presented, and educate customers about the benefits of cybersecurity practices. Again, much of this is already happening at insurance carriers, and I expect you’ll start to see more outputs of this investment in the near future. Cyber insurance carriers are in a unique position to define best practices from a security standpoint and to provide data on losses tied to having specific controls in place.
Engaging Law Enforcement
Finally, the framework suggests a requirement that all cyber insurance claims include notice to law enforcement. As I’ve detailed in a previous blog post, engaging the FBI or other law enforcement is now considered a best practice and can actually be viewed favorably if you find yourself needing to pay the ransom during a ransomware incident.
Subscribe to the Woodruff Sawyer YouTube Channel for more Cyber Dan Insights.