The Framework identifies best practices that property/casualty insurers “should employ” to manage cyber insurance risk and raises a number of issues relevant to multiple stakeholders including policyholders who rely on insurance as part of their cyber risk management strategy.
At its core the Framework is designed to address systemic risk to cyber insurers. But while NYDFS states that the Framework is directed to cyber insurers, those insurers that do not write cyber policies should assess and apply the Framework as relevant to “silent risk” they carry from non-cyber policies that may provide coverage for cybersecurity-related losses.
To provide context for the new Framework, NYDFS identifies the need to address systemic risk in light of several key factors:
NYDFS further expresses concern that if insurers are unable to adequately assess cyber risk, insureds could use cyber insurance in lieu of developing appropriate cybersecurity practices, which could increase cyber risks and negatively impact insurers’ business.
Notably, as to ransomware, NYDFS added its voice to the government entities advising against making ransom payments.
The Framework contains seven elements regarding insurer best practices for managing cyber insurance risk:
Each of these elements is important, but we call particular attention to elements 3, 4, and 7.
Regarding #3, DFS notes that evaluating systemic risk is an urgent issue in today’s marketplace, where businesses increasingly rely on a handful of providers for authentication, cloud services, and other important functions. The Framework document references the recent SolarWinds attack as an example of a vendor supply chain issue having a widespread impact. It also expresses concern about the possibility of an incident at a major cloud provider. While cyber insurers are unlikely to view the Framework as requiring that businesses adopt specific technologies to mitigate systemic risk, it will likely result in cyber insurers increasing their oversight and potentially focusing on new issues such as vendor diversification, to limit outsized impacts that might result from an incident at a larger vendor.
Regarding #4, the call to rigorously measure insured risk may result in more robust technical evaluations when businesses seek to acquire or renew cyber insurance policies. Given the importance of cyber insurance coverage to sophisticated businesses as part of overall risk management, the Framework and its corresponding effect on the underwriting processes of cyber insurers may, effectively, force organizations to orient their cyber assessment and risk management programs to the expectations of cyber insurers to a greater degree than exists today.
Regarding #7, the call to require via cyber insurance policies that insureds notify law enforcement of incidents may similarly shift practices. Today, a decision to inform and potentially engage with law enforcement in the aftermath of a cyber incident is informed by multiple considerations, and many cyber incidents do not result in any law enforcement interaction. Were cyber insurance coverage conditioned on such disclosure, however, it is reasonable to expect that businesses would become more inclined to disclose incidents to law enforcement, increasing the visibility of such incidents to law enforcement agencies and regulators alike.
The Framework is likely to have a significant influence on the development of cyber insurance coverage and enterprise risk management going forward. Other recent actions by NYDFS include the first enforcement action, announced last year, under its groundbreaking 2017 cybersecurity regulation. We expect NYDFS to continue to take a leadership role in cybersecurity regulation and policy.