Insurers Beware: Potential Impacts of New York’s Cyber Insurance Risk Framework

New York remains extremely active in the cybersecurity and data protection arena.

During its current legislative session, New York is considering a proposed privacy bill that would greatly enhance consumer privacy rights, increase business obligations and create new litigation/enforcement exposure.

Meanwhile, the New York Department of Financial Services (NYDFS) has recently filed its first Cybersecurity Regulation enforcement actions, has required regulated entities to formally notify the NYDFS if they were directly impacted by the SolarWinds incident and has issued the nation’s first Cyber Insurance Risk Framework.

The Framework applies directly to all property/casualty insurers registered with the NYDFS. The stated goals of the framework are to facilitate the continued growth of a sustainable and sound cyber insurance market by outlining best practices for managing cyber insurance risks.

Not only are insurers writing cyber insurance obligated to follow the framework’s guidance, but all insurers need to evaluate their silent risk – or the risk that an insurer must cover losses from a cyber incident under a policy that does not explicitly grant or exclude cyber coverage – and take steps to reduce that exposure.

The framework also advises cyber insurers that the NYDFS recommends against making ransomware payments and reminds insurers to be mindful of their obligations to report demands for ransom payments by cybercriminals as explained in recent advisories issued by FinCEN and OFAC.

The framework comes as the cyber insurance market is exploding. In 2019, the cyber insurance market was $3.15 billion, and it is estimated that by 2025, it will be more than $20 billion. At the same time, organizations are facing increased cyber risk as cyber crime is becoming more common, more sophisticated and more costly.

Cyber Insurance Risk Framework

With this in mind, NYDFS’ Cyber Insurance Risk Framework requires all insurers to sustainably and effectively manage their cyber insurance risk.

While noting that each insurer’s risk will vary based on many factors including size, resources, geographic distribution, market share and industries served, the framework requires all insurers to review their best practices and take an approach proportionate to their risk. Specifically, the framework identifies the following best practices:

Potential Impacts for Insurers

All insurers must pay attention to the framework’s requirements, including those related to ransomware payments.

The framework has the potential to alter numerous aspects of cyber insurance coverage, including areas that have been identified as a prime concern for insurers for years. Areas that may be impacted by the framework include:

Chances are that many insurers have already started implementing the practices identified in the framework. But as cyber crime continues to grow at an exponential rate, the pressure is on insurers to properly assess and evaluate cyber risk and current market demands from insureds.

Much like their insureds, insurers must be proactive in establishing a formal strategy for measuring cyber risk and minimizing potential exposure. By implementing the objectives in the framework, insurers will remain competitive within the marketplace while helping their insureds establish sound cybersecurity measures to mitigate potential losses from cyber threats.