The New York Department of Financial Services (DFS) has issued a Cyber Insurance Risk Framework (the “Framework”) of best practices for carriers. The first of its kind, the Framework instructs carriers to establish formal strategies for measuring and managing cyber risk. It applies to all insurers, not only those that write cyber policies, but also those that may be exposed to “silent” cyber risk, meaning potential cyber-related losses under traditional property and liability policies rather than under policies written specifically to cover cyber events.
Risks for carriers
The introduction to the Framework cites the COVID-19 pandemic, the SolarWinds hack, and the rise in ransomware attacks as examples of increased cyber risk for all organizations. Cyber insurance helps companies manage these risks and can also lead to better cybersecurity, since premium pricing can reward good cyber hygiene. DFS warns, however, that unless carriers assess risk accurately, the availability of cyber insurance can lead policyholders to rely on insurance instead of strong security.
In order for the cyber insurance market to better protect economic interests, the Framework lists six best practices that carriers “should employ”. Specifically, carriers should establish a “formal cyber insurance risk strategy” that incorporates each of the following practices:
- Manage and eliminate exposure to silent cyber insurance risk;
- Evaluate systemic risk;
- Rigorously measure insured risk;
- Educate insureds and insurance producers;
- Obtain cybersecurity expertise; and
- Require notice to law enforcement.
Although the Framework is neither a step-by-step guide nor a legal mandate, it explains how a carrier can “adopt an approach that is commensurate with its risk”.
The Framework emphasizes the importance of measuring risk and notes at the outset that current cyber exposure may be greatly underestimated relative to the premiums charged. Systemic risks, such as vulnerabilities in software shared by many policyholders or coordinated attacks by state-sponsored groups, can lead to large correlated losses. In addition, silent cyber risk, meaning losses from cyber incidents under policies that do not provide affirmative cyber coverage, creates uncertainty and represents exposure that may never have been measured as cyber risk before.
Although the Framework identifies a significant risk of loss, it offers little guidance on exactly how to “rigorously measure” that risk, beyond suggestions about the application process and the importance of obtaining clear information about an insured’s third-party vendors and open-source software components. (DFS has emphasized the importance of third parties before, identifying them, as the Office of the Comptroller of the Currency has also done, as a consistent weak link in cybersecurity efforts.) As the cyber insurance market matures, we can expect to see more standardized cyber hygiene assessments, such as the Cybersecurity Maturity Model Certification (CMMC) and the Basic Assessment that the Department of Defense is currently implementing for contractors in its supply chain.
Other aspects of the Framework focus on risk management. Carriers should educate their policyholders about cybersecurity, teaching them good practices. This is consistent with the cyber insurance market’s role in strengthening security, and it also reduces the overall cyber risk carried by the insurance system. In addition, carriers themselves should stay informed by recruiting and training cybersecurity experts and by building relationships with sophisticated vendors.
The Framework also recommends that policies require victims to notify law enforcement as a condition of coverage. Many companies are hesitant to call law enforcement, even when they are the victims of cybercrime. Because some attacks could have been prevented by good cyber hygiene, there is an element of “victim blaming” that discourages companies from reporting to the authorities. In addition, some have expressed concern that involving law enforcement may limit a victim’s options for responding to an attack, for example because of official positions against paying ransoms.
Against these potential disadvantages, DFS emphasizes that law enforcement agencies are repositories of knowledge about incidents. Beyond helping the current victim, what is learned from one incident can be used to help the next potential victim or even to prevent attacks.
DFS has never shied away from new problems facing insureds and carriers. In particular, DFS has led the way in cybersecurity regulation at least since its cybersecurity regulation, 23 NYCRR Part 500, took effect in 2017. We hope that DFS will continue its dialogue with the industry, leading to more comprehensive and specific guidance. Bradley will report on new developments.