On February 4, 2021, the New York Department of Financial Services (NYDFS) issued Circular Letter No. 2 announcing a Cyber Insurance Risk Framework (the Framework) that describes industry best practices for New York-regulated property/casualty insurers. Issuance of the Framework is notable as it represents the first official guidance by a U.S. regulator concerning the increasingly critical issue of cyberinsurance. And while circular letters do not establish new legal requirements or have the force of law, they do set forth the department’s interpretation of the requirements of existing laws and regulations.1

Background

According to NYDFS, the department released this Framework now due to the increase in frequency and cost of ransomware attacks as well as the shift that many have made online due to COVID-19 — two trends that have resulted in a massive increase in cyber risk around the world, with associated increases in concrete instances of cybercrime. In the accompanying press release, NYDFS Superintendent Linda A. Lacewell stated that cybersecurity is the biggest risk for government and private organizations and described how the Framework is based on “extensive dialogue with industry and experts.”

The Framework

While acknowledging that “[e]ach insurer’s cyber insurance risk will vary based [on] many factors,” the Framework nonetheless describes seven practices that authorized property/casualty insurers should use to manage their cyber insurance risk. According to NYDFS, the incorporation of these practices should be proportionate to each insurer’s size, resources, geographic distribution, and other factors. Insurers should:

  1. Establish a Formal Cyber Insurance Risk Strategy. Senior management and the board of directions should have input and approve of a “formal cyber insurance risk strategy” that “include[s] clear qualitative and quantitative goals for risk, and progress against those goals should be reported” to management regularly.
  2. Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Silent cyber insurance risk, the Framework explains, is risk that an insurer must cover loss from a traditional insurance policy that does not expressly mention cyber risks. The Framework instructs insurers to make clear in any policy possibly subject to a cyber claim whether the policy specifically includes or excludes cyber-related losses. It also calls for insurers to “take steps to mitigate existing silent risk, such as by purchasing reinsurance.”
  3. Evaluate Systemic Risk. Systemic risk includes critical third-party vendors and catastrophic cyber events involving third parties, such as NotPetya and SolarWinds. Insurers should regularly conduct “internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events” and track their impact “across the different kinds of insurance policies they offer as well as across the different industries of their insureds.”
  4. Rigorously Measure Insured Risk. Authorized property/casualty insurers should use a data-driven and comprehensive plan to assess gaps and vulnerabilities in the cybersecurity of their insureds and potential insureds. Insurers should consider gathering information from firsthand sources, such as interviews and reviewing policies, and third-party sources, such as external cyber risk evaluations so their plan is “detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity.”
  5. Educate Insureds and Insurance Producers. Insurers should offer comprehensive information about cybersecurity measures and incentivize the adoption of these measures through insurance pricing policies based on the effectiveness of each insured’s cybersecurity program.
  6. Obtain Cybersecurity Expertise. This includes not only recruitment of those with cybersecurity experience and skills but a commitment by insurers to these employees’ training and development so as to “properly understand and evaluate cyber risk.”
  7. Require Notice to Law Enforcement. Cyber insurance policies should require victims to notify law enforcement in the event of a cyberincident. “[L]aw enforcement,” the Framework explains, “often has valuable information that may not be as available to private sources and can help victims of a cyber-incident”; can help “recover data and funds that were lost”; can “enhance a victim’s reputation”; and can “warn others of existing cybersecurity threats, and deter future cybercrime.” Moreover, the Framework observes, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) will consider an insurer’s decision to contact law enforcement as a mitigating factor in the event that sanctions are issued. (We addressed OFAC’s recently issued advisory highlighting the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands in this October 2020 client alert.) Based on NYDFS’s survey, 36% of insurers already require their cyber insurance insureds to notify law enforcement of a cyberincident.

As NYDFS notes in its press materials, the department’s goal in promulgating this Framework is “to facilitate the continued growth of a sustainable and sound cyber insurance market.” Managing cyber risk is an urgent challenge for insurers, not only in light of the overall rising costs of cybercrime but also because cyberthreats pose unique challenges. Insurers must account for the systemic risk “that occurs when a widespread cyberincident damages many insureds at the same time,” as illustrated by the recent SolarWinds supply chain compromise; moreover, many insurance policies “do not explicitly grant or exclude cyber coverage — so-called ‘non-affirmative’ or ‘silent’ risk,” which creates uncertainty and the potential for massive, unintended losses to insurers. The NYDFS Framework is designed to encourage insurers to address these issues and thereby help mitigate and reduce the risks and costs of cybercrime.

The Framework is the most recent move by the NYDFS concerning cybersecurity. In 2017, NYDFS put into effect a first-of-its-kind cybersecurity regulation (23 NYCRR 500) that, among other things, requires all entities and persons regulated by the NYDFS to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of their information systems and their customers’ nonpublic personal information and sets minimum standards for compliance related to the assessment of cybersecurity risks, the prevention and detection of security events, and postbreach management. Thereafter, in 2019, the department created a Cybersecurity Division to focus specifically on protecting industries and consumers from cyberthreats. Implementation of the NYDFS cybersecurity regulation is now in full swing, with the department having filed its first public statement of charges thereunder in July 2020, as described in our August 2020 client alert.