The New York Department of Financial Services’ recently issued Cyber Insurance Framework provides best practices for managing cyber insurance risk. We spoke with two experts, David Lineman, CEO of Information Shield, and Joshua Mooney, partner at Kennedys Law, about its implications for the insurance industry.
Let’s start with the New York Department of Financial Services’ cyber regulations that went into effect in 2019. In a nutshell, what are they?
JM: They were the first of their kind, requiring cybersecurity programs based on risk assessments and certification of compliance. They regulate organizations in the New York banking, insurance and financial services sectors. In essence, they require that every organization have a comprehensive cybersecurity program based on periodic risk assessments that identify and evaluate vulnerabilities, threat vectors, and other risks that the company faces due to its industry and the nature of its business, and the data that it collects or otherwise is responsible for. Insurance carriers and brokers conducting business in New York must comply with them. It’s also noteworthy that the NAIC’s Model Law on Insurance Data Security borrowed heavily from these regulations.
What’s the new NY DFS Cyber Insurance Framework and why was it created?
DL: After studying hundreds of data breaches, the NY DFS concluded that several areas of cyber risk have potential for massive claim exposure. The Framework helps insured companies adopt systemic controls to identify and reduce this risk across their portfolio.
What are key cyber risk areas they found?
DL: These fall into two primary categories. “Silent” (non-affirmative) risk is buried in the insurance policies themselves. Breach data and claims data show that policy coverage does not always clearly map to real events. For example, some clients may have thought that they were covered for ransomware payments, but found they weren’t. In other words, neither the insurer nor the insured had a concrete idea of which loss events were covered. The idea is to close this gap.
The second type is direct “systematic cyber risk,” such as ransomware. A 2020 DFS survey revealed that from early 2018 to late 2019, the number of insurance claims from ransomware increased by 180%, and the average cost of ransomware claims rose by 150%. Most breaches can be prevented by key security practices, but insurers have no way to easily verify that covered clients are following them.
What are the main goals of the Framework and how do they align with other governmental agency advisories?
JM: Ultimately, the cyber regulations were passed with the realization that the banking, financial services and insurance industries are components of critical infrastructure and should be protected against catastrophic incidents. The Framework continues with that theme and is geared toward the stability of the insurance industry. Its issuance undoubtedly was motivated by increased risk exposures, the spiraling cost and changing nature of ransomware attacks, and the widespread effects of recent (and notorious) supply chain attacks in NotPetya and SolarWinds. They are more or less “best practices” right now, but how long will it be before they become expectations and standards for duty of care and regulatory compliance? That is something to watch.
Among other recommendations, the Framework requests that carriers identify and quantify affirmative and non-affirmative cyber exposures in their underwriting. Other governmental and non-governmental agencies are making similar requests or demands. For instance, the Bermuda Monetary Authority now (beginning January 2022) requires disclosures from insurers about how they’re managing affirmative and non-affirmative cyber exposures, and clarification as to whether a policy provides cyber coverage. The London Market has made a similar proposal to have carriers specify whether their policies provide cyber coverage. In short, given the ever-expanding scope and severity of cyber risk and, at least here in the U.S., liberal policy construction by courts, there is real concern.
How are the NY DFS cyber regulations different from the NY SHIELD Act?
JM: The NY SHIELD Act is a statute that applies to any person or business owning or licensing computerized data that includes “private information” of a NY resident, including employers. It requires such persons and businesses to have a data security program that includes reasonable administrative, technical and physical safeguards. The statute also provides examples of reasonable safeguards. The NY DFS cyber regulations were promulgated by DFS and specifically apply only to organizations in the banking, insurance, and financial services industries. (Separate regulations also apply to credit reporting agencies.) They govern a broader swath of information, including critical business information, require annual certification of compliance with DFS, and are subject to enforcement by DFS. Thematically, I would argue that the SHIELD Act is more about consumer protection, whereas the NY DFS regulations are to help preserve and protect critical infrastructure, although there is a consumer protection purpose in them, too. Incidentally, having a cybersecurity program that complies with the NY DFS Cyber Regulations serves as a basis for having a compliance program under the SHIELD Act.
Is the Framework meaningful outside of New York?
DL: This Framework is not an official regulation in any state. The first similar state-based regulation was the NYS-DFS CRM 500, and that called for specific cyber security controls for insurance companies. This same approach has been adopted in other states as a de facto standard. Recognizing the need, the NY DFS has tried to get ahead of the curve and provide a model framework for the entire industry.
What does this new guidance mean for insurers and what are the key provisions?
JM: The Framework requests insurance carriers, both cyber and non-cyber, to develop and implement a “formal insurance risk strategy” for measuring cyber insurance risk. This risk strategy should involve senior management and a carrier’s board, if any. The risk strategy also should incorporate six practices:
- Manage and eliminate exposure to silent cyber insurance risk.
- Evaluate systemic risk such as supply chain attacks and risk vectors through third parties; “conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events.”
- Rigorously measure insured risk by evaluating policyholders’ cyber hygiene.
- Educate insureds and insurance producers on cyber risk and incentivize cybersecurity through pricing, discounted access to services, or other means.
- Obtain cybersecurity expertise.
- Require notice to law enforcement in policies.
Citing the October 2020 advisory issued by the Office of Foreign Assets Control (OFAC), the Framework also recommends against making ransom payments in response to ransomware attacks. Carriers can look to cyber counsel and consultants to help them implement these recommendations.
What does this new guidance mean for insureds?
DL: Insureds will have to demonstrate to insurers that they’re following key cyber security practices. This is a difficult process, since there is no current standard for one company to demonstrate cyber maturity to another, let alone share this information in a secure manner. Much validation is still done manually with spreadsheets and inconsistent processes.
What are some immediate steps that insurers should take?
DL: Insurers should update their internal cyber governance controls to line up with the Framework, which may be viewed as a standard of care for cyber insurance risk management. In truth, most of these key pillars are common sense and would be part of any reasonable cyber risk program. Second, insurers should measure the cyber maturity and key dependencies of their entire client portfolio.
What are some immediate steps that insureds should take?
DL: If you’re in business today, you must be prepared to demonstrate to regulators, customers, and insurers that your company is cyber secure—that’s simply the cost of doing business today. Insureds must accept insurers will want data about program maturity, and likely even specific controls, such as those that protect against ransomware. Each company must understand their own security posture and be prepared to remediate gaps.
Insureds should also start looking for incentives to take advantage of good cyber practices. As per the NY DFS, insurers should incentivize better cybersecurity measures by pricing policies based on the effectiveness of cybersecurity programs. In short, more information shared between insurers and insureds will lower cyber risk and hopefully lead to improved policies with better premiums.
We want to thank Mr. Mooney and Mr. Lineman for their respective insights here. Cyber insurers and brokers have been paying attention to NYDFS’ Cybersecurity Regulation, Part 500 of Title 23, not only because it directly affects their own companies but also because many of their cyber-insured policyholders are in the financial services sector.
Moreover, there have been enforcement actions taken against companies with allegations of anemic cybersecurity practices that resulted in data breach incidents exposing sensitive customer information. Given the rise of ransomware, we can expect more enforcement, which can include significant monetary penalties of $1000 “per violation” (legal experts have interpreted that to mean each customer record exposed).
The more recent 2021 Cyber Insurance Framework further demonstrates the importance of cyber risk insurance coverage, and the guidance signals that New York regulators intend to be proactive in ensuring that the financial services sector can reasonably manage emerging cyber risk.