As we've seen over the years in guidance from regulatory agencies and from state and federal governments, cyber risk continues to be a clear and present threat for the financial services industry.
We've seen a handful of alerts about phishing campaigns from the Financial Industry Regulatory Authority and news of a new enforcement group to combat cyber threats from the Securities and Exchange Commission. This month, the New York Department of Financial Services (NYDFS) has released a new framework designed to help New York-regulated property/casualty insurers.
To help address cyber risk, NYDFS has released a Cyber Insurance Risk Framework that insurers can follow to ensure they're adhering to best practices for managing cyber insurance risk. While they're not legally enforceable, the recommendations help illustrate how NYDFS interprets requirements of existing laws and regulations and may be helpful to insurers and covered entities alike.
NYDFS is behind the United States' first cybersecurity regulation for financial services companies - 2017's NYDFS Cybersecurity Regulation, 23 NYCRR 500. In 2019 it also formed a cybersecurity division designed to enforce and investigate cases related to the department's cybersecurity regulations.
While NYDFS is content with the role insurers play when it comes to minimizing the damage incurred by cybercrime, it asserts that its role as an insurance regulator is to ensure the cyber insurance market grows at a stable rate. Cyber insurance has seen widespread proliferation, especially over the last couple of years. The NYDFS cites reports, including one from the Cyberspace Solarium Commission, that by 2025 it will be a $20 billion market, up from a $3.15 billion market in 2019.
In a letter outlining the framework, NYDFS Superintendent Linda Lacewell describes some of the risks that insurers are taking on, including systemic risk and silent risk. NYDFS describes systemic risk as something like what organizations impacted by the SolarWinds hack are currently going through, when scores of outfits are impacted by an incident simultaneously. Silent risk, or non-affirmative risk, refers to cyber-related losses from policies not designed specifically to cover cyber risk.
An example NYDFS gives that could epitomize both types of risk is 2017's NotPetya incident, which wrought havoc across several verticals and around the world that summer.
The framework is based on seven objectives that NYDFS is recommending cyber insurers follow:
1. Establish a Formal Cyber Insurance Risk Strategy
Insurers should have a clearly delineated strategy for measuring cyber insurance risk, both qualitatively and quantitatively; the strategy should include the rest of the following elements.
2. Manage and Eliminate Exposure to Silent Cyber Insurance Risk
Insurers should determine whether they're exposed to silent or non-affirmative cyber insurance risk. NYDFS recommends insurers make it clear that any policy could be subject to a cyber claim "whether that policy provides or excludes coverage for cyber-related losses."
3. Evaluate Systemic Risk
Insurers who provide cyber insurance should conduct periodic audits to evaluate risk. This means looking over third-party vendors who may also introduce risk; NotPetya and SolarWinds are good examples of this. There's always the chance something else entirely could rear its head. In the words of NYDFS, "a catastrophic cyber event could inflict tremendous losses on insurers that may jeopardize their financial solvency," and introduce a great deal of risk.
4. Rigorously Measure Insured Risk
Insurers should measure insured risk by determining a program's maturity and vulnerabilities. This begins, NYDFS claims, by assessing an organization's cybersecurity program on everything from governance and controls, to vulnerability management, access controls, encryption, incident response planning and third-party security policies. Insurers can compare and contrast this data with past data to identify gaps in security controls.
5. Educate Insureds and Insurance Producers
Insurers have a job to do when it comes to communicating with organizations about cybersecurity and how implementing measures can reduce the risk of incidents; organizations should feel incentivized by the benefits of these offerings. Communicating the limitations of cyber insurance should contribute to a "robust cyber insurance market" as well.
6. Obtain Cybersecurity Expertise
Insurers need employees on staff with the technical skill and background on cybersecurity in order to properly convey "cyber risk."
7. Require Notice to Law Enforcement
NYDFS is encouraging cyber insurers to include a requirement that victims notify law enforcement following an incident, as it can be valuable in a few ways - it can help recover data that's stolen, enhance a victim's reputation, prosecute attackers, and deter future cybercrime.