On February 4, the New York Department of Financial Services (NYDFS) released Insurance Circular Letter No. 2 (2021), a Cyber Insurance Risk Framework (Framework) for insurers that write cyber insurance.
The Framework identifies best practices that property/casualty insurers “should employ” to manage cyber insurance risk and raises a number of issues relevant to multiple stakeholders including policyholders who rely on insurance as part of their cyber risk management strategy.
At its core, the Framework is designed to address systemic risk to cyber insurers. But while NYDFS states that the Framework is directed to cyber insurers, insurers that do not write cyber policies should also assess and apply the Framework as relevant to the “silent risk” they carry from non-cyber policies that may provide coverage for cybersecurity-related losses.
To provide context for the new Framework, NYDFS identifies the need to address systemic risk in light of several key factors:
the rapid expansion of cyber insurance in the marketplace, which in the United States is expected to grow from $3.15 billion in 2019 to more than $20 billion in 2025;
challenges in pricing cyber risk coverage appropriately; and
evolving cyber threats, including an increase in business email compromises and ransomware events and the possibility of more significant events more broadly impacting the supply chain and associated companies.
NYDFS further expresses concern that, if insurers are unable to adequately assess cyber risk, insureds could use cyber insurance in lieu of developing appropriate cybersecurity practices, which could increase cyber risks and negatively impact insurers’ business.
Notably, as to ransomware, NYDFS added its voice to the government entities advising against making ransom payments.
The Framework contains seven elements regarding insurer best practices for managing cyber insurance risk:
Establish a Formal Cyber Insurance Risk Strategy;
Manage and Eliminate Exposure to Silent Cyber Insurance Risk;
Evaluate Systemic Risk;
Rigorously Measure Insured Risk;
Educate Insureds and Insurance Producers;
Obtain Cybersecurity Expertise; and
Require Notice to Law Enforcement.
Each of these elements is important, but we call particular attention to elements 3, 4, and 7.
Regarding #3, NYDFS notes that evaluating systemic risk is an urgent issue in today’s marketplace, where businesses increasingly rely on a handful of providers for authentication, cloud services, and other important functions. The Framework document references the recent SolarWinds attack as an example of a vendor supply chain issue having a widespread impact. It also expresses concern about the possibility of an incident at a major cloud provider. While cyber insurers are unlikely to view the Framework as requiring that businesses adopt specific technologies to mitigate systemic risk, it will likely result in cyber insurers increasing their oversight and potentially focusing on new issues such as vendor diversification, to limit the outsized impacts that might result from an incident at a larger vendor.
Regarding #4, the call to rigorously measure insured risk may result in more robust technical evaluations when businesses seek to acquire or renew cyber insurance policies. Given the importance of cyber insurance coverage to sophisticated businesses as part of overall risk management, the Framework and its corresponding effect on the underwriting processes of cyber insurers may, effectively, force organizations to orient their cyber assessment and risk management programs to the expectations of cyber insurers to a greater degree than exists today.
Regarding #7, the call to require via cyber insurance policies that insureds notify law enforcement of incidents may similarly shift practices. Today, a decision to inform and potentially engage with law enforcement in the aftermath of a cyber incident is informed by multiple considerations, and many cyber incidents do not result in law enforcement interactions. Were cyber insurance coverage conditioned on such disclosure, however, it is reasonable to expect that businesses will become more inclined to disclose incidents to law enforcement, increasing the visibility of such incidents to both law enforcement agencies and regulators.
The Framework is likely to have a significant influence on the development of cyber insurance coverage and enterprise risk management going forward. Other recent actions by NYDFS include the first enforcement action, announced last year, under its groundbreaking 2017 cybersecurity regulation. We expect NYDFS to continue to take a leadership role in cybersecurity regulation and policy.