After consulting industry experts, the New York Department of Financial Services (DFS) has investigated ways to improve both the cyber insurance market and cybersecurity. The result is the Cyber Insurance Risk Framework released in Insurance Circular Letter No. 2 on February 4, 2021.
The Framework’s approach includes best practices for the insurance industry in analyzing risk but allows each insurer to calculate its own risk based on flexible factors, such as the size of the insurer, its geography, the industries it serves, and its resources.
Cyber insurance used to be necessary only for complex international conglomerates. Now it is estimated that the U.S. cyber insurance market will exceed $20 billion by 2025.
Part of this growth trend is due to the prevalence of ransomware attacks. According to the DFS, the number of attacks almost doubled in 2020 and the average cost of such claims rose 150%.
With this dramatic increase in costs and attacks, it is essential that the insurance industry becomes proactive in the fight.
Cyber insurance risk framework
The DFS’s Cyber Insurance Risk Framework consists of seven steps:
- Establish a formal cyber insurance risk strategy
- If an insurer offers cyber insurance, the insurer’s management should establish a formal strategy for evaluating cyber insurance risk. Management should set qualitative and quantitative limits on the maximum risk the insurer will accept and continuously monitor where its current exposure falls against those limits.
- The strategy should involve the six steps below.
- Manage and eliminate exposure to silent cyber insurance risk
- Best practice: Specify whether a cyber-loss would be covered under any type of policy where a cyber-claim could conceivably be brought.
- Silent cyber risk occurs when insurers end up covering losses caused by cyber incidents under policies that were not designed to cover cyber risk. All policies, whether property, casualty, general liability, burglary and theft, or otherwise, should be evaluated for cyber exposure so that unexpected cyber-related losses under these policies are limited.
- Over time, this effort should wind down as silent risk is eliminated from newly written policies, which should state expressly whether cyber losses are covered.
- For policies already in force, it may be worth the expense for insurers to purchase reinsurance to cover silent cyber risk.
- Evaluate systemic risk
- Best practice: Continued evaluation of systemic risk and planning for losses.
- Systemic risk arises from the increasing use of third-party vendors and service providers. It is essential that insurers understand their insureds’ reliance on third parties, because when a widely used provider is compromised, many insureds can suffer losses at the same time, exposing the insurer to a large volume of correlated claims, as in the SolarWinds Orion compromise.
- Conducting “internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events” allows insurers to analyze their potential risks and losses across industries. This information can be used to create a more complete picture for the cyber insurance risk strategy in step 1.
- Rigorously measure insured risk
- Insurers need to require detailed, data-driven information from each cyber insurance insured.
- Such information should also cover the third-party vendors and service providers on which the insured relies.
- Insurers can use the information gathered to assess weaknesses in the insured’s existing cybersecurity plan.
- Educate insurance producers and insureds
- Best practice: Insurers should ensure that insurance producers understand the cyber policies they sell, from the types and scope of coverage to the limits available.
- Routinely updating insurance producers on new risks and exposures will create stronger policies.
- Best practice: Provide education, discounts on cybersecurity planning, and recommendations to insureds.
- Insurers and insureds both benefit when insureds implement stronger cybersecurity programs. Insurers should charge higher cyber policy premiums to an insured with a weak cybersecurity program and lower premiums to those with advanced, effective programs.
- Obtain cybersecurity expertise
- It is essential that insurers understand the evolving nature of cybersecurity. This requires insurers to hire experienced cyber professionals and regularly train their existing staff.
- Require notice to law enforcement
- Best practice: Notify law enforcement following a cyber-incident.
- Policies should be drafted to require notifying law enforcement. Notification helps insurers, insureds, and the public compile information, recover what was taken, and catch culprits, limiting the number of future attacks.
Three things insurers need to keep in mind
- Silent Risks
- Systemic Risks
- Education and Training
Insurers need to be especially aware of silent risks. Regardless of the type of policy, insurers can suddenly find themselves incurring enormous losses caused by cyber incidents under non-cyber policies.
Systemic risk is another problem: a single cyber incident can cause losses to many insureds at once. Considering the ongoing crisis caused by the SolarWinds Orion compromise, insurers need to be aware of this potential and plan ahead for such damaging losses.
It is equally beneficial to insurers and their insureds if insurers provide enhanced cybersecurity education and compliance training. Insureds can potentially receive a reduced insurance rate if they complete the training and comply with its recommendations, and insurers will foot the bill for fewer preventable cyber incidents.
Our Privacy, Cybersecurity, and Data Management team will continue to monitor this Framework and other cyber insurance developments.