Bates Research | 02-18-21
Seeking Growth and a Sound Market, NYDFS Unveils New Cyber Insurance Risk Framework; FINRA and NASAA Heighten Cyber Focus
In alerts, guidance and notices over the past year, federal enforcement agencies and financial regulators have been warning of increased cyber risks to public and private databases, financial institution infrastructure and retail investors. The government warnings highlight both general red flags and specific examples of malign actors who have successfully penetrated technology systems to steal or abuse protected information. The most recent high profile attack, the SolarWinds mega-hack, affected over 18,000 public and private sector companies and might have compromised thousands of organizations, including ten departments of the United States government and global corporations including Microsoft, Cisco, Intel and Belkin.
The pandemic has accelerated opportunities for a variety of less sensational, though equally costly and damaging cyber-attacks and cyber fraud. As financial institutions (with the encouragement of financial regulators) embrace new fintech solutions while shifting more permanently to remote online work, the pressure to ramp up cybersecurity efforts continues to grow.
On February 4, 2021, New York’s influential Department of Financial Services (“NYDFS”) addressed the growing market for cyber insurance, a special category of insurance meant to cover businesses and individuals from information technology and other risk. In an Insurance Circular Letter, the NYDFS noted that the market for cyber insurance is estimated to be over $20 billion in 2025 (up from $3.15 billion in 2019), numbers NYDFS believes are actually understated. Here, we take a closer look at the NYDFS’ Cyber Insurance Risk Framework and note recent communications on cybersecurity federal and state regulators.
Measuring the Risk
NYDFS states that its goal is to “facilitate the continued growth of a sustainable and sound cyber insurance market” to improve cybersecurity, generally, and effectively price risk. Given the rising level of cyber risk, particularly from ransomware attacks—DFS cited loss estimates of $20 billion in 2020—cyber insurance premiums are likely to rise. (See Bates’ posts on the increasing threat of ransomware here and here).
According to NYDFS, the current cyber insurance market is in need of a consistent framework to encourage insurers to “develop a rigorous and data driven approach to cyber risk,” and which, as a result, would create incentives for firms to improve their own policies and practices. The framework includes (i) constantly improving methodologies for effective measurement, (ii) properly accounting for “systemic risk” that results from an incident that may cause claims by multiple insureds simultaneously, and (iii) anticipating losses from “non-affirmative” or “silent’ risk, as to exposures in property casualty policies that do not explicitly cover cyber risk.
The NYDFS Framework
The NYDFS framework is a compendium of best practices and applies to property/casualty insurers that write cyber insurance. NYDFS expects the insurer’s risk to be proportionate to its “size, resources, geographic distribution, market share and industries insured.” Primarily, the recommendation is for cyber insurers to develop a “formal risk strategy” that would include six components:
- First, cyber insurers should manage or eliminate exposure to “silent cyber risk;” this requires a thorough review of all policies to determine exposure and then choosing to explicitly provide or exclude coverage under them. Until that is done, NYDFS says that insurers should purchase reinsurance to cover potential loss.
- Second, cyber insurers should review for systemic risk (for example, as to third party vendors who provide cloud services) prepare (through stress testing) for potential losses in the event of a cyber event that “may cause simultaneous losses to many of insureds.”
- Third, cyber insurers should have or develop assessment tools to accurately measure the risk to be covered. This includes collating detailed information that can be used to assess “potential gaps and vulnerabilities in the insured’s cybersecurity.” The information should then be analyzed against past claims data to identify gaps.
- Fourth, cyber insurers should price policies based on “the effectiveness of each insured’s cybersecurity program.” NYDFS said the intention with this component is to create an incentive for insureds to improve their programs, and for insurers to educate both their insureds and their insurance producers.
- Fifth, cyber insurers should develop or hire experts who can properly evaluate cyber risk and should implement training and development programs to maintain a high level of expertise.
- Sixth, cyber insurers should require in their policies that any claimant/victim notify law enforcement of a cyber incident. Among other goals, NYDFS wants to develop a system whereby insureds provide information to law enforcement for prosecution and cybercrime deterrence.
Regulatory CyberSecurity Reminders
As noted in Bates’ recent post on FINRA’s 2021 examination priorities, cybersecurity, particularly as it relates to the protection of customer records and information, remains a high priority. In its report, FINRA reminded members that their cybersecurity program must address new and existing risk of cyber-enabled fraud and crime. In prior exams, FINRA observed firm data breaches, systemwide outages, email takeovers, wire fraud, imposter websites and ransomware. FINRA also found encryption failures concerning confidential non-public data, branch office cybersecurity failures, control failures concerning employee access and vendor access, and, in general, failures to provide adequate training on cybersecurity. FINRA made it clear that it will review cybersecurity programs to ensure they are reasonably designed and tailored to the firm’s risk profile, business model and scale of operations.
Recently, NASAA weighed in on the SolarWinds cybersecurity incident, reminding firms to “report any known issues or concerns” to their primary securities regulator. NASAA said its intent was to raise awareness among state registrants and to provide information and resources to help those affected to recover quickly and protect their clients and colleagues. In addition, NASAA published an advisory for investors highlighting basic methods to protect online accounts.
Major cyber incidents, particularly ones involving state actors or those affecting hundreds of organizations, often push cybersecurity to front and center on the agendas of government and financial firms. The NYDFS framework for cyber insurance reminds us that there are many tools—some still relatively early in development—to use in the broader effort to confront cyber risk. Bates will continue to keep you apprised.
Meet Our Cyber Experts
For additional information and assistance, please follow the links below to Bates Group's Practice Area pages:
To speak with a member of our team, please contact:
Greg Faucher, Managing Consultant, Insurance & Actuarial Services