The New York State Department of Financial Services has released new guidance presenting some key practices for New York-regulated insurers that write cyber insurance.
Background
The 2020 Internet Crime Report issued by the FBI’s Internet Crime Complaint Center includes information from 791,790 complaints of suspected internet crime—an increase of a whopping 69.4% from 2019—and reported losses exceeding $4.2 billion. The top 3 cybercrimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams and extortion.
Between COVID-19 and the remote workplace, the number of cybercriminals has increased, and cyber risk now touches every aspect of modern life, from health care data to national security.
“Cybersecurity is the biggest risk for government and industry, bar none,” said DFS Superintendent Linda Lacewell in a press release issued by her office. “Cyber insurance is critical to managing and reducing the extraordinary risk we face from cyber intrusions.”
Ransomware attacks are increasing, with a 2020 survey by DFS finding that from 2018 to 2019, the number of insurance claims arising from ransomware increased by 180% and the average cost of a ransomware claim rose by 150%.
Cyber Insurance Risk Framework
DFS’ recent Cyber Insurance Risk Framework comes after the regulator has had an ongoing dialogue with the insurance industry and experts on cyber insurance, including through meetings with insurers, insurance producers, cyber experts and insurance regulators across the U.S. and Europe, according to DFS’ release.
This is the latest strategy by the DFS to build on its cybersecurity efforts for the insurance industry, following DFS’ cybersecurity regulation that started in March 2017 and was rolled out over two years, as well as the 2019 establishment of a new cybersecurity division at DFS to oversee all aspects of its cybersecurity regulation and policy.
Cyber insurance is a new market for most insurers; however, the DFS explains that the industry has grown rapidly. In 2019, the U.S. cyber insurance market was $3.15 billion, and it is estimated that by 2025, it will be more than $20 billion, according to DFS.
As part of the guidance, the New York State Department of Financial Services is calling on regulated insurers to establish a formal strategy, approved by the insurer’s board, for measuring cyber insurance risk based on the insurer’s size, resources and geographic distribution, among other factors.
In recognition of this reality, the DFS released the first guidance by a U.S. regulator on cyber insurance—a Cyber Insurance Risk Framework. A key premise of the Framework is to drive improved cybersecurity and cyber risk management, thereby reducing cyberattacks and ensuring that cyber insurance premiums do not spiral out of control.
Best practices of the Cyber Insurance Risk Framework
The Framework mentions 7 best practices to minimize cyber risk and decrease the risk to insurers that underwrite and issue cyber insurance policies:
- Establish a formal cyber insurance risk strategy.
- Manage and eliminate exposure to silent cyber insurance risk.
- Evaluate systemic risk: understand critical third parties such as cloud services and managed services providers.
- Rigorously measure insured risk with a data-driven, comprehensive plan for assessing the cyber risk of each insured.
- Educate insureds and insurance producers: insurers should offer educational information about the value of cybersecurity.
- Obtain cybersecurity expertise to understand and evaluate cyber risk.
- Require notice to law enforcement of cyber incidents: cyber insurance policies should include a requirement that victims notify law enforcement.
Understanding the coverages available and purchasing cyber coverage that is best for your business can help protect your company in the event of a cyberattack or data breach.