Privacy Plus+

Privacy, Technology and Perspective

NYS-DFS Issues a New Cyber Insurance Risk Framework.  The New York State Department of Financial Services (NYS-DFS) has created a “Cyber Insurance Risk Framework” for insurance companies that underwrite cyber risk – including insurance companies that may be underwriting cyber risk without realizing it. 

In an Insurance Circular Letter issued earlier this month, the NYS-DFS has announced a “Cyber Insurance Risk Framework” which should be followed by property and casualty insurers who offer cyber-insurance (whether they realize they offer it or not).  You can read the Circular by clicking on the following link:

Here are some major takeaways from the Circular:

“Systemic” Risk is Growing.  “Systemic” risk is the risk to a carrier of losses resulting from a single cyber incident that affects many insureds.  The recent Solar Winds/Orion incident – affecting a large and still-undetermined number of organizations – is a good example.

“Silent” Risk is Growing.  “Silent” risk is the risk to a carrier that its non-cyber policies (e.g. E&O, general liability, burglary/theft, product liability, or other policies) will be found to cover cyber incidents, even though the policy(ies) doesn’t expressly provide coverage, and therefore is “silent” about cyber coverage.

If left unaddressed, systemic or silent risks could ruin insurance carriers.  To “underwrite” means to assess predictable risks and losses, and then to set prices which spread that risk across all policyholders – and make allowance for a reasonable number and range of surprises. “Systemic” risks amount to “mass casualty” events by another name. “Silent” risks are risks which the insurer hasn’t seen coming, or at least hasn’t provided for in its calculations.  As cyber risks have increased, so have the related systemic and silent risks posed to insurance carriers.

NYS-DFS recommends that insurance carriers address these risks specifically.  The Circular does not set forth a cybersecurity-assessment “Framework” like NIST, ISO 27000 family, or HITRUST, but advises that carriers should, among other things:

  • –       Manage and Eliminate Exposure to Silent Risk, by making clear whether their policies do or don’t cover cyber incidents and buying reinsurance, where appropriate; 

  • –       Evaluate Systemic Risk, such as catastrophic cyber incidents;

  • –       Measure Cyber Risk, by evaluating the quality of their insureds’ cybersecurity programs; and

  • –       Require Notice to Law Enforcement in event of cyber incidents, especially in event of lost data or misdirected wire transfers.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.