
New Cyber Insurance Risk Framework Provides Best Practices for the Insurance Industry

By Heather Howell Wright, Andrew Tuggle & Brian Biddle on March 8, 2021

The cyber insurance market size is currently valued in the billions, and this does not include insurance policies that do not explicitly mention cyber incidents but may nevertheless cover them. With this in mind, policyholders and insurance carriers should be aware of the recently released Cyber Insurance Framework (the “Framework”) issued by the New York Department of Financial Services (NYDFS). The first of its kind, the Framework lays out formal strategies for measuring and managing cyber risks.

Recent events have highlighted the cybersecurity risks insurance carriers face. The Framework cites the COVID-19 pandemic, the SolarWinds hack, and a rise in ransomware attacks as examples of increased cyber risk for all organizations.

The Framework’s Best Practices

The Framework lists seven best practices to employ to best protect economic interests:

  1. Establish a formal cyber insurance risk strategy – Notably, this practice requires approval by senior management and the board of directors (or another governing body if there is no board of directors).
  2. Manage and eliminate exposure to silent cyber insurance risk – This practice may include rewriting standard policies to explicitly state whether cyber incidents will be covered and purchasing reinsurance for contracts that include silent cyber insurance risks.
  3. Evaluate systemic risk – One noteworthy aspect of this practice is understanding which third-party vendors are used across multiple insureds and determining the potential effect that a catastrophic cyber incident at a third-party vendor could have on those insureds.
  4. Rigorously measure insured risk
  5. Educate policyholders and insurance producers – The NYDFS recommends incentivizing policyholder cyber hygiene through pricing policies, cybersecurity assessments, recommendations for improvement, and general cybersecurity guidance.
  6. Obtain cybersecurity expertise
  7. Require notice to law enforcement

Measuring Risks

The Framework emphasizes the importance of measuring risk, noting that current cyber exposure may be significantly underestimated relative to the premiums being charged. Systemic risk — such as vulnerabilities in software common across policyholders or attacks coordinated by state-sponsored groups — can lead to large, correlated losses (for example, the SolarWinds cyber incident). Additionally, silent cyber risks — losses from cyber incidents in policies that do not explicitly grant cyber coverage — create uncertainty and represent cyber risks that might not have been measured as such before now.

The Framework does not provide guidance on how to “rigorously measure” risks other than to have a data-driven plan that includes, but is not limited to, information on policyholder corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, incident response, third-party vendors, and open-source software components. (The NYDFS has previously emphasized the importance of third parties, identifying them as a consistent weak link in cybersecurity efforts, as has the Office of the Comptroller of the Currency.) As the cyber insurance market matures, we can expect to see more standardized assessments of cyber hygiene, such as the Cybersecurity Maturity Model Certification (CMMC) and the Basic Assessment currently being implemented by the Department of Defense for contractors in its supply chain.

Managing Risks

Other aspects of the Framework focus on managing risks by educating policyholders about cybersecurity and providing guidance about best practices. Cybersecurity education can strengthen security throughout the system, thereby lowering the overall cyber insurance risk that policyholders and their insurance carriers face. Additionally, the Framework recommends that insurance carriers themselves should stay educated by recruiting and training cybersecurity experts and committing to the development of sophisticated vendors.

The Framework also recommends that policies should require that victims notify law enforcement as a condition of coverage. Many businesses hesitate to call law enforcement, even when they are the victims of cybercrime, because of worries they will be blamed for the cyber incident, despite complying with cybersecurity best practices. In addition, some businesses have expressed concern that law enforcement may limit options for responding to attacks because of official stances against paying ransoms, for example.

Against these potential considerations, the NYDFS emphasizes that law enforcement agencies accumulate a pool of knowledge from assisting with many incident responses. On top of helping the current victim, what is learned in one incident response can be used to help the next potential victim or even to prevent attacks.

Takeaway

The NYDFS has been a leader in cybersecurity regulation, particularly since its cybersecurity regulation for financial services took effect in 2017 and its Cybersecurity Division was created in 2019. This is especially relevant because the Framework is the first guidance of this type released by a U.S. regulatory agency. As such, we expect the NYDFS will continue its dialogue with the insurance industry, leading to more comprehensive guidance. Contact Heather Wright, Andrew Tuggle, or Lissette Payne with any questions or to discuss the new framework’s impact on your business today.

Heather Howell Wright

Heather Wright helps financial institutions identify operational risks and determine business solutions to mitigate those risks. She provides regulatory and compliance advice and manages litigation for financial institutions regarding compliance with, and alleged violations of, security agreements and other contracts as well as lending and consumer finance statutes and regulations — particularly in matters involving property insurance and flood insurance.
Andrew Tuggle

Andrew Tuggle’s practice focuses on technology and intellectual property law. He helps clients protect their innovations and comply with laws about data and technology.

Andrew helps clients protect their innovations through patents, trademarks, and trade secrets. With a strong technical background, he advises clients on how to comply with laws about cybersecurity, data privacy, digital assets, and exports.
Brian Biddle

Brian has been designing and creating legal blogs with LexBlog for the past 16 years. If a legal blog has the LexBlog logo on it, chances are this design came from him. Brian has served as Lead Designer and Art Director for LexBlog, and is now serving as the Director of Customer Experience. He works directly with the product team to provide design and UX/UI guidance for the tools that power the world’s largest legal community. Brian also blogs about design, UX, life lessons, and Customer Experience on his site Biddle Brain. He’s been happily married for 21 years, is the proud father of four children, and loves running and coaching soccer.
  • Posted in: Financial
  • Blog: Financial Services Perspectives
  • Organization: Bradley Arant Boult Cummings LLP
