N.Y. regulator releases cyber insurance framework
The guidelines outline best practices for P&C insurers to strengthen risk strategies and protect against a growing threat.
In a first-of-its-kind move by a U.S. regulator, the New York State Department of Financial Services (DFS) has issued a cyber insurance risk framework, which outlines best practices for the state’s regulated property and casualty insurers.
Calling cybersecurity the biggest risk for government and private institutions, DFS Superintendent Linda A. Lacewell said in a release: “Cyber insurance is critical to managing and reducing the extraordinary risk we face from cyber intrusions. After extensive dialogue with industry and experts, we are issuing guidance to foster the growth of a robust cyber insurance market that can effectively help protect us against the growing cyber threats we face.”
DFS encourages New York insurers to incorporate the following best practices into their risk strategy, which should be proportionate to each insurer’s size, resources, geographic distribution and other factors:
- Manage and eliminate exposure to “silent” cyber insurance risk, which results from an insurer’s obligation to cover loss from a cyber incident under a policy that does not explicitly mention cyber incidents;
- Evaluate systemic risk, including the impact on third-party service providers of catastrophic cyber events like the recently discovered SolarWinds supply chain attack;
- Rigorously measure insured risk by using a data-driven approach to assess potential gaps and vulnerabilities in insureds’ cybersecurity;
- Educate insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations to cyber insurance;
- Obtain cybersecurity expertise through strategic recruiting and hiring practices; and
- Require notice to law enforcement in the event of a cyberattack.
The framework was developed through conversations with the industry and experts on cyber insurance. This working group included insurance producers, insurers, cyber experts, and insurance regulators from the U.S. and Europe, DFS reported.
This move builds on DFS’s longstanding work in the cyber sector. In 2017, the department put into effect the nation’s first cybersecurity regulations. Two years later, DFS established a Cybersecurity Division, a first among U.S. services regulators.