Will NYDFS’s Cyber Insurance Framework Set a Precedent for the Cyber Insurance Industry?
As ransomware attacks reach unprecedented numbers and the number of record exposures continues to skyrocket, an increasing number of organizations are at risk of attack—and the cyber insurance industry is taking note.
The FBI’s Internet Crime Report 2020, for example, cites almost 2,500 ransomware incidents reported to the Internet Crime Complaint Center in 2020, amounting to losses exceeding $29.1 million. Other numbers, depending on the source, are significantly higher. A report cited mid-year by NPR, noted as many as 65,000 ransomware attacks in 2020.
The rise in ransomware attacks even prompted the White House to urge U.S. businesses to implement security measures to better protect themselves from attacks. The White House suggested businesses consider adopting defensive security measures similar to those now required of federal agencies and other organizations that do business with the U.S. government.
We are seeing similar new and increasing mandates in other industries as well—e.g., from cyber insurance underwriters—affecting everything from new policies and renewals, to increasing premiums, and more difficulties for organizations to determine if a policy will pay out for a disruptive cyber event.
Increased pricing with restrictive terms and conditions are also among the many changes in the industry. Additional changes include new requirements for minimum security standards such as ensuring multifactor authentication (MFA) is enabled for a range of services such as remote connections and email, as well as more requirements for endpoint detection, Zero-Trust policies, and other technology and event-specific exclusions.
Today, many of these requirements differ from one cyber insurance provider to another but are related to a common theme—reducing risks for insurers.
Why is this important? Because as ransomware and other breaches continue to increase, so do the risks for insurers.
According to a 2020 survey from the New York’s Department of Financial Service (NYDFS), between early 2018 and late 2019, ransomware insurance claims increased by 180%, with the costs of those ransomware claims increasing by 150%. When increases like this happen, consumers feel the real cost of it, often in the form of higher premiums, more exclusions, and changing terms and limits—essentially further increasing the full scope of financial impact of ransomware attacks.
So as ransomware and related breaches continue to increase alongside insurance underwriter scrutiny and costs, how can the insurance industry as a whole better manage these risks? Can it streamline best practices across the nation, while continuously managing risks and adapting to the changing risk landscape?
Only time will tell, but the answer may very well be in a unified risk management framework, similar to what we’ve seen recently with the creation of NYDFS’s new Cyber Insurance Framework.
And, of note, like NYDFS on a statewide level, the Cybersecurity & Infrastructure Security Agency (CISA) nationally notes ways the cyber insurance market could help decrease the number of successful attacks and risks such as:
- Promoting adoption of preventative measures for additional coverage
- Encouraging implementation of best practicing by basing premiums on the insured organization’s level of self-protection
First, what is cyber insurance?
Before we look closer at the Cyber Insurance Framework, let’s cover some basics of cyber insurance to lay a foundation for our discussion.
Cyber insurance is designed to help organizations manage and mitigate losses associated with cyber events. Depending on coverage, these events may include everything from network damage to a data breach.
Cyber insurance coverage may also help organizations recover from and mitigate the lingering impacts of other events such as:
- Data loss or destruction
- Cyber extortion
- Legal claims
- Other legal, compliance, and regulatory obligations
Generally, traditional commercial insurance policies, such as general liability or property insurance, won’t cover cyber events, so many organizations opt to purchase cybersecurity insurance for additional stand-alone coverage.
Is there more than one kind of cyber insurance?
Yes, there is more than one type of cyber insurance.
The most common is cybersecurity insurance, which generally covers damage related to cyber event response. Those response costs often extend beyond the technical and personnel measures not only to stop and recover from an incident but also to recover additional expenses related to processes such as determining how a breach happened and making appropriate and mandated notifications to affected parties. In some cases, depending on the nature and severity of the breach, that could also include paying for costs associated with credit monitoring services for those affected up to a year.
Cybersecurity insurance may also be called cyber liability insurance as it’s associated with damage liabilities related to a cyber incident. Cyber liability insurance could cover a range of events—for example, liabilities related to employee theft or loss of a device or a hacking incident. It may also cover liabilities associated with a business disruption related to an event, expenses related to data recovery, crisis management fees, and other related costs.
Some organizations may also choose to purchase privacy liability coverage, especially those that handle sensitive and protected data such as personal health information (PHI) and personally identifiable information (PII). Privacy liability coverage may be a good choice for organizations concerned about the impact of a breach or other event and related costs that could incur from compliance failures and penalties, civil penalties, or other fines and legal or regulatory actions.
There is also an option for errors and omissions insurance, which is related to issues regarding products and professional services.
Why do I need cyber insurance?
There are a range of factors your organization may consider when determining if you need cyber insurance, which type of coverage is best for you, and what limits best suit your business model. However, regardless of organization size or industry, there are some common benefits related to investing in cyber insurance. For example, cyber insurance may:
- Help cover a range of expenses related to overall breach costs
- Help you manage a range of business and income losses caused by a disruption
- Help you determine the cause and scope of a breach
- Help you manage cyber extortion claims and related losses
- Help cover expenses related to investigations and legal obligations
- Provide peace of mind to executives, key stakeholders, investors, partners, and your customers that you have coverage that extends beyond general commercial liabilities
Is there a downside to cyber insurance?
While there is a gamut of benefits for cyber insurance, some organizations have difficulties weighing those pros against the cons. Here are a few examples of why an organization might choose to avoid investing in a cyber insurance policy:
- The policies are too complicated to understand
- Premiums are expensive and increasing, or they fear total premium costs may exceed potential event damages
- Too many coverage and term limits
- Too many exclusions
- Lack of confidence a plan will pay out for a cyber event
- Too many technical requirements
- Not enough clarification about what’s required and how to implement, leaving pitfalls when a claim payout is needed
- Unsure which type of policy is best
- Unsure what each policy type covers
- Unsure of necessary coverage amounts
- Inconsistent information about claims payments
- Would rather invest in defensive and preventative cybersecurity and privacy measures
What are some common cybersecurity insurance security mandates?
As we mentioned earlier, with the increased number of successful cyber breaches such as ransomware attacks, many cyber insurance underwriters now require their customers to implement a range of security controls.
These requirements may range from provider to provider, but here are some worth noting:
- Surveys outlining existing security controls such as network setup and security or backup processes
- Ongoing risk analysis and risk management
- Governance and procedure documentation
- Additional security controls such as MFA, air-gapping, device and data segregation, identity and access management, and smart endpoint detection
The NYDFS Precedent
Earlier, we mentioned New York’s Financial Services Cybersecurity Regulation. Overseen by the Department of Financial Services (DFS), it’s noted as “the nation’s first cybersecurity regulation for financial services.”
Also known as 23 CRR-NY 500.0 NY-CRR, the rule applies to all DFS-regulated organizations that do business in New York as part of the state banking law, insurance law, or financial services law, and it applies to (with some exemptions) banks and lenders, as well as mortgage companies, insurance companies, and other third-party service providers that work with regulated organizations.
The rule outlines a number of cybersecurity requirements for financial services, of which cyber insurance organizations play an important role. That’s why, in part, in February 2021, NYDFS issued an insurance circular letter to all authorized property and casualty insurance providers announcing the creation of its Cyber Insurance Risk Framework, which overviews best practices for managing cyber insurance risk.
What is the NYDFS Cyber Insurance Framework?
The NYDFS Cyber Insurance Framework is designed to help the cyber insurance market—which is estimated to reach more than $20 billion in the next four years— adopt best practices to manage cyber risk.
There are seven core areas outlined in the framework, and NYDFS encourages each insurer to adopt approaches proportionate to its risk. Here’s a quick overview of the best practice recommendations:
1. Cyber Insurance Risk Strategy
Each insurer should establish a formal cyber insurance risk strategy to measure cyber insurance risks. This strategy should be received and approved by executive leadership and key stakeholders, such as the board of directors or other governing bodies. Include both quantitative and qualitative risk goals, as well measurements of progress against those goals. The next six elements should be part of this strategy.
2. Exposure Elimination
Cyber insurance providers should determine exposures to silent or non-affirmative cyber insurance risk. That means risks insurers must cover as a result of loss from a cyber event where the policy doesn’t explicitly mention cyber. “Silent risk can be found in a variety of combined coverage policies and stand-alone non-cyber policies, including errors and omissions, burglary and theft, general liability and product liability insurance,” according to NYDFS. “Cyber risk likely has not been quantified or priced into these policies, which exposes insurers to unexpected losses.”
3. Systematic Risk Evaluation
Insurance providers should regularly evaluate systematic risks and plan for potential losses, including evaluation of risks created by third-party vendors such as cloud services and managed services providers (MSPs). It’s important to understand critical third parties used by insured clients and “model the effect of a catastrophic cyber event on such critical third parties that may cause simultaneous losses to many of their insureds.” This systematic risk evaluation should also include internal cybersecurity stress tests related to unlikely, but plausible, catastrophic cyber events (for both silent and affirmative risks). Additional best practices include tracking stress test scenario impact across various insurance policy types and losses stress tests identify in risk strategy.
4. Measure Risk
Have a data-driven comprehensive plan to assess cyber risk of each insured and potential insured client. This detailed information may be gathered in a number of ways such as interviews and surveys about vulnerability management, governance, controls, incident response, and other security policies. Don’t forget about those third parties, where it may be beneficial to conduct external cyber risk evaluations. After collecting data, compare this information to past claims to identify risks associated with specific security control gaps.
5. Education for Insured and Insurance Producers
Another best practice involves education about cybersecurity and cyber incident risk reduction, providing valuable information to the insured about the value of cybersecurity measures, as well as facilitation of those measures. It may be helpful to incentivize cybersecurity measure adoptions by offering policy pricing based on the effectiveness of the insured’s cybersecurity program. It’s also recommended insurers consider offering guidance, as well as discounts on cybersecurity services, along with cybersecurity assessments and recommendations for closing gaps. Related to insurance producers, insurers are encouraged to help educate them about potential cyber exposures, as well as types of scope of cyber insurance coverage and monetary limits for policies.
6. Cybersecurity Expertise
Cyber insurers should have appropriate expertise to understand and evaluate cyber risks. Best practice includes recruitment of employees with cybersecurity experience, along with a commitment toward additional training and development, with additional support from vendors or consultants as needed.
7. Notice to Law Enforcement
The final best practice includes a requirement that victims notify law enforcement, which is a component some cyber insurers already employ and is beneficial to both victim and insurer.
Employing a cyber-risk framework for your organization
Whether or not your organization has cyber insurance, is considering it, or hasn’t tackled it yet, as a cybersecurity, privacy, or risk management professional, you likely feel like you already have a lot to manage, so you may feel inclined to wait and see what happens for your specific industry or state. But, as we have seen with other regulatory and compliance changes over the years, when one comes into play, we are often rushed to get everything in place when it finally goes into effect.
Instead of taking a wait-and-see approach, you may find it helpful to go ahead and take a closer look at your cyber risks now. You’ll need a lot of this important information if you’re moving ahead with a new cyber insurance policy, planning a renewal, or just to make your own cybersecurity program stronger. And, you may also discover some of your existing controls, policies, and processes are directly related to cyber risk analysis and management.
If you’re not already, consider using a cybersecurity framework management tool like Apptega to help you take a deeper dive into your cyber risks, find gaps in your security controls, and meet your existing and future regulatory and compliance obligations. You can even crosswalk your existing controls and frameworks for a better picture of your overall cyber risks.
Need help or have questions about selecting or implementing a cybersecurity framework for your organization? Contact an Apptega advisor and we’ll be happy to help.