The New York State Department of Financial Services recently issued guidance for New York-regulated property and casualty insurers to effectively manage the cyber insurance risk present in their insurance portfolio. The DFS’ guidance signals an effort to reduce overall volatility in the cyber insurance market, which has been compounded by the recent proliferation of cyberattacks and by insurers’ widely varying approaches to measuring each policyholder’s cyber risk profile.
Although the DFS’ Cyber Insurance Risk Framework applies primarily to New York-regulated property and casualty insurers that write cyber insurance, the framework cautions that insurers that do not write cyber insurance should still evaluate their potential exposure to “silent risk” in their non-cyber insurance policies. Further, because the DFS has taken the lead in recent years among insurance regulators on cybersecurity issues, the framework provides valuable guidance to insurers that operate in states other than New York.
The framework’s guidance is divided into seven broad categories.
- Measuring aggregate cyber risk. The framework advises that insurers establish a formal cyber insurance risk strategy for measuring this risk. This strategy should include clear qualitative and quantitative targets for cyber insurance risk, and it should be directed and approved by the insurer’s senior management and board.
- Manage potential cyber risk in “traditional coverages”. The framework cautions that insurers should manage and eliminate exposure to silent cyber insurance risk. Although traditional insurance policies may not be intended to cover cyber risk and may never even explicitly mention cyber, the wording of a policy may still be interpreted to cover loss from a cyber incident. The framework advises insurers to eliminate or mitigate this silent risk by revisiting the language of traditional policy forms as well as potentially purchasing adequate reinsurance coverage to hedge against this silent risk.
- Measure systemic cyber risk. The framework recommends that insurers regularly evaluate systemic risk and plan for potential losses. Systemic risk is present in interconnected systems, in which an intrusion in one part of the system can create a domino effect that threatens all connected systems. The framework explains that insurers’ greater reliance on third-party institutions and vendors in recent years has increased systemic risk. These entities are prime targets for cyberattacks, and diversifying the institutions and vendors used will help mitigate the consequential impact of an attack on any single one. Further, the framework advises that insurers should regularly conduct internal cybersecurity stress tests to measure the fallout from potential catastrophic cyber events.
- Data-driven cyber underwriting. The framework counsels that insurers should have a “data-driven, comprehensive plan” that evaluates the cyber risk of each policyholder and potential policyholder. Such a plan should include details that enable the insurer to evaluate gaps in the policyholder’s cybersecurity measures, which can lead to better-informed pricing and improve knowledge about ways to enhance cybersecurity.
- Incentivize strong cybersecurity. The framework recommends that insurers educate their policyholders and insurance producer partners about the value of strong cybersecurity measures and incentivize the adoption of these measures by pricing policies based on their effectiveness. Insurers are uniquely positioned to help incentivize strong cybersecurity practices by leveraging the cost of the protection afforded under their policies.
- Utilize cybersecurity experts to understand risk. Insurers should hire cybersecurity experts and, as necessary, supplement these employees with additional consultants or vendors. The goal is to improve insurers’ ability to forecast cyber exposures so they are acting proactively and not reactively.
- Law enforcement notification. The framework advises that cyber insurance policies include a requirement that victims of a cyber incident notify law enforcement. Often, cyberattacks against multiple victims have a common origin, and notifying law enforcement can help to ensure that all possible victims are informed before extensive damage is done.
The DFS framework sends a clear message that increasing stability in an often-volatile cyber insurance market requires a collective effort among all parties. Promoting more informed underwriting, better cybersecurity practices and diversification of third-party institutions and vendors can help mitigate the frequency and impact of cyber events. Indeed, uninformed assessments of policyholders’ cyber risk profiles or mispricing of cyber insurance coverages can potentially lead to more claims, reduction in the market’s capacity, insurer insolvency and a greater appetite to deny covered claims.
Accordingly, policyholders and insurers alike should carefully examine their coverages in light of the DFS’ directive and, in particular, assess the potential for provisions that cloud the intended coverage or create ambiguities affording silent cyber coverage. Counsel can assist with evaluating these issues and exploring creative solutions to mitigate the impact of cyber events. As cyberattacks are no longer an issue of if but when, mitigating cyber exposure should be top-of-mind for all stakeholders, large and small.
Contributors: Paul Moura, David Navetta, Alexander Traum