New York issues risk management guidelines for cyber-liability insurers

NEW YORK (Thomson Reuters Regulatory Intelligence) -

(Photo caption: A hacker tries to access and alter data from an electronic poll book in a Voting Machine Hacking Village during the Def Con hacker convention in Las Vegas, Nevada.)

Responding to escalating cyber insurance claims, the New York State Department of Financial Services (NYDFS) has published guidance for property and casualty insurers who write such insurance on how to manage the risk. The guidance, written after consultation with the insurance industry and cyber insurance experts, recommends that each insurer take a risk management approach that is proportionate to its risk and considers the insurer’s size, resources, geographic distribution, market share and industries insured.

The guidance recommends that property and casualty insurance firms that write cyber insurance -- which covers business liability for a computer-system or data breach -- establish a formal strategy for measuring cyber risk. The strategy should be directed and approved by the insurer's senior management and governing body. It said insurers that do not write cyber insurance should still evaluate and take steps to reduce their exposure to “silent risk.”

A formal strategy should:

--Incorporate the best practices discussed below.

--Include clear qualitative and quantitative goals to reduce risk.

--Require that progress against those goals be regularly reported to its senior management and governing body.

It said firms should adopt the following best practices:


Insurers face increasing levels of “silent risk” (also called non-affirmative cyber insurance risk), which is the risk that “an insurer must cover loss from a cyber incident under a policy that does not explicitly mention cyber,” and therefore “has not been quantified or priced into these policies.” The NYDFS recommends that insurers review their policies to confirm whether the policies provide or exclude coverage for cyber-related losses. This will allow insurers to clarify any ambiguities in first-party and third-party coverage when they write new policies or renew existing ones. A thorough review would also entail an analysis of newer forms of risk, including cyber-induced physical sabotage, such as the recent cyber-induced alteration of chemical levels used in a Florida water treatment plant. The NYDFS also recommends that insurers mitigate their risk, such as by purchasing reinsurance. However, the framework does not specifically address how reinsurers should cope with their cedants’ silent risks.


The NYDFS recommends that insurers regularly evaluate systemic risk and plan for potential losses. In the context of insurance, systemic risk is the risk that a single incident can trigger simultaneous and catastrophic losses at many insureds and threaten the stability of the entire insurance industry or even the economy. According to the NYDFS, systemic risk has grown in part because policyholders “increasingly rely on third party vendors and those vendors are highly concentrated in key areas like cloud services and managed services providers.” The NYDFS recommends that insurers model and stress test the effect of potential catastrophic cyber events (such as self-propagating malware like NotPetya and the SolarWinds trojan) on insurance losses across various types of policies and policyholders.


The NYDFS recommends that insurers implement a data-driven, comprehensive plan to assess the cyber risk of each insured and potential insured to allow insurers to rigorously assess potential gaps and vulnerabilities. The assessment should entail detailed information gathering (surveys and interviews, as well as external evaluations) about each insured’s and potential insured’s cybersecurity program. Information should be gathered about “corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning and third-party security policies.” Insurers should compare gathered data with past claims data to further identify risks “associated with specific gaps in cybersecurity controls.”


Citing examples of leading insurers who have implemented robust education and incentive programs, the NYDFS recommends that insurers educate their insureds with comprehensive information about cybersecurity and risk reduction and offer price incentives for insureds to adopt more effective cybersecurity measures. The NYDFS also recommends that insurers educate insurance producers to “have a better understanding of potential cyber exposures, types and scope of cyber coverage offered, and monetary limits in cyber insurance policies.”


The NYDFS recommends that insurers increase their focus on the recruitment of employees with cybersecurity experience and skills to help insurers properly understand and evaluate cyber risk. Insurers should continue to engage their employees with appropriate cyber-related training and professional development.


Citing examples of insurers who already do this, the NYDFS recommends that cyber insurance policies require that victimized insureds notify law enforcement of cyber incidents (in addition to notifying the insurer under the policy’s notice provisions). According to the NYDFS, law enforcement:

--Often has valuable information that even insurers may not have.

--Can help insureds recover lost data and funds.

--Can “enhance a victim’s reputation when its response to a cyber incident is evaluated by its shareholders, regulators and the public.”

--Can use information obtained from insureds to “prosecute the attackers, warn others of existing cybersecurity threats, and deter future cybercrime.”

(Jason Hsieh is a contributing writer for Regulatory Intelligence)


This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Feb. 24. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters