February 26, 2021

New York issues cyber insurance framework as ransomware, SolarWinds costs mount

On February 4, 2021, New York became the first state in the nation to issue a cybersecurity insurance risk framework to all authorized property and casualty insurers. In releasing the framework, New York’s Department of Financial Services (DFS) said that “[f]rom the rise of ransomware to the recently revealed SolarWinds-based cyber-espionage campaign, it is clear that cybersecurity is now critically important to almost every aspect of modern life—from consumer protection to national security.”

The framework applies to all property or casualty insurers that write cybersecurity insurance. However, the DFS wants all insurers, even those that don’t offer cybersecurity insurance, to “still evaluate their exposure to ‘silent risk’ and take appropriate steps to reduce that exposure.”

DFS advises against paying ransom demands

Noting that ransomware insurance claims jumped by 180% from 2018 to 2019 and doubled again from 2019 to 2020, DFS advised insurers not to make ransomware payments, for three reasons:

  1. The US Treasury Department’s Office of Foreign Assets Control (OFAC) warns of the national security implications of paying a ransom, and cautions that insurers can be liable for ransoms paid to sanctioned entities.
  2. Even if insurers do pay a ransom, payment does not guarantee that the victims will get their encrypted files or stolen data back.
  3. Many insurers are not yet able to accurately measure cybersecurity risk. Without that gauge, “cyber insurance can therefore have the perverse effect of increasing cyber risk—risk that will be borne by the insurer.”

As an illustration of silent risk, the damaging NotPetya malware unleashed by the Russian government in 2017 led to $3 billion in insurance claims, of which insurers paid $2.7 billion under policies that were silent about cybersecurity risks, DFS states.

The framework itself is short and spells out a series of practices to help insurance companies manage their cyber insurance risk. These practices fall under seven categories:

  1. Establish a formal cyber insurance risk strategy
  2. Manage and eliminate exposure to silent cyber insurance risk
  3. Evaluate systemic risk
  4. Rigorously measure insured risk
  5. Educate insureds and insurance producers
  6. Obtain cybersecurity expertise
  7. Require notice to law enforcement

Significant underwriters already following DFS recommendations

Major carrier-underwriters such as AIG and Zurich have mostly been following these recommendations already, says Meredith Schnur, managing director, US cyber brokerage leader at Marsh USA. “This DFS guidance absolutely makes a ton of sense, but the underwriters have already been implementing [similar] practices and procedures to try to get in front of the challenge of ransomware,” she says.

Copyright © 2021 IDG Communications, Inc.