NY DFS Framework for Cyber Insurance – Helpful Guide for Mitigating Risks

Incorporating cyber insurance into risk mitigation is an important, yet often difficult, element of a cybersecurity program. The New York Department of Financial Services (NY DFS) last week issued a helpful framework for insurers that also offers some good pointers for larger companies looking to add cyber insurance or review their existing coverage[1]. In this overview, we focus on the extent to which some of NY DFS's six “key practices” also apply to companies looking to assess their cyber-risk.
  1. Evaluate Systemic Risk
    • NY DFS cautioned insurers that incidents of the SolarWinds or NotPetya type, which can affect a large sector or many companies at once, create systemic risks that can lead to simultaneous losses. This risk grows every year because more companies and governments rely on the same third-party IT vendors, which are often small in number and large in scale.
    • Likewise, companies should factor systemic risks into their risk assessments and ensure they are not ignoring risks of great magnitude—such as nation-state attacks—because they seem unlikely or impossible to mitigate. Such attacks are certainly not unlikely, and mitigating them is more often a matter of implementing solid, simple security.
  2. Rigorously Measure Insured Risk
    • NY DFS recommends that insurers drive their risk understanding with “a data-driven, comprehensive plan” that “starts with gathering information regarding the institution’s cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning and third-party security policies.”
    • Companies should take the same approach, both because it makes sense and because insurers will increasingly require companies to provide this kind of information to receive coverage, including by drawing on third-party sources such as external cyber-risk experts and by comparing past claims data to anticipate gaps in cybersecurity controls.
  3. Educate Insureds and Insurance Producers
    • NY DFS called on insurers to educate their customers about cybersecurity and reducing risks and to provide incentives (pricing policies) for the adoption of better cybersecurity measures.
    • Companies are well served by training and educating their employees and their vendors—a well-prepared workforce can be a powerful defense against many social engineering attacks.
  4. Obtain Cybersecurity Expertise
    • NY DFS recommends that insurers offering cyber-coverage have the appropriate expertise to understand and evaluate cyber-risk.
    • Companies should likewise look to integrate cyber-expertise—either internally or through external advisors—with a particular focus on helping their boards and key managers, in particular general counsels and CFOs.
  5. Require Notice to Law Enforcement
    • NY DFS recommends that insurers require victims to notify law enforcement in their policies, which many already do or are considering doing.
    • Victim companies are often reluctant to deal with law enforcement, and not all situations are equal, so the decision should be assessed each time by legal counsel. For the most part, however, many cyber-incidents can appropriately be reported to law enforcement. This is particularly so for ransomware events or incidents involving a potential nation-state threat actor.
  6. Exposure to Silent Cyber-Insurance Risk
    • Silent risks are losses from a cyber-incident that might be covered under a policy even though the policy does not explicitly address cyber-incidents. NY DFS recommends that insurers close this gap, which can lead to unanticipated losses.
    • As more insurers shut down this type of coverage, companies need to make sure they are compensating, either by acquiring explicit coverage elsewhere if the risk is one that should be mitigated by insurance, or by taking other compensating actions.
Ice Miller has extensive experience assisting clients with incident responses and investigations. Our team includes Guillermo Christensen, a former CIA intelligence officer and partner in the Data Security and Privacy and government and internal investigations practice based in DC and New York, and Safet Metjahic, a partner in the Intellectual Property and Data Security and Privacy practices based in New York with more than three decades of patent experience. 

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02#_ednref20