New York Department of Financial Services Issues New Cyber Insurance Risk Framework

Cyber Security & Data Privacy Client Alert February 9, 2021

On February 4, 2021, the New York Department of Financial Services (“DFS”) issued new guidance, entitled “Cyber Insurance Risk Framework,” enumerating best practices for New York regulated property and casualty insurers who write cyber insurance policies. The Framework is the first guidance by a U.S. regulator on cyber insurance.

The guidance recognizes the rise of data breaches and other cyber security incidents as working from home continues during the COVID-19 pandemic. As a result, the DFS notes that “Cyber insurance is critical to managing and reducing the extraordinary risk we face from cyber intrusions. After extensive dialogue with industry and experts, we are issuing guidance to foster the growth of a robust cyber insurance market that can effectively help protect us against the growing cyber threats we face.” Acknowledging that “[e]ach insurer’s cyber insurance risk will vary based [on] many factors,” and that “each insurer should take an approach that is proportionate to its risk,” the DFS Framework provides that all authorized property/casualty insurers that write cyber insurance should employ seven practices “to sustainably and effectively manage their cyber insurance risk.”

The guidance encourages New York insurers to incorporate certain best practices into their risk strategy, including:

  1. Establishing a formal cyber insurance risk strategy for measuring cyber insurance risk . . . which “include[s] clear qualitative and quantitative goals for risk, and progress against those goals should be reported to management and the board, or the governing body if there is no board, on a regular basis”;
  2. Managing and/or eliminating exposure to “silent” cyber insurance risk, which occurs when cyber exposures exist within a traditional property and liability policy that does not specifically include or exclude cyber risk;
  3. Evaluating systemic risk, including the impact of catastrophic cyber events on third-party service providers, and conducting internal cybersecurity stress tests based on unlikely but realistic results;
  4. Rigorously measuring insured risk by using a data-driven approach to assess potential gaps and comparing this information with analysis of past claims data to identify the risk associated with specific gaps in cybersecurity controls;
  5. Educating insureds and insurance producers about the value of cybersecurity measures through incentivizing the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program;
  6. Encouraging the recruitment of insurance employees with cyber security expertise such that they can properly understand and evaluate the cyber risk; and
  7. Requiring, in a policy, that an insured notify law enforcement after a cyberattack.

If you have any questions about the new Cyber Insurance Risk Framework guidance, please contact Michael P. O'Mullan at, Labinot Alexander Berlajolli at, Alfonse Muglia at, or any other attorney in Riker Danzig’s Cyber Security & Data Privacy practice.