In her letter introducing the Cyber Insurance Risk Framework, DFS Superintendent Linda Lacewell states that the increase in frequency and cost of ransomware has not only shown that cybersecurity is of critical importance to modern life, but also that cyber insurance plays a vital role in the mitigation and reduction of risk from ransomware.
According to its 2020 survey, DFS found a 180% increase in the number of ransomware claims between 2018 and 2019, with an increase of 150% on average for the costs associated with those claims. The problem continued in 2020, when DFS received nearly double the number of reports of ransomware attacks compared with the year prior. Not only are these trends a concern for consumer protection and infrastructure security, but the escalating costs also pressure the cyber insurance industry to raise prices, tighten its underwriting standards, and issue sweepingly broad exclusions.
These cost pressures are not limited to cyber insurers alone. Cyber-related incidents also trigger losses for property and casualty insurers from policies that do not expressly grant or exclude coverage for cyber incidents. These costs are referred to as “non-affirmative” or “silent” risks, and they have spawned a fair amount of coverage litigation, particularly in the area of coverage for spear-phishing/social engineering attacks.
Accordingly, DFS is not only requiring authorized property/casualty insurers that write cyber insurance to follow the best practices outlined in the Framework; it is also recommending that other insurers evaluate their exposure to these “silent” risks and take appropriate steps to reduce that exposure.
While not part of the Framework itself, Superintendent Lacewell’s letter includes an additional recommendation that insurers not make ransom payments. DFS identifies two reasons for this recommendation. First, ransom payments perpetuate the economic incentives behind cybercrime, resulting in more attacks in the future.
Second, there is the potential for a ransom payment to violate the Office of Foreign Assets Control (OFAC) economic sanctions programs, which are enforced against certain countries, groups and individuals, such as terrorists and narcotics traffickers. If the payment is sent to an OFAC-designated location or individual, the insurer may be at risk of violating the OFAC sanctions, which are applied on a strict liability basis, and carry substantial civil penalties.
The Framework acknowledges that an insurer’s incurred risks can be a function of several factors, including its size, resources, geographic footprint and industry presence. In addition to those company-specific factors, DFS provided the following best practices for insurers:
- Establish a formal cyber insurance risk strategy. The strategy should have identifiable goals, qualitative and quantitative, and progress against these goals should be measured.
- Manage and eliminate exposure to silent cyber insurance risk. Cyber risk is usually not priced into non-cyber policies such as burglary and theft, errors and omissions, general liability, and product liability insurance. Policies that do not explicitly exclude cyber-related coverage create risks for the insurers.
- Evaluate systemic risk. This evaluation includes third-party service providers and stress tests based on unlikely but far-reaching cyber events.
- Rigorously measure insured risk. These measurements can be performed by third party specialists.
- Educate insureds and insurance producers. Insurers benefit themselves and the business community by educating policyholders on cybersecurity measures and incentives for implementing them.
- Obtain cybersecurity expertise. Insurers should recruit and hire people with the necessary expertise to comprehend and assess cyber risk.
- Require notice to law enforcement. Timely notification of law enforcement by victims has the potential to recover lost data and funds, protect the victims’ reputations and warn other potential victims of the threat.
Of course, none of these best practices should be construed as excusing policyholders from doing their part to mitigate the underlying risk to their own businesses. Detailed questionnaires, company-wide privacy and cybersecurity audits, and follow-up interviews with underwriters not only give an insured a better understanding of the scope of potential cyber threats to its own business, but they also give the insurer a stronger incentive to issue a policy (at a fair premium) because the insured has contributed to building the kind of strong risk profile envisioned by the Framework.
The Framework also does not preclude insurers from continuing to use more traditional methods of assessing and reducing risk. While broad and sweeping exclusions are never the preferred method of dealing with potential exposure issues, manuscripted exclusions tailored to specific risks (new cyber policies may very well include a SolarWinds or enterprise hack exclusion) may go a long way towards answering coverage questions before a dispute arises. Self-insured retentions on ransomware coverage can place responsibility for the decision to pay or not pay a ransom squarely with the insured (although the OFAC notice that appears in most insurance policies should definitely remain). And sub-limits for certain industry-based risks can ensure that one type of threat in one business sector does not overwhelm insurers. Overall, the Framework should be seen as an enhancement to the underwriting process, not a replacement for it.
While the patchwork of state laws and regulations continues in the absence of universal federal standards, revised corporate privacy policies to comply with the California Consumer Privacy Act (CCPA) and copy-cat legislation in other states are tacit acknowledgements of California’s economic clout. New York enjoys similar influence with the financial services industry, which may prompt other states to piggyback on the Framework’s provisions.