
New York’s DFS publishes a Cyber Insurance Risk Framework

New York’s Division of Financial Services (DFS) now requires Property and Casualty Insurers writing cyber insurance to comply with the Division’s Cyber Insurance Risk Framework to manage their risk.

By Erik Dullea, Eric Levy

March 11, 2021

In her letter introducing the Cyber Insurance Risk Framework, DFS Superintendent Linda Lacewell states that the increase in frequency and cost of ransomware has not only shown that cybersecurity is of critical importance to modern life, but also that cyber insurance plays a vital role in the mitigation and reduction of risk from ransomware.

According to its 2020 survey, DFS found a 180% increase in the number of ransomware claims between 2018 and 2019, with an increase of 150% on average for the costs associated with those claims. The problem continued in 2020, when DFS received nearly double the number of reports of ransomware attacks from the year prior. Not only are these trends a concern for consumer protection and infrastructure security, but the escalating costs also pressure the cyber insurance industry to raise prices, tighten its underwriting standards, and issue sweepingly broad exclusions.

These cost pressures are not limited to cyber insurers alone. Cyber-related incidents also trigger losses for property and casualty insurers from policies that do not expressly grant or exclude coverage for cyber incidents. These costs are referred to as “non-affirmative” or “silent” risks, and they have spawned a fair amount of coverage litigation, particularly in the area of coverage for spear-phishing/social engineering attacks.

Accordingly, DFS is not only requiring authorized property/casualty insurers who write cyber insurance to follow the best practices outlined in the Framework; it is also recommending that other insurers evaluate their exposure to these “silent” risks and take appropriate steps to reduce that exposure.

While not part of the Framework itself, Superintendent Lacewell’s letter includes an additional recommendation that insurers not make ransom payments. DFS identifies two reasons for this recommendation. First, ransom payments perpetuate the economic incentives behind cybercrime, resulting in more attacks in the future.

Second, there is the potential for a ransom payment to violate the Office of Foreign Assets Control (OFAC) economic sanctions programs, which are enforced against certain countries, groups and individuals, such as terrorists and narcotics traffickers. If the payment is sent to an OFAC-designated location or individual, the insurer may be at risk of violating the OFAC sanctions, which are applied on a strict liability basis, and carry substantial civil penalties.

The Framework acknowledges that an insurer’s incurred risks can be a function of several factors, including its size, resources, geographic footprint and industry presence. In addition to those company-specific factors, DFS provided the following best practices for insurers:

  1. Establish a formal cyber insurance risk strategy. The strategy should have identifiable goals, qualitative and quantitative, and progress against these goals should be measured.
  2. Manage and eliminate exposure to silent cyber insurance risk. Cyber risk is usually not priced into non-cyber policies such as burglary and theft, errors and omissions, general liability, and product liability insurance. Policies that do not explicitly exclude cyber-related coverage create risks for the insurers.
  3. Evaluate systemic risk. This evaluation includes third-party service providers and stress tests based on unlikely but far-reaching cyber events.
  4. Rigorously measure insured risk. These measurements can be performed by third party specialists.
  5. Educate insureds and insurance producers. Insurers benefit themselves and the business community by educating policy holders on cybersecurity measures and incentives for implementing them.
  6. Obtain cybersecurity expertise. Insurers should recruit and hire people with the necessary expertise to comprehend and assess cyber risk.
  7. Require notice to law enforcement. Timely notification of law enforcement by victims has the potential to recover lost data and funds, protect the victims’ reputations and warn other potential victims of the threat.

Of course, none of these best practices should be construed as excusing policyholders from doing their part to mitigate the underlying risk to their own businesses. Detailed questionnaires, company-wide privacy and cybersecurity audits, and follow-up interviews with underwriters not only give an insured a better understanding of the scope of potential cyber threats to its own business, but they also give the insurer a stronger incentive to issue a policy (at a fair premium) because the insured has contributed to building the kind of strong risk profile envisioned by the Framework.

The Framework also does not preclude insurers from continuing to use more traditional methods of assessing and reducing risk. While broad and sweeping exclusions are never the preferred method of dealing with potential exposure issues, manuscripted exclusions tailored to specific risks (new cyber policies may very well include a SolarWinds or enterprise hack exclusion) may go a long way towards answering coverage questions before a dispute arises. Self-insured retentions on ransomware coverage can place responsibility for the decision to pay or not pay a ransom squarely with the insured (although the OFAC notice that appears in most insurance policies should definitely remain). And sub-limits for certain industry-based risks can ensure that one type of threat in one business sector does not overwhelm insurers. Overall, the Framework should be seen as an enhancement to the underwriting process, not a replacement of it.

While the patchwork of state laws and regulations continues in the absence of universal federal standards, revised corporate privacy policies to comply with the California Consumer Privacy Act (CCPA) and copy-cat legislation in other states are tacit acknowledgements of California’s economic clout. New York enjoys similar influence with the financial services industry, which may prompt other states to piggyback on the Framework’s provisions.

KEYWORDS: cyber insurance cyber security privacy legislation risk management


Erik Dullea is a partner in Husch Blackwell LLP’s Denver office and belongs to the firm’s Technology, Manufacturing & Transportation industry group.

Eric Levy is senior counsel in Husch Blackwell LLP’s Dallas office and belongs to the firm’s Financial Services & Capital Markets industry group.
