On February 4, the New York Department of Financial Services (DFS) released the Cyber Insurance Risk Framework (Framework), which is considered the first guidance by a U.S. regulator on cyber insurance. The Framework is aimed at property and casualty insurers that provide cyber insurance, as well as other insurers that do not write specific cyber insurance policies but may be exposed to cyber-related incidents through nonexplicit clauses, known as “silent risk.”
In the insurance industry, a “silent risk” deals with an insurer’s exposure to cyber incidents within policies that were not intended to cover such cyber incidents. For example, a silent risk would arise from a property insurance policy that provides coverage for losses associated with a fire but does not explicitly exclude cyber-related damage. In one occurrence, a fire caused by a cyberattack that prevented a steel mill from shutting down its furnace may have exposed a carrier to a silent risk, even though the property policy may not have been intended to insure for a cyber incident.
DFS reminds providers that every organization will have different needs, and it recommends seven practices to “sustainably and effectively manage  cyber insurance risk.”
1. Establish a Formal Insurance Risk Strategy. DFS recommends that insurers develop a strategy for “measuring cyber insurance risk [which] include[s] clear qualitative and quantitative goals for risk, and progress against those goals should be reported to [the organization’s leaders].” This means that providers will likely need to acquire additional information from organizations they serve to measure such risks, such as by requesting categories of data covered under specific policies to better determine the sensitive nature of the information covered under each policy.
2. Manage and Eliminate Exposure to Silent Cyber Risk. The primary way for insurers to manage and eliminate silent risk is “by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage” for cyber incidents. This means that insurers should revisit their policies to identify whether their terms explicitly exclude cyber risk.
3. Evaluate Systemic Risk. Insurers should account for the potential effect of a “catastrophic cyber event on  critical third parties that may cause simultaneous losses to many of their insureds.” The recent SolarWinds hack, for example, compromised numerous organizations in the private and public sphere; an insurance company covering many of the third parties involved within that single massive hack could quickly learn that a single cyber event “may jeopardize [insurers] financial solvency.”
4. Rigorously Measure Insured Risk. DFS recommends insurers develop a “comprehensive plan for assessing the cyber risk of each insured and potential insured.” This means that insurers will need to assess an organization’s cybersecurity programs to identify the level of risk associated with that specific organization. For instance, insurers may need to dig deeper than an organization’s technical systems to correctly calculate risk, such as by interviewing an insured’s staff to get a sense of the insured’s cyberculture or following along on an insured’s tabletop cyber exercise.
5. Educate Insureds and Insurance Procedures. Insurers should strive to offer “comprehensive information about the value of cybersecurity measures and facilitate the adoption of those measures.” For instance, DFS shares that certain leading insurers currently offer “guidance, discounted access to cybersecurity services, and even cybersecurity assessments and recommendations for improvement.” Offering such services through the eRisk Hub or concierge-like services has been a trend for many years and should continue and grow. While tying reductions in premiums for those insureds that use such services has proven problematic, we have discussed previously how the underwriting process can help to solve the absence of any true standard on reasonable cybersecurity controls to the benefit of the market generally.
6. Obtain Cybersecurity Expertise. As we have discussed before, insurers need to hire individuals with cybersecurity (and technical) experience, and they need to offer them training and development to ensure they keep up with future cyber-related challenges. Attending events, like those hosted by NetDiligence or Information Security Media Group (ISMG), and relying on informed and experienced experts continues to be critical.
7. Require Notice to Law Enforcement. Finally, DFS recommends that insurers should require their clients to notify law enforcement because it may be beneficial to recover certain lost assets or to enhance the insured’s reputation “when its response to a cyber incident is evaluated by its shareholders, regulators, and the public.” Engaging certain attorneys general or other regulators beyond the statutory requirements should also be considered.
To stay up to date on additional privacy and cybersecurity-related developments, check out Troutman Pepper’s Consumer Financial Services Law Monitor.