In what the New York Department of Financial Services (NYDFS) is touting as the first guidance by a U.S. regulator on cyber insurance, NYDFS announced on February 4, 2020, in Insurance Circular Letter No. 2 (2021) that it has issued a new Cyber Insurance Risk Framework (Framework) addressed to authorized property/casualty insurers that write cyber insurance. Nonetheless, NYDFS states “property/casualty insurers that do not write cyber insurance should still evaluate their exposure to ‘silent risk’ and take appropriate steps to reduce that exposure.”

The Framework consists of seven practices that “all authorized property/casualty insurers that write cyber insurance should employ,” while stating that “[E]ach insurer should take an approach that is proportionate to its risk.” The seven practices include:

  • Establish a Formal Cyber Insurance Risk Strategy
  • Manage and Eliminate Exposure to Silent Cyber Insurance Risk
  • Evaluate Systemic Risk
  • Rigorously Measure Insured Risk
  • Educate Insureds and Insurance Producers
  • Obtain Cybersecurity Expertise
  • Require Notice to Law Enforcement

The background of the issuance of the Framework follows the growth of the cyber insurance market, the increase in cyber risks and payouts, and that “it is clear that cybersecurity is now critically important to almost every aspect of modern life—from consumer protection to national security.” NYDFS recognizes that “as cyber risk has increased, so too has risk in underwriting cyber insurance.” Statistics cited in the Framework include the fact that based upon a survey it developed, from early 2018 to late 2019, “the number of insurance claims arising from ransomware increased by 180%, and the average cost of a ransomware claim rose by 150%. Moreover, the number of ransomware attacks reported to DFS almost doubled in 2020 from the previous year…[T]he global cost of ransomware was approximately $20 billion in 2020.”

NYDFS cautions that insurers “are not yet able to accurately measure cyber risk” and before offering that line of product to certain organizations, insurers should assess the risk of the insured.

NYDFS calls the growing cyber risk “an urgent challenge for insurers.” The NYDFS Letter can be accessed here: https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.