New York DFS Issues Cyber Insurance Risk Framework

Written by: Charles R. Langhorne IV, Esq.

Back in March the New York Department of Financial Services (“NY DFS”) issued Circular Letter No. 2 (2021) providing guidance to insurers offering cyber insurance in New York. The guidance provides a framework that could very well become required of insurers at a later date. The guidance urges (read: commands) insurers to assess the risk they are taking on, risk that purports to help insureds but that the NY DFS argues is actually hurting the insurance industry and even propelling cyber terrorism at large.

Silent Risk

Front and center in the guidance, NY DFS asks insurers to assess what it calls the “silent risk” associated with older, non-cyber policies that do not address whether cyber incidents are covered. The problem with these policies is two-fold: first, the policies were not underwritten to assess the risk associated with providing coverage for cyber claims; and second, the case law governing insurance coverage issues has shown huge deference toward the insured, almost requiring insurers to provide coverage when an incident is not explicitly disclaimed. This has caused many insurers to provide coverage for cyber claims when the policy is silent as to whether such events are covered. NY DFS advises insurers to reassess the language in these older policies and put a plan in place to reduce this “silent risk.”

Education

The guidance also states that insurers have an inherent duty to educate both insureds and insurance producers about the risks associated with cyber incidents. One example is providing pricing incentives based on the effectiveness of an insured’s cybersecurity measures.

Requiring Notice to Law Enforcement

A section I found interesting was the NY DFS asking insurers to require insureds to notify law enforcement when a cyber claim is submitted. Many victims of cyber incidents already do this via the FBI’s IC3 report, but there are times when it would not be advisable for liability reasons. This could put insureds in a predicament as to whether to report to law enforcement and risk liability exposure in order to receive coverage funds.

Conclusion

Overall, the gist of the guidance hits the mark, and it will be interesting to watch if other insurance regulatory agencies follow suit.
