New York State has taken a bold step in meeting the challenge laid down by last year’s Solarium Commission Report, which called for insurance to fulfil its potential to drive better cyber risk management throughout the economy. Setting out a six-point plan for managing cyber insurance risk, Superintendent Linda A. Lacewell of the New York Department of Financial Services (NYDFS) said that the aim was to “foster the growth of a robust cyber insurance market that can effectively help protect us against the growing cyber threats we face”.
Action by regulators to encourage good practice in cyber insurance has so far been focused mainly in London, where the Bank of England and Lloyd’s have issued a series of advisory notices backed up by mandatory stress tests. New York’s move is significant, therefore, in signaling a more proactive stance by one of the most influential regulators on the other side of the pond.
The “Cyber Insurance Risk Framework” announced by the NYDFS aims to embed cyber underwriting into broader risk strategy. It identifies six priorities for developing best practice:
- Manage and eliminate exposure to “silent” cyber insurance risk, which results from an insurer’s obligation to cover loss from a cyber incident under a policy that does not explicitly mention cyber incidents;
- Evaluate systemic risk, including the impact of catastrophic cyber events on third-party service providers, such as the recently discovered SolarWinds supply chain attack;
- Rigorously measure insured risk by using a data-driven approach to assess potential gaps and vulnerabilities in insureds’ cybersecurity;
- Educate insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations to cyber insurance;
- Obtain cybersecurity expertise through strategic recruiting and hiring practices; and
- Require notice to law enforcement in the event of a cyber attack.
Many insurers have already made significant investment in responding to these challenges. The real challenge laid down by the NYDFS, therefore, is to move every part of the insurance value chain on to a higher standard of cyber risk management.
At CyberCube, we work with clients and stakeholders - including regulators - to enable the growth of a robust cyber insurance market. Our Portfolio Manager, Account Manager and Broking Manager tools are optimised to address many of the requirements of the framework.
We are proud to partner with Lloyd’s and Guy Carpenter to develop cyber scenarios aimed at promoting the understanding of, and resilience to, major cyber losses. We also convene regular dialogues with regulators. These have shown that, while cyber risk is a strategic priority for many supervisors, the complexity and scope of the risk mean that no regulator can fully address the challenges in isolation. With this framework, the NYDFS has sought to strike a balance between raising standards and preserving enough flexibility to promote the growth of the market. That is a model which we expect other regulators will follow.