The New York Department of Financial Services ("NYDFS") issued guidance on cyber insurance risk for property/casualty insurers writing cyber insurance. The NYDFS advised insurance companies to establish a formal cyber insurance risk strategy proportionate to the insurer's risk, taking account of the insurer's size, resources, geographic distribution and market share and the industries insured.

In its framework, the NYDFS outlined the following best practices:

  • minimize exposure to "silent" cyber insurance risk (i.e., loss from a cyber incident that an insurer must cover even though the policy does not explicitly mention cyber incidents);
  • evaluate systemic risk, as catastrophic cyber events (e.g., the SolarWinds Trojan horse) have grown due to reliance on third-party vendors;
  • "rigorously" assess the gaps in the cybersecurity of each potential insured;
  • educate insureds and insurance producers on the value of cybersecurity measures;
  • hire employees with cybersecurity experience; and
  • require that insureds notify law enforcement if they are victims of a cyber incident.

Primary Sources

  1. NYDFS Press Release: Superintendent Lacewell Announces DFS Issues Cybersecurity Insurance Risk Framework
  2. NYDFS Insurance Circular Letter No. 2 (2021): Cyber Insurance Risk Framework
