NYDFS – 4 Areas of Cyber Risk Framework To Focus On

On February 4th, the NYDFS (New York Department of Financial Services) released a letter to all insurance carriers reminding them of the increased concern around cyber risk, particularly silent cyber risk and effective pricing for cyber insurance policies.  The letter states that “[b]y driving improved cybersecurity and cyber risk management, cyber insurance can also benefit consumers who entrust their sensitive data to these organizations.”

The letter also detailed the newly created Cyber Insurance Risk Framework “based on [their] extensive consultation with industry, cybersecurity experts, and other stakeholders.”  The Framework sets forth a number of best practices for carriers to effectively manage the risk posed by their book.  Although the Framework is directed at property and casualty insurers that report to the DFS, all entities are encouraged to review and assess the guidance.

It is difficult to accurately measure cyber risk, but carriers can “play a critical role in mitigating and reducing the risks of cybercrime.”  The Framework recognizes that carriers are in a unique position to assist with education and risk reduction as it relates to cyber incidents.  Quite a few carriers already offer value-added services such as guidance, discounted cybersecurity services, and cybersecurity assessments to their Insureds.  These tools are valuable, particularly for those organizations with less robust cybersecurity knowledge.

The Framework identified 7 areas of focus, 4 of which are highlighted below:

1. Establish a Formal Cyber Insurance Risk Strategy

In relation to other lines of insurance, cyber insurance is still in its infancy.  Over the past five years, the purchase of cyber insurance has expanded, but the analysis conducted to underwrite these risks hasn’t been consistent, which has led to volatility in the market.

During the past year, claims skyrocketed, and carriers started to correct pricing to adequately address the exposure in their current books of business.  The Framework encourages a formal strategy for accepting and measuring the potential cyber risk presented by an Insured.

2. Address Potential Cyber Risk in Traditional Coverages

Silent cyber, or non-affirmative cyber coverage, presents a real risk for insurance carriers.  Traditional insurance policies often aren’t intended to cover cyber incidents, but the language in some of these policies has been interpreted to offer coverage when it’s unclear.  Carriers have been encouraged to take a holistic look at these traditional insurance policies to clarify whether they intend to provide coverage for cyber losses, so they can manage the potential aggregate exposure that sits on their balance sheet.  This doesn’t necessarily mean carriers are looking to exclude all cyber coverage in traditional policies; they are simply being encouraged to consciously make a decision as to whether they intend to offer cyber coverage on traditional policies.

3. Cybersecurity Education

Over the past six months, the cyber insurance market hardened, and carriers started to require certain security controls of organizations.  Carriers are no longer willing to accept mediocre protections if Insureds want competitive terms.

Insureds should expect questions around encryption, multifactor authentication, incident response planning, endpoint detection, and more.  Although some Insureds find these requirements daunting, many in the cybersecurity community feel these demands will help lift up all organizations’ security posture.

Many carriers already offer cybersecurity resources and solutions, whether it’s through discounted cybersecurity services or online portals with assessment tools and a variety of other resources.  Education on the complicated topic of cyber risk helps make Insureds a better risk.

It’s also important for Insureds to be knowledgeable about what is and isn’t covered within their cyber insurance policy.

4. Notice to Law Enforcement

Currently, notice to law enforcement after a cyber incident is encouraged although not required under many policies.  The Framework recommends making this a requirement, stating, “[l]aw enforcement often has valuable information that may not be available to private sources and can help victims of a cyber incident.”  Even if the culprit isn’t apprehended, law enforcement can utilize the details of the incident to help prevent or mitigate the next attack.  Additionally, notice to law enforcement goes a long way when an organization has to later answer to regulators, shareholders, and the public.

Although not a formal regulation, the Framework provides meaningful guidance for insurers to manage cyber risk.  The goal of the Framework is to grow a “robust cyber insurance market that maintains the financial stability of insurers and protects insureds.”  Mitigating cyber risk is top of mind for many organizations, particularly with the ever-changing threat landscape.