New York DFS’s Cyber Insurance Risk Framework Explained
TL;DR: The cyber insurance risk framework is an important set of guidelines. This article discusses how you can adopt it to protect your clients.
With the world still recovering from the COVID-19 pandemic, an even bigger portion of our lives is online. While the internet has been a blessing in terms of connectivity, it has a dark side… cybercrime.
According to Statista, 72% of all Americans worry about being a victim of cyber attacks. So, it’s become apparent that private and government institutions need cyber insurance to combat growing risks.
In response, New York State has issued a cyber insurance risk framework to all authorized P&C insurers in the hopes of helping them stem the tide of cybercrime. The framework was launched by the state’s Department of Financial Services (DFS) and is the first of its kind. In a statement, the DFS says it recognizes that “cyber insurance plays a key role in managing and reducing cyber risk.”
Cyber insurance policies commonly cover data theft, identity theft, fraud with forged business emails, and attacks using ransomware trojans.
Elements of The Cyber Insurance Risk Framework
Some of the things the framework was designed to promote include:
- Sustainable growth of the cyber insurance market
- Appropriate pricing for cyber-risk coverage
- The closing of price gaps and maintaining a semi-structured pricing trend
- Claims lodged under cyber insurance policies
- Better cyber risk management
The framework was based on industry consultation, i.e., on advice from cybersecurity experts and other stakeholders.
What’s in The Cyber Insurance Risk Framework
Establish a formal cyber insurance risk strategy
All insurance companies should follow a standard protocol to measure cyber insurance risks. To accomplish this, the criteria should:
- Have approval from senior management
- Have clear qualitative and quantitative goals for risk and progress
- Complete all seven parts of the cyber insurance risk framework
Manage and eliminate exposure to silent cyber insurance risk
According to Insurance Business America, “silent cyber” refers to “potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk.” The framework urges insurance companies to determine if their clients are susceptible to this risk. Many P&C insurers don’t explicitly offer cyber insurance but the framework suggests they reevaluate their stance on this coverage.
Evaluate systemic risk
Many big organizations, both private and public, use third-party vendors for their digital needs. These third-party vendors are prone to cyber threats. For instance, as per CSO Online, the SolarWinds Orion software update was compromised by Russian hackers to access government and other systems.
A catastrophic cyber event like this can compromise an insured’s safety. So how can this be avoided? The framework suggests designing a regulatory body to work for constant improvement.
Rigorously measure insured risk
Although cybersecurity risks are pretty common, their impact on individuals can vary. The framework suggests that insurers that offer this coverage must have a concrete plan to assess each insured’s cyber risks.
The insurers should collect data from the following sources:
- The institution’s cybersecurity program
- Corporate governance and controls
- Vulnerability management
- Access controls
- Endpoint monitoring
- Boundary defenses
- Incident response planning
- Third-party security policies
The suggested protocol is to compare this data with past claims to provide better coverage.
Educate insureds and insurance providers
This is especially important for an insurance agent. They have an essential role to play when it comes to educating both the insurers and insured parties. They are responsible for ensuring that needs, benefits, and limitations are understood by both parties.
Insurers should aim to offer more comprehensive cyber insurance. They should also work on awareness campaigns that provide relevant information regarding cybersecurity. And clients should be given discounts and encouragement to buy cyber insurance.
Obtain cybersecurity expertise
Insurance companies that offer cyber insurance should recruit professionals who are experts in the field of cybersecurity. It’s a commonsense suggestion that will help companies upgrade their policies.
Require notice to law enforcement
For most insurance claims, insureds should be required to notify law enforcement if they need to file a claim.
The Department of the Treasury has issued an advisory sanction for facilitating potential ransomware reports. The framework suggests that a filed cybercrime complaint should hasten the processing of related claims. The lodged complaints are also important for potential prosecutions.
Despite the cyber insurance risk framework being issued only by the DFS of New York, significant underwriters are already following it. The framework is logical and makes sense to major carriers.
The New York DFS has taken the first step to outsmart malicious hackers. Indeed, it’s about time that the rest of the nation follows.
We have partnered with all the major national insurance carriers. Work with us to stay ahead of trends.