New York State Regulator Discourages Ransomware Payments and Publishes New Cyber Insurance Risk Framework

Earlier this month, the New York State Department of Financial Services (NYDFS) published Insurance Circular Letter No. 2, which analyzes the risks of cyber insurance from an insurer’s perspective, discourages making ransomware payments, and announces a new Cyber Insurance Risk Framework. NYDFS has been a trailblazer in the cybersecurity space: in 2017, it issued the nation’s first cybersecurity regulation for financial services, and in 2019, it created its first Cybersecurity Division. Both insurers and insureds should heed NYDFS’s advice to mitigate the risks associated with increased cyberattacks occurring across the globe.

NYDFS published its new framework amidst, and in response to, a stark increase in ransomware insurance claims. Ransomware is a type of malware that threatens to publish the victim’s data or to perpetually block access to that data unless the victim pays a ransom. The Cybersecurity and Infrastructure Security Agency (CISA) reports that such a ransom can exceed $1,000,000. According to NYDFS, from 2018 to 2019, ransomware claims increased by 180% and the average cost rose by 150%, and the number of ransomware attacks reported to NYDFS almost doubled in 2020 compared with 2019.

NYDFS explains that ransom payments “fuel the vicious cycle of ransomware” and emphasizes the growing risk to cyber insurers and insureds alike. By making ransom payments, they risk (1) liability for violating regulations issued by the Office of Foreign Assets Control if the payment goes to a sanctioned entity, (2) having no guarantee that their data access will be restored (or, even if it is restored, that the data will not be published), and (3) enabling future ransomware attacks against the organization or other organizations. NYDFS notes that the data of many victims was leaked even after they paid the ransom.

As an overarching goal, NYDFS emphasizes the urgent need for cyber insurers to have a comprehensive risk strategy that is endorsed by the insurer’s senior management. Although NYDFS’s new framework is directed at cyber insurers to help them create effective risk strategies, insureds are also advised to consider NYDFS’s guidance, summarized below, to minimize their own cybersecurity risks.

Guidance for Both Insurers and Insureds

  • Cyber insurance is not a substitute for cybersecurity. If insurers or insureds fail to assess the risk of a company’s cybersecurity program, they could end up assuming huge risk with costly ramifications. To minimize this risk, NYDFS explains that insurers should assess their insureds’ cybersecurity programs through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning, and third-party security policies. Insurers should then compare this information with their analyses of past claims data to identify the risk associated with specific gaps in cybersecurity controls.

Guidance for Insurers

  • Insurers should account for systemic risk, in addition to a company’s specific risk. NYDFS reminds insurers that, when assessing the risk of a potential insured, they should consider the insured’s industry as a whole. Because certain types of software are in widespread use, many cybersecurity breaches occur across a swath of companies at the same time. If an insurer has many clients in one industry, and that industry is hit by a cyberattack, the insurer could face multiple claims simultaneously, resulting in massive losses.
  • Insurers should assess risk exposure for cybersecurity claims in regular property and casualty policies. NYDFS notes that in 2020, 65% of underwriters expressed concern about potential cyber coverage exposure in property and casualty policies that do not explicitly cover cyber risks. This “silent risk” can arise in various types of insurance policies, including errors and omissions, burglary and theft, and general and product liability. According to NYDFS, an insurer should (1) align its and the insured’s expectations with respect to what risks the policy covers, and (2) price cyber risks into these policies or explicitly cover or exclude cybersecurity incidents, to avoid an unanticipated onslaught of claims.
  • Insurers should provide cybersecurity education to insureds and producers. NYDFS notes that educating insureds about cybersecurity lowers the risk of a cybersecurity incident. Insurers can also incentivize better cyber practices by offering lower rates to companies that exercise good cyber hygiene. Ensuring that producers understand the cyber policies also helps ensure that insureds will understand them.
  • Insurers should employ cybersecurity experts. An insurer cannot effectively create a risk strategy without the assistance of cybersecurity experts who understand the nuances of the market.
  • Insurers should require notice to law enforcement when cybersecurity incidents occur. By requiring insureds to notify law enforcement when cybersecurity incidents occur, insurers can help investigations and potentially recover funds and/or data. NYDFS also notes that the involvement of law enforcement increases the credibility of an investigation.

Guidance for Insureds

  • Insureds should understand the cost of a cybersecurity incident. As is the case for insurers, insureds need to understand the massive risk that a single cyberattack can pose and whether they have procured the appropriate cyber insurance to cover a potential claim. Indeed, it is the insured—not the insurer—that bears the cost of a cyberattack where insurance is lacking for cybersecurity-related claims. Given the data suggesting that these types of attacks are increasing rapidly, the NYDFS guidance reminds insureds to take the initiative to learn about their cybersecurity risks and related insurance coverages.
  • Insureds should understand the specific coverage their cyber insurance policy provides. Without express coverage of a certain type of cybersecurity incident, or without knowledge of a policy’s requirements for notifying the insurer upon the occurrence of a specific cybersecurity incident, such an incident is more likely to fall outside the policy’s coverage. Likewise, a lack of understanding of a policy’s coverage and exclusions creates more unpredictability for insureds.
  • Insureds should consider their specific company risks and general industry risks. When assessing a specific cyber insurance policy, insureds should consider the risks not only to their company but to their industry as a whole. The insured might want to work with an insurer that has expertise in its specific industry. Likewise, if an insured has risks specific to its company, it might want to work with a particular insurer to cover those risks.
  • Insureds should seek cybersecurity education and consult a risk management expert and trusted outside advisors. To minimize the risk of a cybersecurity incident, insureds should seek educational opportunities about cybersecurity and cyber insurance. This education can yield practical improvements to the insured’s cybersecurity safeguards. The NYDFS guidance also suggests that insureds consult their risk management team and trusted outside advisors to ensure that suitable internal controls are in place to prevent cyberattacks where possible and that appropriate cyber insurance coverage has been procured to mitigate risk if such an attack occurs. These steps alone can significantly reduce the risk of cyberattacks and the associated costs that can result.

As cybersecurity incidents continue to increase, we expect the law and insurance guidance to continue evolving to help both insurers and insureds navigate future incidents. If you need assistance with your cyber insurance policies or any potential insurance claims associated with cybersecurity or ransomware, or if you have more general questions regarding data privacy and/or cybersecurity laws, please contact one of the authors.
