New York State Regulator Discourages Ransomware Payments and Publishes New Cyber Insurance Risk Framework

Earlier this month, the New York State Department of Financial Services (NYDFS) published Insurance Circular Letter No. 2, which analyzes the risks of cyber insurance from an insurer’s perspective, discourages making ransomware payments, and announces a new Cyber Insurance Risk Framework. NYDFS has been a trailblazer in the cybersecurity space: in 2017, it issued the nation’s first cybersecurity regulation for financial services, and in 2019, it created its first Cybersecurity Division. Both insurers and insureds should heed NYDFS’s advice to mitigate the risks associated with increased cyberattacks occurring across the globe.

NYDFS published its new framework amidst, and in response to, a stark increase in ransomware insurance claims. Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to that data unless the victim pays a ransom. The Cybersecurity & Infrastructure Security Agency reports that such a ransom can exceed $1,000,000. According to NYDFS, from 2018 to 2019, ransomware claims increased by 180% and the average cost rose by 150%, with the number of ransomware attacks reported to NYDFS almost doubling in 2020 from 2019.

NYDFS explains that ransom payments “fuel the vicious cycle of ransomware” and emphasizes the growing risk to cyber insurers and insureds alike, who, by making ransom payments, risk (1) liability for violating regulations issued by the Office of Foreign Assets Control by making ransom payments to sanctioned entities, (2) having no guarantee that their data access will be restored (or, even if restored, that the data will not be made public), and (3) enabling future ransomware attacks against the organization or other organizations. NYDFS notes that data of many victims were leaked even after they paid the ransom.

As an overarching goal, NYDFS emphasizes the urgent need for cyber insurers to have a comprehensive risk strategy that's endorsed by the insurer’s senior management. Although NYDFS’s new framework is directed at cyber insurers to help create effective risk strategies, insureds are also advised to consider NYDFS’s guidance, summarized below, to minimize their own cybersecurity risks.

Guidance for Both Insurers and Insureds

  • Cyber insurance is not a substitute for cybersecurity. If insurers or insureds fail to assess the risk of a company’s cybersecurity program, then they could end up assuming huge risk with costly ramifications. To minimize this risk, NYDFS explains that insurers should assess their insured’s cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning, and third-party security policies. Insurers should then compare this information with their analyses of past claims data to identify the risk associated with specific gaps in cybersecurity controls.

Guidance for Insurers

  • Insurers should account for systemic risk, in addition to a company’s specific risk. NYDFS reminds insurers that, when assessing the risk of a potential insured, insurers should consider the insured’s industry as a whole. Due to the widespread use of certain types of software, many cybersecurity breaches occur across a swath of companies at the same time. If an insurer has many clients in one industry, and that industry is hit by a cyberattack, the insurer could face multiple claims simultaneously, resulting in massive losses. 
  • Insurers should assess risk exposure for cybersecurity claims in regular property and casualty policies. NYDFS notes that in 2020, 65% of underwriters expressed concern about potential cyber coverage exposure in property and casualty policies that do not explicitly cover cyber risks. This “silent risk” can arise in various types of insurance policy, including errors and omissions, burglary and theft, and general and product liability. According to NYDFS, an insurer should (1) align its and the insured’s expectations with respect to what risks the policy covers, and (2) price cyber risks into these policies or explicitly cover or exclude cybersecurity incidents, to avoid an unanticipated onslaught of claims.
  • Insurers should provide cybersecurity education to insureds and producers. NYDFS notes that educating insureds about cybersecurity lowers the risk of a cybersecurity incident. Insurers can also incentivize better cyber practices by offering lower rates to companies that exercise good cyber hygiene. Ensuring that producers understand the cyber policies also helps ensure that the insureds will understand them.
  • Insurers should employ cybersecurity experts. An insurer cannot effectively create a risk strategy without the assistance of cybersecurity experts who understand the nuances of the market.
  • Insurers should require notice to law enforcement when cybersecurity incidents occur. By requiring insureds to give notice to law enforcement when cybersecurity incidents occur, insurers can help investigations and potentially recover funds and/or data. NYDFS also notes that the involvement of law enforcement increases the credibility of an investigation.

Guidance for Insureds

  • Insureds should understand the cost of a cybersecurity incident. As is the case for insurers, insureds need to understand the massive risk that a single cyberattack can pose and whether they have procured the appropriate cyber insurance to cover a potential claim. Indeed, it is the insured—not the insurer—that bears the cost of a cyberattack where insurance is lacking for cybersecurity-related claims. Given the data suggesting that these types of attacks are increasing rapidly, the NYDFS guidance reminds insureds to take the initiative to learn about their cybersecurity risks and related insurance coverages.
  • Insureds should understand the specific coverage their cyber insurance policy provides. Without express coverage of a certain type of cybersecurity incident, or without knowledge of a policy’s requirements for notifying the insurer upon the occurrence of a specific cybersecurity incident, such an incident is more likely to fall outside the policy's coverage. Likewise, a lack of understanding of a policy’s coverage and exclusions can create more unpredictability for insureds.
  • Insureds should consider their specific company risks and general industry risks. When assessing a specific cyber insurance policy, insureds should consider the risks not only to their company but to their industry as a whole. The insured might want to work with an insurer who has expertise in a specific industry. Likewise, if an insured has risks specific to its company, it might want to work with a particular insurer to cover those risks.
  • Insureds should seek cybersecurity education and consult a risk management expert and trusted outside advisors. To minimize the risk of a cybersecurity incident, insureds should seek educational opportunities about cybersecurity and cyber insurance. This education can yield practical improvements to the insured’s cybersecurity safeguards. The NYDFS guidance also suggests that insureds should consult their risk management team and trusted outside advisors to ensure that suitable internal controls are in place to prevent cyberattacks where possible and that appropriate cyber insurance coverage has been procured to mitigate risk if such an attack occurs. These steps alone can significantly reduce the risk of cyberattacks and the associated costs that can result.

As cybersecurity incidents continue to increase, we expect the law and insurance guidance to continue evolving to help both insurers and insureds navigate future incidents. If you need assistance with your cyber insurance policies or any potential insurance claims associated with cybersecurity or ransomware, or if you have more general questions regarding data privacy and/or cybersecurity laws, please contact one of the authors.