Cyber Insurance Risk Framework
As cybercrime becomes more common and costly, cyber risk continues to increase for all organizations. Cyber insurance – a relatively new area of insurance for most insurers – plays a key role in managing and reducing cyber risk, and insurers therefore play a critical part in mitigating the risks of cybercrime.
To foster the growth of a robust cyber insurance market that maintains the financial stability of insurers and protects insureds, the NY State Department of Financial Services (DFS) created a Cyber Insurance Risk Framework (included below) that outlines best practices for managing cyber insurance risk (the Framework).
The Framework is based on the DFS’ extensive consultation with industry, cybersecurity experts, and other stakeholders. The Framework applies to all authorized property/casualty insurers that write cyber insurance. However, property/casualty insurers that do not write cyber insurance should still evaluate their exposure to “silent risk” and take appropriate steps to reduce that exposure.
Each insurer’s cyber insurance risk will vary based on many factors, including the insurer’s size, resources, geographic distribution, market share, and industries insured. Insurers should therefore take an approach that is proportionate to their risk.
All authorized property/casualty insurers that write cyber insurance can employ the practices identified below to sustainably and effectively manage their cyber insurance risk.
1. Establish a Formal Cyber Insurance Risk Strategy
Insurers that offer cyber insurance should have a formal strategy for measuring cyber insurance risk that is directed and approved by senior management and the board of directors, or the governing body if there is no board. The strategy should include clear qualitative and quantitative goals for risk, and progress against those goals should be reported to senior management and the board, or the governing body if there is no board, on a regular basis. The strategy should incorporate the six key practices identified below.
2. Manage and Eliminate Exposure to Silent Cyber Insurance Risk
Insurers that offer cyber insurance should determine whether they are exposed to silent or non-affirmative cyber insurance risk, which is risk that an insurer must cover loss from a cyber incident under a policy that does not explicitly mention cyber. Even property/casualty insurers that do not explicitly offer cyber insurance should evaluate their exposure to silent risk and take appropriate steps to reduce their exposure. Silent risk can be found in a variety of combined coverage policies and stand-alone non-cyber policies, including errors and omissions, burglary and theft, general liability and product liability insurance. Cyber risk likely has not been quantified or priced into these policies, which exposes insurers to unexpected losses.
Ultimately, insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses. Elimination of this risk will take some time, given the many existing policies that can contain silent cyber risk. Insurers should therefore also take steps to mitigate existing silent risk, such as by purchasing reinsurance.
3. Evaluate Systemic Risk
As part of their cyber insurance risk strategy, insurers that offer cyber insurance should regularly evaluate systemic risk and plan for potential losses. Systemic risk has grown in part because institutions increasingly rely on third-party vendors, and those vendors are highly concentrated in key areas such as cloud services and managed service providers. Insurers should understand the critical third parties used by their insureds and model the effect of a catastrophic cyber event on such critical third parties, since one event may cause simultaneous losses to many of their insureds. Examples of such events include self-propagating malware, such as NotPetya, a supply chain attack, such as the SolarWinds trojan, that infects many institutions at the same time, or a cyber event that disables a major cloud services provider. A catastrophic cyber event could inflict tremendous losses on insurers that may jeopardize their financial solvency.
Insurers also should conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events. Accurate stress testing requires accounting for both silent and affirmative risk. Moreover, because exposure to catastrophic cyber events varies across business industries and by type and size of the insured, insurers should track the impact of stress test scenarios across the different kinds of insurance policies they offer as well as across the different industries of their insureds. The cyber insurance risk strategy should account for possible losses identified in stress tests.
4. Rigorously Measure Insured Risk
Insurers that offer cyber insurance should have a data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured. This commonly starts with gathering information regarding the institution’s cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning and third-party security policies. The information should be detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity. Third-party sources, such as external cyber risk evaluations, are also a valuable source of information. This information should be compared with analysis of past claims data to identify the risk associated with specific gaps in cybersecurity controls.
5. Educate Insureds and Insurance Producers
Insurers that offer cyber insurance have an important role to play in educating their insureds about cybersecurity and reducing the risk of cyber incidents. They should strive to offer more comprehensive information about the value of cybersecurity measures and facilitate the adoption of those measures. Insurers should also incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.
Several leading insurers already offer their insureds guidance, discounted access to cybersecurity services, and even cybersecurity assessments and recommendations for improvement. We commend these initiatives, and insurers should continue to expand the type, scope and reach of such offerings.
Insurers should also encourage and assist with the education of insurance producers, who should have a better understanding of potential cyber exposures, the types and scope of cyber coverage offered, and the monetary limits in cyber insurance policies. Ensuring that the need for, benefits of, and limitations of cyber insurance are well understood and conveyed to insureds and potential insureds will facilitate the growth of a robust cyber insurance market.
6. Obtain Cybersecurity Expertise
Insurers that offer cyber insurance need appropriate expertise to properly understand and evaluate cyber risk. Insurers should recruit employees with cybersecurity experience and skills and commit to their training and development, supplemented as necessary with consultants or vendors.
7. Require Notice to Law Enforcement
Cyber insurance policies should include a requirement that victims notify law enforcement. Some insurers that offer cyber insurance already engage in this best practice. Notice to law enforcement may be beneficial both to the victim-insured and the public. Law enforcement often has valuable information that may not be available to private sources and can help victims of a cyber incident. Law enforcement can help recover data and funds that were lost. For instance, when funds are stolen through a business email compromise, law enforcement can sometimes block or reverse wire transfers if alerted of the incident promptly. Notice to law enforcement also can enhance a victim’s reputation when its response to a cyber incident is evaluated by its shareholders, regulators, and the public. Finally, information received by law enforcement can be used to prosecute the attackers, warn others of existing cybersecurity threats, and deter future cybercrime.
About CMR & Associates + PolicySmart®
CMR & Associates’ risk management consultants provide independent retirement and insurance advice by reviewing your current plans to improve coverage and reduce cost. Through CMR’s proprietary database, The CMR Database® (comprising some 13,000 brokers and specialists globally), we maximize access to the insurance and retirement industry for greater options that translate to better coverage and lower cost.
Please email CMR & Associates or call 877-447-4301 or 212-447-4300 for more information.