As cyberattacks continue to increase, cyber insurers are always looking for ways to manage the cyber risk they take on. The NY DFS offers some best practices from top insurance companies.
I’ve covered a number of stories before of cyber insurers that did not pay out on a policy that involved some form of cyberattack. Usually it came down to a technicality or was denied due to specific attack scenarios outlined in the policy. Those news stories usually involve an insurer that is well-established and experienced in the field of cyber insurance. But for those insurers just now seeking to get into the market, without the proper experience, it could be costly if they’re not careful.
To assist, last month the NY DFS issued an open letter to property and casualty insurers, offering guidance in addressing their exposure to cyber risk through issued policies.
The framework, based on dozens of discussions with experienced cyber insurers, includes the following:
- Establish a Formal Cyber Insurance Risk Strategy – made up of the next six key practices, the strategy should define clear risk goals, involving senior management and the insurer’s governing body.
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk – silent risk stems from any cyber loss that must be covered under a policy that does not explicitly mention cyber.
- Evaluate Systemic Risk – insureds relying on third-party vendors and supply chains can create an environment ripe for risk, which can result in a catastrophic loss to the insurer.
- Rigorously Measure Insured Risk – Insurers need to have a comprehensive plan to measure out the risk of a given insured. The word “rigorous” should be enough to get an idea of how much effort needs to be placed into this step.
- Educate Insureds and Insurance Producers – Helping the insured organization with security assessments and recommendations, as well as advocating Security Awareness Training for their employees will help reduce the risk of a claim event.
- Obtain Cybersecurity Expertise – You can’t insure what you don’t understand. Seek out industry expertise to assist with building out every part of this framework.
- Require Notice to Law Enforcement – victim organizations need to engage with local law enforcement to get assistance with data and fund recovery, prosecution of attackers, and more.