The state's Department of Financial Services last Thursday called on cyber insurers to develop a "rigorous and data-driven approach to cyber risk," offering a new framework to do so while warning that failures to carefully assess client risks could have detrimental consequences for the market as a whole.
The DFS pointed to the recent hack of SolarWinds' Orion enterprise network management software — whose clients included the U.S. Department of Homeland Security, the U.S. military, the U.S. Department of State, the Office of the President of the United States and Fortune 500 companies — to illustrate the "systemic risk" posed by cyber threats.
It also cited research from cybersecurity firm PurpleSec that pegged the global costs of ransomware attacks in 2020 at roughly $20 billion.
"Insurers that don't effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity and pass the cost of cyber incidents on to the insurer," the DFS said in the new guidance. "Without an effective ability to measure risk, cyber insurance can therefore have the perverse effect of increasing cyber risk — risk that will be borne by the insurer."
Among other things, the DFS guidelines — which are not binding — urge cyber insurers to recruit employees with "cybersecurity experience and skills" and use a "data-driven, comprehensive plan" to assess the cyber risk posed by each potential insured during the underwriting process.
The regulator suggested these assessments can include surveys and interviews designed to evaluate the strengths and vulnerabilities of the potential insured's data security regime, as well as audits by third-party risk evaluators.
"Cyber insurance has been a quickly growing market and an effective solution for clients, but everyone is very aware of the large number of ransomware claims that have affected both industry and the cyber insurance market," said Matthew McCabe, a senior vice president at global professional services firm Marsh & McLennan Companies.
"I read these guidelines as the regulator identifying what the insurance companies are up against and announcing that they have an expectation of a minimal standard of rigor that carriers have to observe, because they want to ensure they have a stable market," he added.
A representative for AXA XL, which the National Association of Insurance Commissioners identified as the largest provider of cyber insurance in the U.S., declined to comment on its underwriting practices or whether it plans to implement the DFS guidelines. And the remainder of the top five cyber carriers — Chubb Ltd., AIG, Beazley and Travelers — did not respond to messages seeking comment.
But brokers and attorneys who represent insurance companies told Law360 many carriers have already begun taking steps to bolster their cyber insurance underwriting processes by recruiting more cybersecurity experts, engaging in extensive probes into potential insureds' data security defenses, and collecting data on claims and losses tied to cyber incidents both large and small.
The DFS framework could further bolster the cyber insurance market by providing a common baseline for carriers, said Nace Naumoski of Stewart Smith.
"The framework takes a step toward getting insurers on the same page about cyber coverage," said Naumoski, who represents insurers. "When everyone is operating from the same framework, it helps spread the risk and make it more manageable, which I think is a positive. It is helpful for both insurers and insureds to know that everyone is speaking the same language."
If cyber insurers follow the DFS' lead and continue to expand their teams of cybersecurity experts, they will be better equipped to anticipate future cyber threats and craft policies accordingly, Naumoski said.
"I think one of the problems is that, unless you are intimately involved in [the cybersecurity] field, it is difficult to stay a step ahead and determine what issues are coming down the road, as opposed to merely responding to things that have already happened," he said. "I like that DFS is taking this prophylactic approach. That gives tools to carriers to say what is likely to happen in the future and how can we be prepared, to the extent possible."
Hinshaw & Culbertson LLP partner Judy Selby, who also represents insurers, said she was encouraged by the DFS' emphasis on cyber insurers identifying and planning for systemic risk — the threat that a single cyberattack could destabilize an entire industry or sector of the economy.
According to the DFS framework, systemic risk has grown in recent years as more companies rely on small pools of third-party vendors in "key areas" like cloud storage and network management. The regulator advised cyber insurers to regularly evaluate and plan for hefty losses that could result from an attack on a single vendor used by multiple insureds.
"A catastrophic cyber event could inflict tremendous losses on insurers that may jeopardize their financial solvency," the DFS guidance said.
According to experts, cyber insurers can also seek to reduce their exposure to systemic risk by not issuing policies to too many companies that are reliant on the same vendor.
"I think that is something most big carriers have been aware of and other carriers will have to address as well — trying to diversify the risk that they are undertaking," Selby said. "You could be in a situation where a carrier says, 'Well, we don't want to have too much of a certain industry as insureds, whether it is health care or retail or hospitality.' But if all the companies in those different industries still use the same cloud provider, a carrier may not have diversified its risks as much as it thought."
The DFS also said in its guidance that cyber insurers can play a significant role in educating insureds about their exposure to cyber risks and helping them shore up their data security defenses.
The regulator commended existing initiatives by some cyber insurance carriers to provide insureds with educational materials and discounted access to cybersecurity services and assessments, encouraging carriers to "continue to expand the type, scope and reach of such offerings."
Selby said these "proactive risk management offerings" by some carriers have "always been, in my view, one of the greatest benefits of cyber coverage."
"The result may be that you never even have a claim, and if you do, it may not be nearly as bad as it otherwise might have been," she said. "Hopefully the DFS guidance will support insurers' efforts to incentivize policyholders to take advantage of these offerings as a best practice."
However, several aspects of the DFS' framework raised concerns among some insurance attorneys and brokers. In one section, the regulator cautioned cyber insurers against covering ransomware demand payments, noting that guidance from the Office of Foreign Assets Control last October warned that insurers can face legal consequences for making such payments to sanctioned entities.
The DFS did not indicate in the framework that it plans to take any steps to disallow ransomware coverage, and an agency representative declined to comment for this article. As it stands, ransomware coverage remains broadly available in cyber policies, although some insurers have reduced the scope and limits of the coverage in response to the recent surge in attacks, according to attorneys.
"Ransomware coverage is a crucial part of many cyber insurance policies," said Barnes & Thornburg LLP partner Scott Godes, who counsels policyholders. "For DFS to suggest that these claims shouldn't be paid, then, is troubling for policyholders who have purchased and are relying on this coverage for extortion payments. It is not clear at this point how this will unfold and how carriers will respond to that recommendation."
Anderson Kill PC shareholder Josh Gold said that if coverage for ransomware payments were ever prohibited, companies' losses due to disruptions caused by ransomware attacks would likely just be funneled into the business interruption provisions in their cyber policies.
"If the policyholder is either dissuaded or prevented from making an extortion payment to get the encryption key from the hacker, then longer and more severe business interruption claims will be suffered," said Gold, who also represents policyholders. "Policyholders will necessarily need to conduct business with greatly reduced data and perhaps the unavailability of certain systems, thus enlarging the business interruption claim. That may be something the DFS has not fully taken into account."
Barnes & Thornburg's Godes also took exception to the DFS' recommendation that cyber insurance policies include a requirement that the policyholder notify law enforcement of any cyberattack. According to the framework, about 36% of existing cyber policies contain this requirement.
"That puts cybersecurity counsel in the box of trying to figure out how numerous states' laws apply in terms of privacy obligations, what is the best response to protect the insured, what the insurance policy purports to require, and how to reconcile all of that," Godes said.
Brian Gillin, senior vice president and east region leader at broker Aon, expressed similar concerns, telling Law360 he thinks "it should be left up to the insured to decide whether or not it is in their best interest to notify law enforcement."
"There may be a number of reasons a company does not want to notify law enforcement; for example, reputational concerns," Gillin said. "Maybe a better approach there would be to incentivize insureds with a premium credit or something to that effect, if they choose to notify law enforcement."
Naumoski, of Stewart Smith, emphasized that cyber insurers are free to adopt or reject the voluntary DFS guidelines as they see fit.
"This is still a work in progress, and I do not expect that carriers will adopt the guidelines wholesale, but I do think it is a step in the right direction," he said.