Cyber Insurance Blog

How the NYDFS Cyber Security Regulation Will Change the Industry

It is no secret that cyber crime is only on the rise. As businesses continue to hand off essential business processes to their technology, their cyber risk exposure only increases.

To fight this, the New York Department of Financial Services (NYDFS) posted a best practices report for insurance providers. In it, they require insurance providers to take seven steps to mitigate their own risk and maintain their financial stability.

Read on to learn about the new seven-step NYDFS cyber security regulation and what it could mean for brokers like you.

A Cure for Rising Cyber Insurance Premiums

With cyber crime more prevalent than ever, cyber insurance providers have had to continue raising rates to match the new risk they assume. As a result, cyber insurance premiums have more than doubled in the last five years. In 2020 alone, premiums rose an average of 21%.

Because cyber insurance is such an essential part of owning a modern-day business, many companies pay the extra cost to continue mitigating their cyber risk. However, government agencies have partnered with cyber insurance providers to slow the rising rates and prevent a disaster in which a carrier goes under because it cannot pay its claims.

New NYDFS Cyber Security Regulation

The NYDFS recognizes how essential cyber insurance is for modern-day businesses. As a result, the last thing they want to see is insurers taking on too much risk and not being able to assist their insureds.

Their letter to cyber insurance providers aims to curb the rapidly rising cyber insurance premiums and foster a robust cyber insurance market. They believe that the best way to achieve those goals is by creating a financial incentive for businesses to improve their cyber security. After all, if a company has robust cyber security measures before purchasing cyber insurance, they pose much less risk than a business with no cyber security.

Through pricing incentives for those businesses that invest in cyber security, the NYDFS believes insurers can lower premiums while reducing their risk. As part of their report, the NYDFS included the seven following recommendations for cyber insurance providers.

Manage and Eliminate Exposure to Silent Cyber Risk

Silent or non-affirmative cyber insurance risk is the risk an insurer assumes from a cyber incident under a policy that does not explicitly mention cyber. In other words, insurers might be on the hook for expenses related to a cyber attack even if they did not intend a policy to cover such a risk.

With silent risk, insurers may assume more risk than they plan for, leading to what could be a disaster. Insurers need to clarify that their policies either do or do not cover cyber-related losses to eliminate silent risk.

Evaluate Systemic Risk

Cyber insurance providers should evaluate systemic risk to plan for potential losses. In the cyber insurance world, systemic risk includes widely used third-party vendors in the cloud services industry. If a critical third-party vendor gets hacked, hundreds or thousands of the businesses an insurer covers could be compromised at once. For example, the SolarWinds and NotPetya incidents exposed systemic risks in the cyber insurance industry.

Insurance providers can run stress tests to plan for a disaster scenario and calculate potential losses. Based on these catastrophic scenarios, the stress tests can show how much systemic risk an insurance provider is carrying.

Rigorously Measure Insured Risk

Before insuring a business, cyber insurance providers should always calculate that business's cyber risk. Using data-driven calculations, insurance providers can make a rigorous assessment of potential cyber security gaps that could pose a threat. Some areas that insurance providers may examine include:

  • Corporate governance and controls
  • Vulnerability management
  • Access controls
  • Encryption
  • Endpoint monitoring
  • Boundary defense
  • Incident response planning
  • Third-party security policies

Educate Insureds and Insurance Producers

Cyber insurance providers should educate those they insure and their fellow insurance providers on developing trends and risks in cyber security. By educating and enabling businesses to bolster their cyber security, insurance providers assume less risk when insuring them. With less risk per insured, insurance companies can charge lower premiums and insure more companies.

On the other hand, sharing knowledge with other insurance companies helps foster a robust cyber security market. Together, cyber insurance providers can reduce the risk of catastrophic cyber events and subsequent claim payouts.

Obtain Cyber Security Expertise

Insurance providers need to hire people with cyber security expertise to identify and quantify how much risk a given business poses. Therefore, cyber insurance providers should employ the best people to understand and evaluate cyber risk. Additionally, insurance companies should offer continuous training and education so that their employees stay up to date on the newest cyber risk trends.

Require Notice to Law Enforcement

Cyber insurance providers should incorporate a notice-to-law-enforcement requirement in their cyber insurance policies. If law enforcement quickly learns of an incident, it can help victims on both the company and the public side of affairs. For example, law enforcement can help recover stolen funds by reversing wire transfers.

Notifying law enforcement also reflects positively on the company that was attacked. If a company tries to keep the attack secret and it later comes out that customers were compromised, the damage to the company's image is much more severe.

Establish a Formal Cyber Insurance Risk Strategy

Cyber insurance providers need a formal risk strategy that the senior management, board of directors, or other governing body approves. As part of that strategy, there should be qualitative and quantitative goals for the amount of risk that the organization can take.

In addition, senior management should regularly examine where the company is relative to its goals. As part of those regular reports, management should consider where the company is in terms of all the previous recommendations on this list.

What the NYDFS Cyber Security Regulation Means for Brokers

Whether you are a broker who practices in New York or elsewhere, the NYDFS cyber security checklist will affect you. If you practice in New York, the cyber insurance options you can find for your clients will change across the board. If you practice outside of New York, do not be surprised when similar regulations reach your state.

The requirements for cyber insurance providers described above are likely the beginning of a nationwide cyber insurance revamp. Given how much businesses depend on their cyber insurance in times of need and the ever-increasing risk of cyber attacks, it is only natural for the government to regulate the industry.

As for how such regulations will affect brokers, cyber insurance brokers will need to ensure that their clients have enough cyber security measures in place to get insured in the first place. As insurance companies bolster their risk assessment efforts, businesses need to do the same for their cyber security. Businesses that do not invest in their security will likely not be able to get insured.

Therefore, it is more important than ever for brokers to be their clients’ cyber security experts who can advise them about their exposures and barriers to getting insured. If you want to make sure that you are up to date on the latest trends in cyber security, click here to download our free ebook, The Six-Step Guide to Becoming Your Clients’ Cyber Expert.
