SUPERINTENDENT LACEWELL ANNOUNCES DFS ISSUES CYBERSECURITY INSURANCE RISK FRAMEWORK

  • Source: dfs.ny.gov

Treliant Takeaway:

Treliant helps firms prepare for compliance with regulatory guidance and expectations. On February 4, 2021, Ms. Linda A. Lacewell, the Superintendent of the New York State Department of Financial Services (NYSDFS) announced that NYSDFS issued the Cybersecurity Insurance Risk Framework.

Firms who have not taken their cybersecurity controls seriously, including cybersecurity insurance, should begin to revisit this process.

Press Release Highlights:

  • The Framework outlines industry best practices for New York-regulated property/casualty insurers that write cyber insurance to effectively manage their cyber insurance risk.
  • The Framework is the first guidance by a U.S. regulator on cyber insurance.
  • Insurers are encouraged to incorporate the following best practices into their risk strategy:
  • Manage and eliminate exposure to “silent” cyber insurance risk, which results from an insurer’s obligation to cover loss from a cyber incident under a policy that does not explicitly mention cyber incidents;
  • Evaluate systemic risk, including the impact of catastrophic cyber events on third party service providers like the recently discovered SolarWinds supply chain attack;
  • Rigorously measure insured risk by using a data-driven approach to assess potential gaps and vulnerabilities in insureds’ cybersecurity;
  • Educate insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations to cyber insurance;
  • Obtain cybersecurity expertise through strategic recruiting and hiring practices; and
  • Require notice to law enforcement in the event of a cyber-attack.

How does this new NYSDFS Cybersecurity Insurance Framework compare to the April 10, 2018 Press Release from the Federal Financial Institutions Examination Council (FFIEC) that states “The FFIEC members do not require financial institutions to maintain cyber insurance.” ?

Will US regulators now look even more closely at how firms have implemented regulatory driven cybersecurity controls and in particular, whether or not to purchase cybersecurity insurance?

Chief Information Security Officers (“CISO”) and their teams need to be ready to demonstrate compliance with cybersecurity regulations and be ready for a thorough look by the regulators at the underlying processes, including decisions around obtaining cybersecurity insurance.

Our professionals include but are not limited to, former CISOs and Internal Auditors. We understand how to make your cybersecurity programs work effectively and to prepare for more in-depth regulatory exams which inevitably are coming soon.