Cybersecurity rules from the New York Department of Financial Services (DFS) went into effect on March 1 and now banks and insurers are faced with an increasing level of potential legal exposure for data breaches. This development in cybersecurity is leading many financial and non-financial companies alike to purchase new cyber insurance policies. However, these products do not replace the need for due diligence, and they require a sophisticated understanding of cyber risks to select and adequately safeguard appropriate forms of coverage.
DFS’s cybersecurity rules require enhanced internal protocols for data security, monitoring of third-party vendors, data encryption standards, and breach notification of affected parties within 72 hours. The proposed rules were revised in December of last year to provide more flexibility and customization of internal policies and risk assessments, but financial institutions must still perform a periodic risk assessment to ensure their cybersecurity policies and protocols comply with the new regulation. These institutions must also file an annual certification statement verifying compliance with the DFS regulation by February 2018.
With some entities calling for a national data breach notification law, DFS rules present a possible model framework to be implemented in other jurisdictions and the potential for greater regulatory enforcement. The Federal Trade Commission has also engaged in a number of high profile and successful data security enforcement actions against companies like LabMD for failing to protect sensitive and personal consumer information.
As a result, coverages for regulatory defense and for breaches to third-party vendors have become increasingly essential as part of any cyber insurance policy. Many policies require that companies engage in internal security risk assessments and reduce or limit the risks of a data breach in some fashion. There are also potentially applicable exclusions for failing to follow your own privacy policy.
Many companies may not realize the dangerous potential involved when bodily injury or physical damage results from some form of cyber breach or data terrorism. First-party property and third-party liability policies contain cyber exclusions, and cyber insurance policies traditionally exclude bodily injury and property damage. Disastrous or catastrophic events in this area remain largely uncovered by existing insurance products
Cyber risks are fast changing with the level and nature of risks evolving almost on a daily basis. As a result, it is important to work with cyber specialists in any attempt to obtain cyber coverage to ensure the appropriate level of safeguards are in place to avoid a regulatory enforcement action and adequately safeguard all available forms of insurance coverage.
