New York’s Department of Financial Services Urges Cyber Insurance Companies to Require Insureds to Implement Robust Cybersecurity Programs

Harris Beach PLLC

The New York State Department of Financial Services (DFS) issued a letter to the cyber insurance community on February 4, 2021 that should signal a warning to many other businesses seeking to obtain or keep their cybersecurity insurance.

The letter analyzes the cybersecurity supply chain and the risk that cyber insurers face when they insure companies lacking adequate security controls for the threats those companies face. It warns the industry that cyber insurance can paradoxically lead companies to forgo meaningful security controls: because they are insured, and because premiums may cost less than the protections they should have in place, the policy ends up substituting for security rather than complementing it. DFS argues that this is unsustainable and urges insurers to evaluate their insureds, and the risk those insureds pose, more rigorously.

While the DFS guidance is addressed to the insurance industry, its impact will likely be more widespread, because we believe many insurers will adopt it and soon impose more rigorous requirements on organizations seeking coverage against cyber-related loss. Should a company's cyber insurance lapse, it faces significant loss exposure and could be in breach of numerous contracts. We therefore believe it is important for an organization to ensure that its cybersecurity program, policies and controls are reasonable for the risk it faces, comply with the security requirements of the NY SHIELD Act found at GBL 899-bb, and match the representations it made when it applied for cyber insurance.

In particular, organizations seeking cyber insurance can soon expect their insurers to rigorously measure the organization's cyber risk and to implement a data-driven, comprehensive plan for measuring the insurance risk posed by each current and potential insured. DFS describes the assessment process as follows:

This commonly starts with gathering information regarding the institution’s cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning and third-party security policies. The information should be detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity. Third-party sources, such as external cyber risk evaluations, are also a valuable source of information. This information should be compared with analysis of past claims data to identify the risk associated with specific gaps in cybersecurity controls.

If carriers follow this guidance, the application process will examine not just an organization's written policies, but also the controls in place to manage cybersecurity risk and the procedures and technologies that implement those policies and controls.

In our experience, many midsized organizations undertake security practices on an ad hoc basis: they react to prior events and upgrade or change tools when opportunities present themselves. Implementing access controls, endpoint monitoring, boundary defenses and incident response, and reviewing the security practices of third parties, requires a managed security program that differs substantially from an ad hoc approach. Identifying the required controls, incorporating them into a security program and documenting the procedures that implement those controls takes time and effort, and that effort is compounded when it is extended to vendors in the organization's cybersecurity supply chain.

If an organization fails the risk assessment performed by a potential carrier, or passes it but is later found not to have actually followed its written program, it risks being denied coverage or having a claim disclaimed for misrepresenting its security defenses. The consequences can cascade further: if the program is found to be significantly lacking, the organization could be found in breach of contract with its customers, and if it holds federal contracts that require security controls, it could face claims under the False Claims Act or debarment from future contracts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising
