On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S. regulator on this topic. In recognizing the growing risk and the challenges insurers face when trying to manage that risk, NYDFS advised insurers to “establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity[.]” According to the guidance, the insurer’s strategy should be proportionate to the insurer’s risk and take into account “the insurer’s size, resources, geographic distribution, and other factors.” NYDFS also advised insurers to:

• Eliminate exposure to “silent” cyber insurance risk resulting from a cyber incident that an insurer is obligated to cover even though its policy “does not explicitly mention cyber incidents.”
• Evaluate systemic risk, including how catastrophic cyber events impact third-party vendors.
• Measure and assess potential cybersecurity gaps and vulnerabilities through a data-driven approach.
• Educate insureds and insurance producers on the value of cybersecurity measures, as well as the uses and limitations of cyber insurance.
• Recruit and hire employees with cybersecurity experience.
• Include a requirement in cyber insurance policies that victim-insureds notify law enforcement when a cyber attack occurs.