Cyber insurance is a necessary element in managing and reducing cyber risk. As an insurance policy that helps protect organizations from the ramifications associated with cyber incidents, the insured benefits from minimized business disruption and potentially having some of the financial costs covered. Essentially, this type of insurance prices an organization’s cyber risks. And doing so creates a financial incentive to fill the gaps in cybersecurity as this will reduce the insured’s premiums.
Earlier this month, the New York Department of Financial Services (NYDFS) released its Cyber Insurance Risk Framework, being the first state in the nation to do so. The framework came as a result of a rise in cyberattacks – with a recent example being the SolarWinds attack, whereby a Russian state-affiliated hacking group managed to infiltrate the computer systems of numerous US government agencies, including the US Treasury and Department of Commerce. With cybersecurity becoming increasingly necessary as cyberattacks proliferate, the cyber insurance market is expected to reach $20 billion by 2025, up from $3.15 billion in 2019.
The Framework applies to all property or casualty insurers that write cybersecurity insurance and includes a number of practices for managing cyber insurance risk under seven categories.
1. Establish a formal cyber insurance risk strategy.
Insurers need to have a clearly delineated strategy for measuring cyber insurance risk – both qualitatively, and quantitatively. Such a strategy should be directed and approved by senior management and the board. The strategy should include the following components:
2. Manage and eliminate exposure to silent cyber insurance risk.
Insurance carriers need to identify and evaluate their exposure to silent, or non-affirmative, cyber risks under non-cyber policies and, subsequently, reduce such exposure. Insurers can eliminate cyber risks by making clear, in any policy that could be subject to a cyber-related claim. This is whether or not the policy provides, or excludes, coverage for cyber-related losses.
3. Evaluate systemic risk.
This is a crucial step that will prevent insurers from facing significant, and possibly unsustainable, costs. Systemic risk has grown due to the increased dependency on third-party vendors. This is especially in highly concentrated areas, as a result of globalization. Hence, according to the Framework, insurers must “understand the critical third parties used by their insureds and model the effect of a catastrophic cyber event on such critical third parties that may cause simultaneous losses to many of their insureds”. The SolarWinds attack is an example of a systemic risk that could damage many insureds simultaneously.
To evaluate systemic risk, insurers should conduct internal cybersecurity “stress tests” based on unlikely, but possible, catastrophic cyber events. Such tests should, crucially, account for both silent and affirmative cyber risks. Additionally, these tests should also measure potential impacts across various industries.
4. Rigorously measure insured risk.
The Framework highlights the need for insurers to do a better job of knowing the exposure risks of their insureds. The NYDFS suggests developing and implementing a “data-driven” comprehensive plan that assesses the cyber risks of each insured, and potentially insured, organization. Such a plan must be able to be analyzed against claims data to better evaluate the risks presented. Additionally, insurers must evaluate an insured’s, or potential insured’s, data privacy and security program as this is critical to accurately assess the risk. The data gathering must provide enough detail to “make a rigorous assessment of protentional gaps and vulnerabilities in the insured’s cybersecurity”. This includes evaluating the following:
- Corporate governance.
- Vulnerability management.
- Access controls.
- Endpoint monitoring.
- Boundary defenses.
- Incident response planning.
- Third-party risk management.
5. Educate insured and insurance producers.
Insureds, and insurance brokers, need to be educated regarding the benefits of a comprehensive and effective data privacy and security program. Insurers should also facilitate and offer incentives for the development and implementation of such programs through policy pricing and discounted access to cybersecurity services and risk assessments.
6. Obtain cybersecurity expertise.
In order to evaluate cyber risks, insurers must have the appropriate level of expertise. Hence, this requires the recruitment of employees with cybersecurity experience and skills. Moreover, insurers should commit to training and developing personnel.
7. Require notice to law enforcement.
When sustaining a successful attack, insurance policies should require policyholders to notify law enforcement. In doing so, law enforcement can assist in recovering stolen data and funds, as well as enable the prosecution of attackers to deter future cybercrime.
With cyberattacks not only proliferating – tens of thousands occur every day – but also becoming more sophisticated and dangerous. Therefore, a cyber insurance framework will assist in the attempt to improve resilience to the malicious activities taking place in the cyber world. An organization’s cybersecurity team needs to ensure that every vulnerability is covered, while attackers only need to exploit one – and the latter are getting much better at their job. Hence, it is not a question of if you will get attacked, but rather, when. Importantly, malicious cyber actors are seeking innovative and sneaky ways to bypass security measures in place.
Hardware-based attacks, for example, are extremely challenging to mitigate due to their extremely covert nature. Network Implants can evade existing cybersecurity software solutions by sitting on the Physical Layer, and Spoofed Peripherals impersonate legitimate HIDs and are therefore not detected as harmful. With this, cyber insurance is a necessary tool, and a framework will provide a coherent resource for insurers to refer to when creating their policies.
New York might be the first state to introduce such a framework, but it certainly will not be the last. Hopefully, this will be the start of a global push to introduce cyber insurance risk frameworks; but for now, to quote Frank Sinatra, “it’s up to you, New York”.