The proverb says that "the best defense is a good offense." That seems to be the approach New York's insurance regulator is advocating in response to what it considers "systemic risk": the risk that arises when a widespread cyber incident injures many insureds at the same time, potentially overwhelming insurers with large losses. On February 4, 2021, the New York Department of Financial Services ("DFS"), which regulates insurance in New York, issued Insurance Circular Letter No. 2 (2021), the "Cyber Insurance Risk Framework" (the "Guidelines"), which urges insurers to take a more rigorous approach to underwriting cyber risk. In the Guidelines, DFS cites the 2020 SolarWinds attack as an example of why managing growing cyber risk is "an urgent challenge for insurers."
The Guidelines set out a Cyber Insurance Risk Framework describing best practices for managing cyber insurance risk (the "Framework"), with the stated goal of fostering the growth of a robust cyber insurance market that preserves the financial stability of insurers and protects insureds. DFS expects every authorized property/casualty insurer that writes cyber insurance in the state to adopt the practices identified in the Framework, beginning with the establishment of a formal cyber insurance risk strategy that is directed and approved by senior management and by the board or other governing body. DFS instructs that the strategy should contain clear qualitative and quantitative risk goals, that progress toward those goals should be reported to senior management and the board or governing body on a regular basis, and that the strategy should incorporate the six practices described in the Framework.
Below we discuss each of those practices and the considerations they raise for cyber policyholders.
- Manage and eliminate exposure to "silent" cyber insurance risk, meaning the risk that an insurer must cover losses from a cyber incident under a policy that does not explicitly address cyber risk, such as errors and omissions, burglary and theft, general liability and product liability policies. Insurers should also take steps to mitigate existing silent risk, for example by purchasing reinsurance.
Policyholder Considerations: This guideline derives from the NotPetya 201
Mondelez filed a claim under a Zurich property insurance policy that provided coverage for "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction." According to Mondelez's complaint, Zurich adjusted the claim and even went so far as to make an unconditional advance of $10 million as a partial payment against Mondelez's losses. Zurich then reversed course and invoked the policy's "war exclusion" to deny coverage. Mondelez sued Zurich, alleging breach of contract, promissory estoppel, and vexatious and unreasonable conduct under Section 155 of the Illinois Insurance Code, and is seeking $100 million in damages. In light of this practice, policyholders should expect insurers to add explicit cyber exclusions to directors and officers (D&O), commercial property and commercial general liability policies. Policyholders should also be aware of any coverage gaps that may exist, particularly with respect to risks associated with critical infrastructure and the Internet of Things. Many cyber policies exclude coverage for property damage and bodily injury even when they result from a cyber attack, while at the same time general liability policies may contain broad cyber exclusions. Policyholders should retain competent coverage counsel to analyze these gaps, and should talk to their brokers and insurers about narrowing these exclusions in the relevant policies and/or consider purchasing difference-in-conditions coverage to fill the gap.
- Evaluate systemic risk, which has grown in part because institutions increasingly depend on third-party vendors that are highly concentrated in key areas such as cloud services and managed service providers. Examples include self-propagating malware or a supply chain attack that infects many institutions at once, or a cyber event that disables a major cloud service provider. Insurers should run internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events, and should track the effects of those stress test scenarios across the different lines of insurance they write as well as across the industries of their insureds.
Policyholder Considerations: Based on this practice, policyholders can expect insurers to reduce limits for contingent business interruption coverage, which covers loss of income due to an interruption at a vendor on which the business depends. Policyholders should nevertheless continue to seek this coverage, and should work to negotiate indemnification provisions in their vendor contracts that cover losses, costs, expenses and liabilities resulting from an interruption of, or attack on, a vendor's systems.
- Rigorously measure insured risk through a data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured. This usually begins with gathering information about the institution's cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, perimeter defenses, incident response planning and third-party security policies. The information should be detailed enough for the insurer to make an accurate assessment of potential gaps and vulnerabilities in the insured's cybersecurity. Third-party sources, such as external cyber risk assessments, are also valuable. This information should be compared with analysis of past loss data to identify the risk associated with specific gaps in cybersecurity controls.
Policyholder Considerations: This practice is likely to lead insurers to engage in more intensive underwriting, which may consume more of a policyholder's resources when seeking coverage. Policyholders should build in the time needed for enhanced underwriting, including at renewal, and should begin discussions with their cyber insurer early in the process. Policyholders should also ensure that all key personnel, including general counsel, risk managers, finance, IT and outside coverage counsel, are involved in completing insurance applications and answering any questions the insurer may have.
Unfortunately for policyholders, insurers often attempt to rescind coverage based on alleged misrepresentations in applications. In many jurisdictions even an innocent misrepresentation in an application can void the policy as a whole, and insurers frequently seek rescission on that basis. See, e.g., Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-cv-03432, 2015 U.S. Dist. LEXIS 93456 (C.D. Cal. July 17, 2015) (dismissing the insurer's action without prejudice because the policy contained a mandatory ADR provision; the insurer had sought to rescind the policy, alleging that the policyholder misrepresented the facts in its application concerning its minimum required security practices and failed to "continuously implement the procedures and risk controls identified in its application, regularly check and maintain security patches on its systems, or enhance risk controls").
- Educate insureds and insurance producers about cybersecurity and reduce the risk of cyber incidents. Insurers should incentivize the adoption of better cybersecurity measures through policy pricing based on the effectiveness of each insured's cybersecurity program. Insurers should also encourage and assist in the training of insurance producers, who should have a better understanding of potential cyber exposures, the types and scope of cyber coverage offered, and the monetary limits in cyber policies.
Policyholder Considerations: Many cyber insurers include cyber risk management training services with their policies. Policyholders should take advantage of these services, which are often provided at no charge.
- Obtain cybersecurity expertise in order to properly understand and evaluate cyber risk. Insurers should recruit employees with cybersecurity experience and skills and invest in their training and development, supplemented where necessary by consultants or vendors.
Policyholder Considerations: This practice is likely to carry through into the underwriting process, where insurers' cybersecurity experts may pose technical questions and/or need to speak directly with the IT and/or cybersecurity personnel within the policyholder's organization. This again underlines the importance of involving key personnel in the insurance application and underwriting process.
- Require notice to law enforcement: cyber insurance policies should include a requirement that victims of a cyber incident notify law enforcement. Notice to law enforcement can benefit both the insured victim and the public at large, because law enforcement often has valuable information that may not be available from private sources and can assist victims of a cyber incident. For example, if notified promptly, law enforcement can help recover data and funds stolen through a business email compromise, sometimes by blocking or reversing wire transfers. Reporting to law enforcement can also improve the victim's standing when its response to a cybercrime is evaluated by its shareholders, regulators and the public. Finally, information obtained by law enforcement can be used to prosecute attackers, warn others of existing cybersecurity threats, and deter future cybercrime.
Policyholder Considerations: Policyholders should be aware that reporting a cyber incident to law enforcement can sometimes delay reporting a claim, or providing claim information, to insurers to the extent a law enforcement investigation prohibits the policyholder from disclosing the incident. Policyholders should therefore seek an endorsement to their cyber policy that excuses late notice in situations where the policyholder is barred from disclosing a cyber incident or related information by law enforcement or regulatory restrictions.
The upshot of DFS's Guidelines is that insurers may begin to further limit coverage for cyber events by using sublimits and exclusions in cyber policies and by inserting explicit cyber exclusions into traditional non-cyber policies such as property, pollution, D&O or general liability policies. In addition, insurers may adopt a more involved underwriting process for cyber coverage. Policyholders should therefore assemble a team of IT or cybersecurity staff, in-house counsel and others within the organization to participate in the underwriting process and answer any technical questions the insurer may have. Finally, policyholders should consider retaining coverage counsel at the policy procurement and renewal stages to assist in analyzing proposed policies. Coverage counsel can identify coverage gaps, flag problematic policy language and exclusions, and propose language for endorsements.