New York Regulators Call on Insurers to Strengthen the Cyber Underwriting Process
The adage goes, “the best defense is a good offense.” This appears to be the approach that New York insurance regulators are advocating in response to what they deem “systemic risk[s] that occur when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.” On February 4, 2021, the New York Department of Financial Services (“DFS”), which regulates the business of insurance in New York, issued guidelines in Insurance Circular Letter No. 2 (2021) regarding the “Cyber Insurance Risk Framework” (the “Guidelines”), calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, DFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”
DFS has created the Guidelines and the Cyber Insurance Risk Framework outlining best practices for managing cyber insurance risk (the “Framework”) with the stated goal of fostering the growth of a robust cyber insurance market while maintaining the financial stability of insurers and protecting insureds. DFS requires that all authorized property/casualty insurers that write cyber insurance in the state employ the practices identified in the Framework, including, in the first instance, establishing a formal cyber insurance risk strategy that is directed and approved by senior management and the board of directors or governing body of the insurer. DFS instructs that the strategy should include clear qualitative and quantitative goals for risk, that progress toward those goals should be reported to senior management and the board or governing body on a regular basis, and that the strategy should incorporate the six practices outlined in the Framework.
Below, we address the Framework and considerations for cyber insurance policyholders in light of same.
- Manage and eliminate exposure to silent cyber insurance risk, which is risk that an insurer must cover loss from a cyber incident under a policy that does not explicitly mention cyber, such as under errors and omissions, burglary and theft, general liability and product liability insurance policies. Insurers should also take steps to mitigate existing silent risk, such as by purchasing reinsurance.
Policyholder Consideration: This guideline stems from the 2017 NotPetya incident, where malware unleashed by the Russian government caused damage across the globe, leading to $3 billion in insurance claims, of which $2.7 billion were made under property/casualty policies that were silent about cyber risks. For example, Mondelez International Inc. sought coverage for expenses under its property insurance policy. The litigation, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., No. 2018-L-11008, 2018 WL 4941760 (Ill. Cir. Ct., Cook Cty., complaint filed Oct. 10, 2018), remains pending in an Illinois state court.
Mondelez submitted a claim under its Zurich property insurance policy that provided coverage for “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code.” According to Mondelez’s complaint, Zurich adjusted the claim and even went as far as committing to an unconditional advance of $10 million as a partial payment toward Mondelez’s losses. But, after changing coverage counsel, Zurich suddenly changed course and invoked the policy’s “war exclusion” to deny coverage. Mondelez brought suit against Zurich, alleging breach of contract, promissory estoppel and vexatious and unreasonable conduct under Illinois Insurance Code Section 155. Mondelez is seeking $100 million in damages.
Policyholders should beware of cyber exclusions in traditional policies, such as directors and officers (D&O), commercial property, and commercial general liability policies. Policyholders also should beware of coverage gaps that may exist, particularly as to risks associated with critical infrastructure and the Internet of Things. Indeed, many cyber policies exclude coverage for property damage and bodily injury, even if resulting from a cyber-attack; while at the same time, property and commercial general liability policies may contain broad cyber exclusions. Policyholders should retain competent coverage counsel to analyze these gaps and should speak to their brokers and insurers about carving back these exclusions on the appropriate policies and/or consider purchasing Difference-in-Conditions policies to fill this gap in coverage.
- Evaluate systemic risk, which has grown in part because institutions increasingly rely on third-party vendors that are highly concentrated in key areas like cloud services and managed services providers. Examples include self-propagating malware or a supply chain attack that infects many institutions at the same time, or a cyber event that disables a major cloud services provider. Insurers should conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events and should track the impact of stress test scenarios across the different kinds of insurance policies they offer as well as across the different industries of their insureds.
Policyholder Consideration: Based on this consideration, policyholders foreseeably may see insurers reduce the coverage limits afforded for contingent business interruption, which covers business income loss due to an outage at a vendor on which your business relies. Nevertheless, policyholders should continue to request this coverage and should work to shore up indemnity provisions in their vendor contracts to cover loss, cost, expense, and liability claims resulting from an outage or attack on a vendor’s system.
- Rigorously measure insured risk through a data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured. This commonly starts with gathering information regarding the institution’s cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning and third-party security policies. The information should be detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity. Third-party sources, such as external cyber risk evaluations, are also a valuable source of information. This information should be compared with analysis of past claims data to identify the risk associated with specific gaps in cybersecurity controls.
Policyholder Consideration: This consideration may lead underwriters to engage in more intensive underwriting, which can consume more of policyholders’ resources in seeking coverage. In this regard, policyholders should build in time needed for any additional underwriting, even at renewal, and start conversations with their cyber insurer early in the process. Policyholders also should ensure that they involve all key personnel, including general counsel, risk managers, finance departments, IT departments, and outside coverage counsel, in filling out policy applications and in answering any questions the insurer may have.
Unfortunately for policyholders, insurers often seek to rescind coverage based on purported misrepresentations in applications. In many jurisdictions, even an insured’s innocent misrepresentation on an application may void coverage for the policy as a whole. See, e.g., Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-cv-03432, 2015 U.S. Dist. LEXIS 93456 (C.D. Cal. July 17, 2015) (dismissed without prejudice because the policy included a mandatory ADR provision; the insurer sought to rescind the policy and alleged that the policyholder misrepresented facts on the application about its maintenance and security minimum practices, alleging that Cottage failed to “continuously implement the procedures and risk controls identified in its application, regularly check and maintain patches on its systems, or enhance risk controls.”).
- Educate insureds and insurance producers about cybersecurity and reducing the risk of cyber incidents. Insurers should also incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program. Insurers should also encourage and assist with the education of insurance producers who should have a better understanding of potential cyber exposures, types and scope of cyber coverage offered, and monetary limits in cyber insurance policies.
Policyholder Consideration: Many cyber insurers build into their policies coverage for cyber risk management education. Policyholders should take advantage of these services, which are often provided complimentary.
- Obtain cybersecurity expertise to properly understand and evaluate cyber risk. Insurers should recruit employees with cybersecurity experience and skills and commit to their training and development, supplemented as necessary with consultants or vendors.
Policyholder Consideration: This consideration is likely to trickle down to the underwriting process, where insurers’ cybersecurity experts may have technical questions and/or may need to speak directly with any IT and/or cybersecurity experts within the policyholder’s organization. This again underscores the importance of involving key IT personnel in the cyber insurance application and underwriting process.
- Require notice to law enforcement by victims of a cyber incident directly in cyber insurance policies. Notice to law enforcement may be beneficial both to the victim-insured and to the public, as law enforcement often has valuable information that may not be available to private sources and can help victims of a cyber incident. For example, law enforcement can help recover data and funds that were stolen through a business email compromise, sometimes by blocking or reversing wire transfers, if alerted to the incident promptly. Notice to law enforcement also can enhance a victim’s reputation when its response to a cyber incident is evaluated by its shareholders, regulators, and the public. Finally, information received by law enforcement can be used to prosecute the attackers, warn others of existing cybersecurity threats, and deter future cybercrime.
Policyholder Consideration: Policyholders should beware that reporting cyber events to law enforcement can sometimes result in delays in reporting a claim or claim information to insurers, to the extent the policyholder is forbidden by law enforcement from disclosing such information during the course of law enforcement’s investigation. Therefore, policyholders should request an endorsement to their cyber policy that excuses late notice in situations where the policyholder is forbidden from disclosing any potential cyber incident or information due to restrictions imposed by law enforcement or regulation.
Overall, a key takeaway for policyholders from DFS’s Guidelines is that insurers may begin further limiting coverage for cyber events through the use of sublimits and exclusions in cyber insurance policies and by inserting express cyber exclusions in traditional non-cyber policies, such as property, pollution, D&O, or general liability policies. In addition, insurers may begin conducting a more involved underwriting process with respect to cyber coverage. Accordingly, policyholders should develop a team of IT or cybersecurity personnel, in-house counsel, and others at their organization to be involved in the underwriting process for quality control and to answer any technical questions the insurer may have. Finally, policyholders should consider retaining coverage counsel at the policy procurement and renewal stages to assist with analyzing proposed policies. Coverage counsel may identify coverage gaps, flag any problematic policy language and exclusions, and advise on language for proposed endorsements.