News & Events

NYS Department of Financial Services Issues “Cyber Insurance Risk Framework”

On February 4, 2021, New York State’s Department of Financial Services (DFS) issued a seven-part “Cyber Insurance Risk Framework” (the Framework) urging insurance companies to develop a “rigorous” and “data driven approach” to insuring cybersecurity risks. Ransomware attacks reported to the DFS nearly doubled in 2020 from the previous year, with costs continuing to rise.

Managing cyber risk continues to be a challenge for insurers, and according to the DFS, one that requires coverage offerings and pricing based on a careful assessment of an insured organization’s risk level…which isn’t news to experienced cyber carriers.

To manage their cyber insurance risk, however, the DFS recommends the following for property/casualty insurers that write cyber insurance (again, not news to serious cyber insurance carriers): 

  1. Establish a formal cyber insurance risk strategy;
  2. Manage and eliminate exposure to silent cyber insurance risk;
  3. Evaluate systemic risk;
  4. Rigorously measure insured risk;
  5. Educate insureds and insurance producers;
  6. Obtain cybersecurity expertise; and
  7. Require notice to law enforcement.

Additionally, in line with recent OFAC and FinCen advisories from October 2020, the DFS recommends against, but does not mandate, paying ransom payments.

While experienced carriers are already implementing these recommendations (and others), smaller and less experienced insurance carriers should begin to build them into their process of writing and marketing their cyber insurance policies.

If you have any questions about the Framework, please contact Carolyn Purwin Ryan (; 267.930.6836), Maria Monastra (; 267.930-4602) or another one of our cybersecurity professionals.

© Mullen Coughlin. Attorney Advertising Notice: Information contained in this Web site may be considered attorney advertising. The material and information contained on these pages is intended to provide general information only and not legal advice. You should consult with an attorney licensed to practice in your jurisdiction before relying upon any of the information presented here. You are advised that the acts of sending e-mail to or view or downloading information from this website does not create an attorney-client relationship. Disclaimer | Sitemap