On February 4, 2021, New York State’s Department of Financial Services (DFS) issued a seven-part “Cyber Insurance Risk Framework” (the Framework) urging insurance companies to develop a “rigorous” and “data driven approach” to insuring cybersecurity risks. Ransomware attacks reported to the DFS nearly doubled in 2020 from the previous year, with costs continuing to rise.
Managing cyber risk continues to be a challenge for insurers, and according to the DFS, one that requires coverage offerings and pricing based on a careful assessment of an insured organization’s risk level…which isn’t news to experienced cyber carriers.
To manage their cyber insurance risk, however, the DFS recommends the following for property/casualty insurers that write cyber insurance (again, not news to serious cyber insurance carriers):
- Establish a formal cyber insurance risk strategy;
- Manage and eliminate exposure to silent cyber insurance risk;
- Evaluate systemic risk;
- Rigorously measure insured risk;
- Educate insureds and insurance producers;
- Obtain cybersecurity expertise; and
- Require notice to law enforcement.
Additionally, in line with the OFAC and FinCEN advisories from October 2020, the DFS recommends against, but does not prohibit, making ransom payments.
While experienced carriers are already implementing these recommendations (and others), smaller and less experienced insurance carriers should begin to build them into their process of writing and marketing their cyber insurance policies.
If you have any questions about the Framework, please contact Carolyn Purwin Ryan (267.930.6836), Maria Monastra (267.930.4602) or another one of our cybersecurity professionals.