In what the New York Department of Financial Services (NYDFS) is touting as the first guidance by a U.S. regulator on cyber insurance, NYDFS announced on February 4, 2021, in Insurance Circular Letter No. 2 (2021), that it has issued a new Cyber Insurance Risk Framework (Framework) addressed to authorized property/casualty insurers that write cyber insurance. Nonetheless, NYDFS states “property/casualty insurers that do not write cyber insurance should still evaluate their exposure to ‘silent risk’ and take appropriate steps to reduce that exposure.”

The Framework consists of seven practices that “all authorized property/casualty insurers that write cyber insurance should employ,” while stating that “[E]ach insurer should take an approach that is proportionate to its risk.” The seven practices include:

  • Establish a Formal Cyber Insurance Risk Strategy
  • Manage and Eliminate Exposure to Silent Cyber Insurance Risk
  • Evaluate Systemic Risk
  • Rigorously Measure Insured Risk
  • Educate Insureds and Insurance Producers
  • Obtain Cybersecurity Expertise
  • Require Notice to Law Enforcement

The Framework was issued against the backdrop of the growth of the cyber insurance market and the increase in cyber risks and payouts, with NYDFS observing that “it is clear that cybersecurity is now critically important to almost every aspect of modern life—from consumer protection to national security.” NYDFS recognizes that “as cyber risk has increased, so too has risk in underwriting cyber insurance.” Statistics cited in the Framework include that, based upon a survey it developed, from early 2018 to late 2019, “the number of insurance claims arising from ransomware increased by 180%, and the average cost of a ransomware claim rose by 150%. Moreover, the number of ransomware attacks reported to DFS almost doubled in 2020 from the previous year…[T]he global cost of ransomware was approximately $20 billion in 2020.”

NYDFS cautions that insurers “are not yet able to accurately measure cyber risk” and that, before offering that line of product to certain organizations, insurers should assess the risk of the insured.

NYDFS calls the growing cyber risk “an urgent challenge for insurers.”