The New York State Department of Financial Services (DFS) issued a letter to the cyber insurance community on February 4, 2021 that should signal a warning to many other businesses seeking to obtain or keep their cybersecurity insurance.
The letter offers analysis of the cybersecurity supply chain and the risk a number of cyber insurance companies face from insuring companies that do not have adequate security controls in place to address their risk. The letter warns the insurance industry that cyber insurance paradoxically causes many companies to fail to implement meaningful security controls because they have insurance, and the insurance premiums may be less expensive to the insured than implementing the protections they should have. This, DFS argues, is unsustainable, and it urges the insurance industry to better evaluate its insureds and the risk they pose.
While DFS guidance is specific to the insurance industry, its impact will likely be more widespread because we believe many insurers will adopt this guidance and soon create more rigorous requirements to insure organizations against cyber-related loss. Should a company’s cyber insurance lapse, it faces significant loss exposure and could be in breach of numerous contracts. Thus, we believe it is important for an organization to ensure its cybersecurity program, policies and controls are reasonable for the risk it faces, comply with the new security requirements of NY SHIELD found at GBL 899-bb, and meet the representations it made when it applied for cyber insurance.
In particular, organizations seeking cyber insurance can soon expect to see their insurers rigorously measure the organization’s cyber-risk and implement a data-driven, comprehensive plan for measuring the insurance risk for each current and potential new insured. DFS describes the assessment process as follows:
This commonly starts with gathering information regarding the institution’s cybersecurity program through surveys and interviews on topics including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning and third-party security policies. The information should be detailed enough for the insurer to make a rigorous assessment of potential gaps and vulnerabilities in the insured’s cybersecurity. Third-party sources, such as external cyber risk evaluations, are also a valuable source of information. This information should be compared with analysis of past claims data to identify the risk associated with specific gaps in cybersecurity controls.
If carriers follow this guidance, the application process will seek to examine not just the policies, but also the controls in place to manage cybersecurity risk and the procedures and technologies in place to implement those policies and controls.
In our experience, many midsized organizations have security practices which they undertake on an ad hoc basis. They typically react to prior events and upgrade or change when opportunities present themselves. Implementing controls, endpoint monitoring, boundary defenses and incident response, and reviewing third-party security practices, takes a managed security program which differs substantially from an ad hoc approach. Identifying the required controls, incorporating them into a security program and documenting the procedures which implement those controls takes time and effort. This effort is compounded when extended to vendors in the organization’s cybersecurity supply chain.
If an organization fails to pass the risk testing performed by its potential insurance carrier, or passes the test but is then found not to have actually followed its written program, it risks being either denied coverage or having its claim disclaimed for misrepresenting its security defenses. This can cascade further because, if the program is found to be significantly lacking, the organization could be found to be in breach of contract with its customers. If it has federal contracts requiring security, it could be subject to claims under the False Claims Act or debarment from future contracts.
Harris Beach has a team of attorneys ready to help your organization improve its cybersecurity posture. We routinely work with security vendors, assessors and auditors to help organizations implement security programs that comply with the many cybersecurity regulations now enacted across different industries and geographical regions. Our attorneys are well versed in drafting policies and identifying the necessary controls to implement those policies. Depending upon your organization, we can also help on-board your organization to CyMetric, an automated platform that drafts both policies and controls to comply with different security or privacy regulations. This software solution is significantly less expensive to design than a custom program so it could make a lot of sense for your organization and can help with the decision process.
If you are interested in exploring the options your organization has to harden its security and data privacy requirements, contact Alan M. Winchester at 585 419-8713 or awinchester@harrisbeach.com.
This alert does not purport to be a substitute for advice of counsel on specific matters.
Harris Beach has offices throughout New York State, including Albany, Buffalo, Ithaca, Long Island, New York City, Rochester, Saratoga Springs, Syracuse and White Plains, as well as New Haven, Connecticut and Newark, New Jersey.