If you can’t measure risk, you can’t solve it: why New York’s DFS created a ‘Cyber Insurance Risk Framework’
It is not often that a governmental entity lays bare the strategy for commercial success.
On February 4, 2021, the New York State Department of Financial Services (DFS) issued “Insurance Circular Letter No. 2 (2021)” to “All Authorized Property/Casualty Insurers” with the gentle title “Cyber Insurance Risk Framework.”
The letter outlined a cyber insurance risk framework to carriers in the hopes of helping stem the tide of cybersecurity incidents. DFS acknowledges the importance of cyber insurance and asserts that “cyber insurance plays a key role in managing and reducing cyber risk.”
We couldn’t agree more, and we’re not mad DFS shared the strategy because we’ve taken this approach since Coalition’s founding in 2017 when we shared our “(not so) secret master plan.”
DFS recognizes the need for a robust cyber insurance market and policies that can proactively and explicitly provide coverage for cyber risk. Towards that goal, DFS proposes its Cyber Insurance Risk Framework, aimed specifically at property and casualty insurance companies. The framework delineates the “best practices for managing cyber insurance risk,” focusing on “a rigorous and data-driven approach to cyber risk” by cyber insurers.
DFS accurately states that without this ability to measure risk, cyber insurers can actually increase the chances of an incident as policyholders will rely upon their carriers instead of creating a robust cybersecurity program.
Outline of the framework
Cyber insurance is just as important as commercial general liability coverage in 2021, if not more so. DFS expects the $3 billion cyber insurance market (2019) to jump to over $20 billion by 2025. These numbers don’t even include the cyber-related claims that are submitted under non-cyber insurance policies. We can confidently say Coalition meets all practices in the framework, not only for ourselves but for our customers.
Let’s explore each suggestion in the framework:
Establish a formal strategy for measuring cyber insurance risk - Coalition scans the entire internet to determine an organization’s cyber risk. We use that data to find gaps in overall cybersecurity and provide customized recommendations in the form of our Coalition Risk Assessment report.
Manage and eliminate exposure to silent cyber risk - Coalition is a full-service cyber insurance provider and affirmatively takes on cyber risk, so we don’t need to worry about silent cyber risk.
Evaluate systemic risk, especially when dealing with certain third-party service providers such as cloud storage and other entities that could create an aggregated loss based on one event - Through our Attack Surface Monitor, you can evaluate the cyber risk of third-party providers. This ensures your vendors and digital supply chain are safe and secure.
Rigorously measure insured risk using a data-driven and comprehensive approach to analyze the cyber risk of any insured or potential insured - Coalition’s innovative data-driven approach to measuring risk and unique underwriting capabilities have made us a leader in the field. We recently received Frost & Sullivan’s 2021 North American Cyber Insurance Technology Innovation Leadership Award in recognition of our dedicated effort to solve cyber risk.
Educating Insureds and Insurance Producers - We provide our brokers and policyholders with a wide variety of educational materials to help them understand their risk and learn how to manage it effectively. We offer helpful articles, blog posts, PDFs, videos, webinars — even personal meetings with our team for free.
Obtain Cybersecurity Expertise - Our in-house experts come from diverse backgrounds, including three-letter agency alumni and veterans of leading security firms and businesses, and bring serious cybersecurity and forensics incident response experience.
Require Notice to Law Enforcement - We have strong relationships with various law enforcement agencies and work closely with them to investigate cyber incidents and claims, helping organizations bounce back quickly.
NY DFS is hoping to protect insurance carriers from taking on silent cyber risk while also giving them a blueprint to help reduce cyber crime and cyber risk for their policyholders. If an insurance carrier is not following this framework, they are putting their policyholders at risk.
Not just for carriers
This framework is not just good for carriers to review but for prospective insureds and broker business partners as well. They can leverage it while reviewing their carrier relationships to ensure that their chosen cyber insurance provider has the most appropriate cyber insurance coverage for their needs.
Coalition has been following this framework since day one. Our policy is explicit in its coverage for cyber risk, and our proprietary scans and security tools are specifically designed to evaluate the cyber risk of our insureds, prospective insureds, and even their service providers. We aggregate this data and additionally look at risk based upon industry, employee count, and various other metrics to determine what type of risk a company has and what steps can be taken to reduce their exposure.
Coalition's unique approach
One of the most amazing things that I’ve seen at Coalition was when we notified an insured of a potentially latent compromise on their network — basically, we discovered a hacker in their network who had installed malware that was silent but could be activated at any time to steal data. We got buy-in from their IT team to install an endpoint detection & response (EDR) solution that was able to literally detect and stop the attempted deployment of ransomware a week later.
This is a rigorous and data-driven approach to cyber insurance where Coalition continuously evaluates the risk of our insureds to help keep them incident-free. One of the things I often say to my insureds is, “It was great talking to you, but I hope we never talk again.”
Coalition is here for the good days and most certainly here for the bad days, where we can leverage our expertise to help get businesses back up and running as quickly and efficiently as possible.
Education is key
I think one of the bigger parts of the framework is education. We cannot solve cyber risk on our own, so we have regular webinars and presentations for our policyholders and broker business partners. You can also reach out to our security and claims team with questions about your policy, how Coalition keeps your business safe, and if there is anything you should fix or remediate on your network even absent a security failure or data breach.
NY DFS has provided a foundational framework for how insurance companies should manage cyber risk and focuses on basic cyber hygiene and security risk management — which is exactly why Coalition has lower claims frequency, lower claim costs, and safer insureds than other insurance carriers in the marketplace.