Against the backdrop of the disruptions associated with the Covid-19 pandemic and SolarWinds cyber-espionage campaign, NYDFS has released guidance for insurers that underwrite cyber insurance policies and which contains a number of provisions expected to impact companies applying for or renewing cyber insurance coverage, not the least of which is a specific recommendation that insurers require insureds to report cybersecurity incidents to law enforcement. Although not technically a part of the seven-pronged Cyber Insurance Risk Framework, the NYDFS guidance includes a specific recommendation against making ransom payments in response to ransomware cybersecurity incidents.
The guidance sets forth a Cyber Insurance Risk Framework (the “Framework”) that provides best practices for managing cyber insurance risk amid NYDFS concerns that insurers are not able to accurately measure cyber risk, which may pose both systemic and “silent” risks to the financial sector. The guidance offers the extensive impact of the SolarWinds compromise as an example of systemic risk and both the SolarWinds compromise and the 2017 NotPetya incident as an example of silent risk, in which…
