On February 4, 2021, the New York Department of Financial Services (NYDFS) issued Circular Letter No. 2 announcing a Cyber Insurance Risk Framework (the Framework) that describes industry best practices for New York-regulated property/casualty insurers. Issuance of the Framework is notable as it represents the first official guidance by a U.S. regulator concerning the increasingly critical issue of cyber insurance. And while circular letters do not establish new legal requirements or have the force of law, they do set forth the department’s interpretation of the requirements of existing laws and regulations.1
Background
According to NYDFS, the department released the Framework now because of the increase in the frequency and cost of ransomware attacks and the shift online that many have made due to COVID-19, two trends that have resulted in a massive increase in cyber risk around the world, with associated increases in concrete instances of cybercrime. In the accompanying press release, NYDFS Superintendent Linda A. Lacewell stated that cybersecurity is the biggest risk for government and private organizations and described how the Framework is based on “extensive…