Cyber InsuranceDFS February 2021 Guidance To Cyber Insurers

DFS February 2021 Guidance To Cyber Insurers

On February 4, 2021, the New York State Department of Financial Services (DFS) issued specific guidance to property/casualty insurers writing cyber insurance policies, known as the Cyber Insurance Risk Framework (“Framework”). The DFS promoted itself as the first US regulator in the nation to issue a specific guidance on cyber insurance, explaining the suggestions of the Framework are based on continued dialogue with the insurance industry and experts in cyber insurance regarding the shifting landscape of cybersecurity.

With the Covid-19 pandemic forcing companies to shift to an online workforce, cybercrimes, like ransomware and malware attacks, have drastically increased in frequency, severity, and cost to victimized companies. Cybercriminals use payments extorted from ransomware to fund more frequent and sophisticated ransomware attacks, emboldening them to target other organizations and widen their campaigns. The widespread use of ransomware has pressured cyber insurers to increase rates and tighten underwriting standards for cyber insurance.

The DFS advises New York regulated property/casualty insurers offering cyber insurance to establish a formal strategy for measuring cyber insurance risks that can be approved by a board or a governing entity. The Framework acknowledges that strategies should be proportionate with each insurer’s risk based on the insurer’s size, resources, geographic distribution, market share, and industries insured.  It is important to note the Framework constitutes a list of best practices and suggested approaches and does not yet constitute rules or regulations for the insurance industry.

The Cyber Insurance Risk Framework encourages cyber insurers to formalize a Cyber Insurance Risk Assessment Strategy that is managed by a governing body and establishes and/or formalizes qualitative and quantitative measures and goals for cyber risk that incorporate six best practices identified by DFS:

  1. Manage and Eliminate Exposure to “Silent” Cyber Insurance Risk

Cyber insurers should determine whether they are exposed to silent or non-affirmative cyber insurance risk, an insurer’s obligation to cover cyber incident losses under a policy that does not explicitly mention cyber incidents. The Framework suggests that insurers evaluate their silent risk exposure and take steps to minimize that exposure.

2. Evaluate Systemic Risk

Cyber insurers should conduct regular systemic risk evaluations and plan for potential losses. Increased reliance on third-party vendors has caused systemic risk to grow exponentially and thus, insurers should understand the third parties used by their insureds and model the effect of catastrophic cyber events that may result in simultaneous losses.

3. Rigorously Measure Insured Risk by Using Data

Cyber insurers should use a comprehensive, data-driven approach to assess their insured’s potential gaps and cybersecurity vulnerabilities.

4. Educate Insureds and Insurance Producers

Cyber insurers should educate their insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations of cyber insurance.

5. Obtain Cybersecurity Expertise

Cyber insurers can use strategic recruiting practices to hire employees with cybersecurity experience and invest in their training and development.

6. Require Notice to Law Enforcement

In the event of a cyberattack, cyber insurance policies should require victims notify and engage law enforcement agencies to help recover lost data and funds.

This guidance brings operational and other challenges to those in the property/casualty insurance market. It also adds new potential requirements to pass along to their insureds. For example, insureds may not know that their policy will require notification of law enforcement, and they may have reasons not to notify law enforcement, but if they choose not to it can lead to a coverage dispute.

Beckage advises those in the insurance industry on risk management, cybersecurity best practices and measures, third-party vendor management, and incident response.  Beckage also works with global clients to evaluate risk management, including opportunities to obtain various cyber and tech related coverage. We can be reached 24/7 via our data breach hotline at 844.502.9363 or IR@beckage.com.

Subscribe to our newsletter. 

*Attorney advertising – prior results do not guarantee future outcomes. 

DFSLessons Learned from DFS’s First Enforcement Action Under the DFS Cybersecurity Regulation

Lessons Learned from DFS’s First Enforcement Action Under the DFS Cybersecurity Regulation

The DFS Cybersecurity Regulation 22 NYCRR 500 (“Regulation”) requires businesses operating under NY banking, insurance, and finance laws to implement and maintain certain cybersecurity practices, including risk assessments, documentation of security policies, management of third-party providers, and set strict requirements for data breach reporting.  Even though the Regulations were issued in March 2017, they did not become fully effective until March of 2019, following a two-year phased implementation process.

On Wednesday, July 22, the Department of Financial Services (“DFS”) filed its first enforcement action against a leading title insurance provider alleging multiple violations of the Regulation.  This enforcement action provides important guidance to those covered entities subject to the Regulation and signals that the DFS is now ready to actively begin enforcing it.  This, of course, comes at an interesting time given the heightened risks and challenges organizations face because of the COVID-19 pandemic.

Enforcement Action Summary

The enforcement action at issue alleges that a vulnerability resulted in the exposure of millions of files that included consumers’ bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images.  Of note, the DFS alleges that the respondent:

1. Failed to follow its own policies to conduct a security review and risk assessment of the vulnerability and the exposed information.

2. Misclassified the vulnerability within the system as “low” severity and failed to investigate the vulnerability within its own defined time period.

3. Failed to conduct a reasonable investigation into the scope and cause of the exposure after the data exposure was discovered.

4. Failed to follow the recommendations of its internal cybersecurity team to conduct a further investigation into this vulnerability.

5. Did not implement centralized and coordinated training to protect against the unauthorized exposure of sensitive information.

The DFS alleges that these errors not only led to a data exposure that lasted a few years but also violated six provisions of the DFS’s Cybersecurity Regulation including:

1. Section 500.02 requiring a cybersecurity program informed by risk assessment

2. Section 500.03 requiring a written policy approved by a senior officer of the board of directors

3. Section 500.07 requiring access controls

4. Section 500.09 requiring periodic risk assessments

5. Section 500.14(b) requiring regular training

6. Section 50015 requiring encryption in transit and at rest

The Regulation is pursuant to Section 408 of the Financial Services Law, which carries penalties of up to $1,000 per violation in respect to a financial product or service, including title insurance. The DFS alleges that each instance of Nonpublic Information within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.  This action is scheduled for a hearing before NYDFS beginning on October 26, 2020.

The full DFS press release on its enforcement action is available here.

Lessons Learned

Businesses should follow their own policies, focus on employee training, and employ people who are well adverse in data security and privacy.

-Businesses should not underestimate the level of risk associated with vulnerabilities.

-Business must follow their own cybersecurity policies and related internal policies and procedures.  If representations are made throughout policies, it is critical that they are adhered to.  For example, if the policy commits to performing a risk assessment, it is imperative that the business carry out its commitment and perform the risk assessment.

-Vulnerabilities must be regularly reviewed and identified.  They must be taken seriously, and any security lapses must be addressed.

At Beckage, our lawyers are also technologists and are highly knowledgeable in cybersecurity and data privacy and regulatory compliance. We have worked with numerous businesses on DFS inquiries and regulatory compliance efforts including policy development and training.  Our team can help your company mitigate risks, while assessing the effectiveness of your cybersecurity program. Beckage will help you better understand the Regulation’s requirements and legal implications while also helping reduce risk and manage privacy matters.

*Attorney Advertising. Prior results do not guarantee a similar outcome.*

Subscribe to our newsletter.

Abstracts Black and White hallwayReminder – March 1, 2019 Deadline for Third-Party Vendor Policies

Reminder – March 1, 2019 Deadline for Third-Party Vendor Policies

Once again, March 1st nears. And with it comes a cybersecurity compliance milestone for those entities operating under New York’s insurance, finance and banking laws. This date now looms large thanks to the New York State Department of Financial Services (“DFS”) and its Cybersecurity Regulation (“Regulation”) first put into effect on March 1, 2017. Let’s breakdown what this means.

Who?

“Covered Entities” under the Regulation, includes those entities that are operating or are required to operate under the New York insurance, finance and banking laws.

What?

The next compliance milestone pertains to putting in place policies for Third Party Service Providers. The policies and procedures need to address the security of vendors who are accessing a Covered Entity’s systems or “non-public information” as addressed under the Regulation.

The policies shall be based upon a risk assessment and address, to the extent applicable:

1.     The identification and risk assessment of Third-Party Service Providers (as defined under the Regulation);

2.     Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;

3.     Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

4.     Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including to the extent applicable guidelines addressing:

1.     The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, as required by section 500.12, to limit access to relevant Information Systems and Nonpublic Information;

2.     The Third-Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

3.     Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third-Party Service Provider; and

4.     Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.

Note, the DFS has advised that it is insufficient to rely solely on the Certification of Compliance submitted by the Third-Party Service Providers to the DFS under the Regulation as their only means of evaluating their compliance with this milestone.  

What else?

There have been a number of milestones for Covered Entities to address since the Regulation went into effect on March 1, 2017.  

When?

The process of developing and implementing Third Party Service Provider policies can be cumbersome and time-consuming given to the complexity of the relationships your company may have with a variety of Third-Party Service Providers.

Begin as soon as possible, as there are often several components to the analysis and March 1, 2019 is nearing.

Why?

Because the DFS Regulation says so.

The contents of the Regulation,23 NYCRR Part 500, can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

How (to take Next Steps)?

Consult legal counsel to confirm whether your policies comply with the Regulation and other applicable laws.

The attorneys at Beckage PLLC can help you navigate through policy drafting the Third-Party Service Provider risk assessment and other regulatory compliance matters by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.  

DISCLAIMER: This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Black and White upward view of buildings in cityNext Compliance Milestone Approaches Under the NYS DFS Cybersecurity Regulation

Next Compliance Milestone Approaches Under the NYS DFS Cybersecurity Regulation

The New York State Department of Financial Services issued a Cybersecurity Regulation (23 NYCRR 500)(“Regulation”) that went into effect on March 1, 2017.  The Regulation carried with it several compliance milestones applicable to “Covered Entities” under the Regulation, which includes those entities that are operating or required to operate under the New York insurance, finance and banking laws.  

SUMMARY OF COMPLIANCE MILESTONES TO DATE

The Regulation first required Covered Entities to establish a number of Cybersecurity and IT policies and procedures by August 28, 2017.  Next,Covered Entities were required to submit a Certification to the Department of Financial Services by February 5, 2018, that they complied with the first milestone under the Regulation.  By March 1, 2018, the Regulation required Covered Entities to additional CISO reporting,Annual Penetration Testing and Vulnerability Assessments, Risk Assessments and implement Multi-Factor Authentication where necessary based on the results of the Risk Assessments.

The most recent milestone was on September 3, 2018.  Covered Entities were responsible for establishing audit trails to reconstruct material financial transactions creating policies and procedures around in-house developed applications and assessing the security of externally developed applications.  In addition, Covered Entities were required to establish policies on Data Retention limitations, continue Cybersecurity training and monitoring and develop procedures for the encryption of Non-Public Information that is transmitted over external networks and at rest, unless infeasible.  

NEW MILESTONE – MARCH 1, 2019 DEADLINE

The next compliance milestone pertains to Third Party Service Providers. This milestone must be met by March 1, 2019 and involves the oftentimes complex process of evaluating the Third-Party Service providers utilized by your company.  This process can be a cumbersome and time-consuming given to the complexity of the relationships your company may have with a variety of Third-Party Service Providers.  Accordingly, it is recommended that you begin this process as soon as possible as there are often several components to the analysis.  

SUGGESTED NEXT STEPS

Moving towards the March deadline, Covered Entities should assess the risk that each Third-Party Service Provider poses to their data and systems and then determine an effective solution to address those risks.  It is insufficient to rely solely on the Certification of Compliance submitted by theThird-Party Service Providers the DFS under the Regulation as their only means of evaluating their compliance with this milestone.  

Covered Entities should take steps to determine what, if any, Third Party Service Providers are being utilized by the company, evaluate them as it relates to security, and review the relevant policies and procedures. Covered Entities should consider whether or not it makes sense to require Third Party Service Providers to carry adequate insurance including Cyber Insurance to cover both the entity and the Covered Entity should a breach occur.  

ADDITIONAL INSIGHT INTO THE REGULATION

It is helpful to note that the DFS regularly answers FAQs pertaining to the DFS Cybersecurity Regulation that provide valuable insight.  The complete list of FAQs can be found at the following link: https://www.dfs.ny.gov/about/cybersecurity_faqs.htm

The contents of  23 NYCRR Part 500 can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

The attorneys at Beckage PLLC are fully equipped to help you navigate through the Third-Party Service Provider Risk Assessment and all other components required under the Regulation by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.  

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage. www.beckage.com.or info@beckage.com.

Attorney Adverting: Prior results to not guarantee a similar outcome.