New York DFS Circular Letter No. 2 (2021): Cyber Risk Framework for Property & Casualty Insurers

A link to the letter is here.

This circular letter was issued in light of the recent substantial increase in ransomware attacks, including the SolarWinds-based cyber-espionage campaign. It is suspected that the increase in cyber-attacks has resulted primarily from the COVID-19 pandemic, which has shifted more people’s work and lives online.

There are two aspects of this DFS circular letter that are critically important for property and casualty insurers, and their insureds, to consider. First, DFS emphasized the “silent risk” that exists in many non-cyber insurance policies. This relates to exposure for cyber risks under property and casualty policies that do not explicitly provide coverage for, or exclude, cyber incidents. The DFS circular letter noted that, according to a global survey in the second quarter of 2020, 65% of underwriters were concerned about cyber coverage exposure in property/casualty policies that do not explicitly cover cyber risks.

An example provided in the circular letter was the 2017 NotPetya global cyber attack, which led to $3 billion in insurance claims, of which $2.7 billion were made under property/casualty policies that were silent about cyber risks. Property and casualty insurers should review their policy forms and make sure that they explicitly address whether they provide coverage for, or exclude, cyber incidents. This can be achieved through an endorsement of the policy. It is unclear whether this circular letter will result in amendments to the cybersecurity regulations enacted in 2017 (23 NYCRR Part 500).

In addition, insurers should price their policies according to whether they do, or do not, provide coverage for cyber incidents. And insureds should seek the advice of coverage counsel to determine whether they should make a claim for coverage for a cyber incident that they experience under their property and casualty policies that are silent on the issue of cyber events. Moreover, insureds entering into agreements that require one or more of the parties to have adequate insurance coverage, including cyber insurance, should consult counsel about (a) the scope of coverage required by the agreement, and (b) the type of insurance policy that would satisfy that contractual requirement, in order to avoid non-coverage for a potentially “silent” cyber loss.

Second, the circular letter stated that the “DFS recommends against making ransom payments.” According to DFS, “[r]ansom payments fuel the vicious cycle of ransomware, as cybercriminals use them to fund ever more frequent and sophisticated ransomware attacks.” The circular letter references an October 2020 guidance by the Office of Foreign Assets Control (OFAC), stressing the national security risk posed by ransom payments, and stating that intermediaries — including insurers — can be liable for ransom payments made to sanctioned entities. In this regard, we note that many cyber insurance policies provide coverage for ransom payments made by the insureds to cybercriminals. Many such insurance policies also contain an exclusion that would apply where coverage for the ransom payment would be prohibited by law.

Cyber insurers whose policies provide coverage for ransom payments should seek legal advice from competent counsel as to whether paying a ransom demand directly, or indemnifying its insured for a ransom payment, would be a violation of the law that could (a) result in a voluntary payment under the insurance policy that may not be recouped by the insurer from the insured, and (b) expose the insurer to criminal liability, fines, and regulatory sanctions. Insureds, in turn, should also seek legal advice on whether they should make a ransom payment, as they could have their own criminal and regulatory exposure for making a payment to an entity included on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List.