On February 4, New York became the first state to issue guidance to insurers on cyber risk. The Department of Financial Services' Cyber Insurance Risk Framework is intended both for cyber insurers and for those whose policies include "silent cyber" - risk neither specifically covered nor excluded.
As posted on the JDSupra website (judsupra.com/legalnews/dfs-releases-its-cyber-insurance-risk-2384863/), DFS recommends seven practices:
- Establish a formal insurance risk strategy to measure cyber risk.
- Manage and eliminate "silent cyber" risk.
- Evaluate systemic risk for catastrophic events that could jeopardize insurer solvency.
- Develop a comprehensive plan to measure insureds' and prospects' cyber risk.
- Educate insureds on security procedures and services.
- Hire cybersecurity experts.
- Require clients to notify law enforcement of breaches.
Since New York is a major insurance center, it is likely these practices will be widely adopted. If that means increased attention to cyber security, insureds should welcome it and consider any additional cost as money well spent.