ARN

New York issues cyber insurance framework as ransomware, SolarWinds costs mount

State looks to protect one of its core industries, which is threatened by mounting and potentially "unsustainable" losses due to the SolarWinds and ransomware attacks

On February 4, 2021, New York became the first state in the US to issue a cyber security insurance risk framework to all authorised property and casualty insurers.

In releasing the framework, New York's Department of Financial Services (DFS) said that "from the rise of ransomware to the recently revealed SolarWinds-based cyber-espionage campaign, it is clear that cyber security is now critically important to almost every aspect of modern life – from consumer protection to national security."

The framework applies to all property or casualty insurers that write cyber security insurance. However, the DFS wants all insurers, even though those that don't offer cyber security insurance, to "still evaluate their exposure to 'silent risk' and take appropriate steps to reduce that exposure."

DFS advises against paying ransom demands

Noting that ransomware insurance claims jumped by 180 per cent from 2018 to 2019 and doubled from 2019 to 2020, DFS advised insurers to not make ransomware payments for three reasons:

  1. The US Treasury Department's Office of Foreign Assets Control (OFAC) warns of the national security implications of paying a ransom, saying that insurers can be liable for ransom paid to sanctioned entities.
  2. Even if insurers do pay a ransom it does not guarantee the victims will get their encrypted files or stolen data back.
  3. Many insurers are not yet able to accurately measure cyber security risk. Without that gauge, “cyber insurance can therefore have the perverse effect of increasing cyber risk – risk that will be borne by the insurer."

For comparison, the damaging NotPetya malware unleashed by the Russian government in 2017 led to $3 billion in insurance claims, of which insurers paid $2.7 billion under policies that were silent about cyber security risks, DFS states.

The framework itself is short and spells out a series of practices to help insurance companies manage their risk. These practices fall under seven categories:

  1. Establish a formal cyber insurance risk strategy
  2. Manage and eliminate exposure to silent cyber insurance risk
  3. Evaluate systemic risk
  4. Rigorously measure insured risk
  5. Educate insureds and insurance producers
  6. Obtain cyber security expertise
  7. Require notice to law enforcement

Significant underwriters already following DFS recommendations

Major carrier-underwriters such as AIG and Zurich have mostly been following these recommendations already, according to Meredith Schnur, managing director, US cyber brokerage leader at Marsh USA, tells CSO. "This DFS guidance absolutely makes a ton of sense, but the underwriters have already been implementing [similar] practices and procedures to try to get in front of the challenge of ransomware," she says.

New York could lead the way for other states and even the federal government to implement similar frameworks. "You will see some states piggyback and copycat in their own way. On some of these practices, you will see federal guidelines. But New York is unique, and they're unique from a financial services perspective," given the state's status as the financial hub of the United States, Schnur says.

SolarWinds remediation costs could be high

SolarWinds, which installed malicious backdoors in potentially thousands of organisations, is an example of a "systemic risk" that could damage many insureds simultaneously, potentially swamping insurers with massive and possibly unsustainable costs. The DFS said when releasing the risk framework that it is still assessing the cost of the espionage campaign but "given the number of impacted organisations the total remediation costs are likely to be substantial."

The callout to SolarWinds in the DFS framework "highlights that underwriting companies should be managing their risks, their exposure to systemic events," Brent Leith, US practice leader, E&O and Cyber Liability of AON, tells CSO. "It's important for them to be thinking about that as they consider exposing their capital by offering insurance to such a wide range of insureds."

Most of the expenses incurred in SolarWinds remediation to date are the events management or crisis management expenses that arise in the investigatory stage of remediation.

These costs include finding out "where it was, how it got in, where it could be, where it could go, is there any kind of data exfiltration, has there been any access to any data," Schnur says. "It's way too early in the process to even get any sense of the numbers."

"At a minimum, those companies are likely going to engage breach counsel, an incident response firm, to help them conduct an investigation," Leith says. "They may opt to notify law enforcement. There are costs associated with even those initial steps."

"I say it's early to tell [what the total costs might be], depending on what's discovered during the investigative process. I would go so far as saying that we won't know the full effect from a loss perspective for quite some time."

Insurers already eyeing SolarWinds exclusions

Underwriters began posing questions about SolarWinds around January 1, Schnur says, asking organisations if they were affected, if they were remediating any infections and if they were conducting investigations. Some underwriters have honed in on SolarWinds, including firms that range from the smallest to the largest underwriters.

They ask questions, and "if the questions do not come back satisfactory, there are exclusions placed on policies. That's what we see six to eight weeks out from the incident." These exclusions are very broad brush saying that any future claims related to, or based upon, or arising out of SolarWinds would not be covered under the policy.

"From a broker's perspective, it is problematic to have exclusionary wording on policies going forward," Schnur says. "If we're going to accept an exclusion, we're going to narrow it as much as we possibly can."

"We've seen a few exclusions proposed by insurers," Leith says. "I don't know that we've placed many or any policies with that exclusion actually added or a similar exclusion added."

The big concern about any SolarWinds-type exclusion is the precedent it would set. "I think there could be some longer-term implications in terms of the language being somewhat precedent-setting, something that could be replicated for the next type of a SolarWinds event, whatever that may look like," Leith says.

"If it says anything resulting from, arising out of, or related to the SolarWinds Orion vulnerabilities, that's where you start to get into problems. Because it could be that the threat actor is the common threat element, maybe it's something somewhat unrelated to the use of their software.

But because it's the same threat actor using a similar tactic, say, utilising back doors to access an environment, that could be considered related. Those are the problems anytime we're introducing sweeping exclusions that could prevent the policy from performing the way the insured expects it to," Leith warns.