Recently, the New York Department of Financial Services (“DFS”) issued two memoranda addressing the ongoing increase in cyberattacks. The first provides best practices for insurance entities with regard to cyber insurance.[1] The second deals with the surge in benefits fraud that has been ongoing since the beginning of the COVID-19 pandemic and gives directions on how regulated entities can best secure data.[2]
DFS Guidance Provides a Cyber Insurance Risk Framework
On February 4, 2021, DFS published a letter addressing the risks that cyber insurance companies face and issued guidance for these companies. Its stated goal is to “facilitate the continued growth of a sustainable and sound cyber insurance market.”[3] DFS noted that cyber insurance is an important tool through which companies can mitigate cyber risk, especially as the frequency and cost of ransomware attacks have increased. The global cost of ransomware was approximately $20 billion in 2020.[4] DFS continues to recommend that companies not make ransomware payments, although there is currently no per se proscription against doing so.[5]
One obstacle that cyber insurers face is that cyber insurance is a fairly new area of insurance, and insurers are often unable to assess risk accurately. The DFS guidance notes that cyber risk varies significantly based on the quality of the insured’s cybersecurity program. DFS has expressed concern that companies may take advantage of the inability of insurers to accurately assess cyber risk, preferring to let insurance pay for the cost of cyber incidents rather than improve their own cybersecurity.
The guidance notes two main areas that insurers should take note of: (1) preparation for a widespread cyber incident and (2) loss from “non-affirmative” or “silent” risk, which is the risk insurance companies face of insureds making claims under policies that do not explicitly include or exclude cyber coverage. This “non-affirmative” or “silent” risk can lead to insurers covering cyber-related losses that they had not intended to include in their insurance policy.
Due to these concerns, DFS issued a “Cyber Insurance Risk Framework,” listing out best practices for insurers to follow with regard to cyber insurance:
- Establish a Formal Cyber Insurance Risk Strategy
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk
- Evaluate Systemic Risk
- Rigorously Measure Insured Risk
- Educate Insureds and Insurance Producers
- Obtain Cybersecurity Expertise
- Require Notice to Law Enforcement[6]
DFS Recommends Steps to Secure Data for Companies that Display Nonpublic Information
On February 16, 2021, DFS issued separate guidance regarding increased attempts to fraudulently access Nonpublic Information (NPI), caused in part by rising fraud activity tied to the COVID-19 pandemic. The stolen information has then been used to submit fraudulent claims for unemployment and other pandemic-related benefits. The superintendent of DFS noted that “[c]yber criminals are creative and tenacious, and continue to look for new ways to exploit us during an already vulnerable time.”[7] These attempts to access NPI are focused on public-facing websites that provide NPI, in particular websites that display an instant quote, such as an auto insurance rate. Attackers appear to be focused on accessing driver’s license numbers.
In its guidance, DFS presses all regulated entities with public-facing websites, especially Instant Quote Websites, to look for evidence of fraudulently accessed information. Two main ways to determine if a website has been hacked are to review (1) website traffic for spikes in quote requests, especially those that are abandoned as soon as NPI is displayed, and (2) server logs to determine if there has been unauthorized access of NPI. DFS also notes that these two suggestions are not an exhaustive list of detection methods. If a regulated entity has found evidence of a hack, it should fix any security flaws that allowed the attack, report the hack pursuant to 23 NYCRR Section 500.17(a) as soon as possible, and follow its other normal reporting procedures.
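As an added illustration of the two detection methods above (this is example code written for this post, not anything published by DFS), the following script runs over a few constructed web-server log lines and flags (1) minutes in which quote requests spike above the baseline and (2) client addresses that pull many quotes and abandon nearly all of them. The log format is the common Apache/nginx style; the paths /quote (the page that renders the quote and, in the scenario DFS describes, the NPI) and /quote/purchase (the step a genuine shopper takes next) are assumptions, as are the thresholds.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample access-log lines (common log format); not real traffic.
# Paths are assumptions: /quote renders the quote page, /quote/purchase is the
# follow-through step a genuine shopper takes.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2021:10:00:01 +0000] "POST /quote HTTP/1.1" 200 1532
203.0.113.7 - - [16/Feb/2021:10:00:40 +0000] "POST /quote/purchase HTTP/1.1" 302 0
203.0.113.21 - - [16/Feb/2021:10:02:12 +0000] "POST /quote HTTP/1.1" 200 1528
192.0.2.44 - - [16/Feb/2021:10:03:05 +0000] "POST /quote HTTP/1.1" 200 1530
192.0.2.44 - - [16/Feb/2021:10:03:50 +0000] "POST /quote HTTP/1.1" 200 1530
192.0.2.44 - - [16/Feb/2021:10:03:58 +0000] "POST /quote/purchase HTTP/1.1" 302 0
198.51.100.9 - - [16/Feb/2021:10:05:01 +0000] "POST /quote HTTP/1.1" 200 1541
198.51.100.9 - - [16/Feb/2021:10:05:03 +0000] "POST /quote HTTP/1.1" 200 1539
198.51.100.9 - - [16/Feb/2021:10:05:05 +0000] "POST /quote HTTP/1.1" 200 1544
198.51.100.9 - - [16/Feb/2021:10:05:07 +0000] "POST /quote HTTP/1.1" 200 1540
198.51.100.9 - - [16/Feb/2021:10:05:09 +0000] "POST /quote HTTP/1.1" 200 1538
198.51.100.9 - - [16/Feb/2021:10:05:11 +0000] "POST /quote HTTP/1.1" 200 1542
malformed line that the parser skips
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

QUOTE_PATH = "/quote"              # hypothetical quote-display endpoint
CONTINUE_PATH = "/quote/purchase"  # hypothetical follow-through endpoint

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["minute"] = entry["ts"][:17]  # "16/Feb/2021:10:00:01 +0000" -> "16/Feb/2021:10:00"
    return entry


def per_ip_stats(lines):
    """Count, per client IP, how many quotes were displayed and how many were followed through."""
    stats = defaultdict(lambda: {"displayed": 0, "continued": 0})
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == QUOTE_PATH and e["status"] == 200:
            stats[e["ip"]]["displayed"] += 1
        elif e["path"] == CONTINUE_PATH:
            stats[e["ip"]]["continued"] += 1
    return dict(stats)


def abandonment_rate(s):
    """Fraction of displayed quotes that were never followed through."""
    if s["displayed"] == 0:
        return 0.0
    return 1 - min(s["continued"], s["displayed"]) / s["displayed"]


def suspicious_ips(lines, min_quotes=5, min_abandon_rate=0.9):
    """IPs that requested at least `min_quotes` quotes and abandoned nearly all of them."""
    return sorted(
        ip for ip, s in per_ip_stats(lines).items()
        if s["displayed"] >= min_quotes and abandonment_rate(s) >= min_abandon_rate
    )


def quote_spikes(lines, factor=3.0):
    """Minutes whose quote-request count exceeds `factor` times the median minute."""
    per_minute = Counter()
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == QUOTE_PATH:
            per_minute[e["minute"]] += 1
    if not per_minute:
        return []
    baseline = median(per_minute.values())
    return sorted(m for m, n in per_minute.items() if n > factor * baseline)


if __name__ == "__main__":
    print("spike minutes:", quote_spikes(SAMPLE_LINES))
    print("suspicious IPs:", suspicious_ips(SAMPLE_LINES))
```

On the sample data the script reports one spike minute and one address that displayed six quotes and completed none. In a real deployment the thresholds would be tuned against historical traffic, and a hit would be the starting point for the log review and reporting steps the guidance describes, not a verdict on its own.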
DFS recommends that entities first reconsider whether it is necessary to display NPI to users at all. If an entity determines that it must display NPI, DFS recommends the following steps to secure the data:
- Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.
- Review public-facing websites for browser web developer tool functionality. Verify and, if possible, limit the access that users may have to adjust, deface, or manipulate website content using web developer tools on the public-facing websites.
- Review and confirm that its redaction and data obfuscation solution for NPI is implemented properly throughout the entire transmission of the NPI until it reaches the public-facing website.
- Ensure that privacy protections are up to date and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
- Search and scrub public code repositories for proprietary code.
- Block the IP addresses of the suspected unauthorized users and consider a quote limit per user session.[8]
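To make two of these steps concrete, the redaction of NPI before it reaches the public-facing website and the per-session quote limit, here is a small added example (written for this post; it is not code from DFS or from any insurer). The NPI field names, the masking rule (keep only the last two characters), the limit of three quotes per session and the sample record are all assumptions; the letter names no specific fields or numbers.

```python
import json
from collections import defaultdict

# Hypothetical NPI field names and masking rule; the DFS letter specifies neither.
NPI_FIELDS = {"driver_license", "date_of_birth"}
MAX_QUOTES_PER_SESSION = 3  # hypothetical limit; the letter suggests a limit but sets no number

# Constructed sample record as it might come back from a rating system; not real data.
SAMPLE_RECORD = {
    "name": "A. Sample",
    "driver_license": "D1234567",
    "date_of_birth": "1985-04-12",
    "premium": 812.50,
}


def mask(value, keep=2):
    """Replace every character except the last `keep` with '*'."""
    s = str(value)
    hidden = max(len(s) - keep, 0)
    return "*" * hidden + s[hidden:]


def redact_record(record):
    """Mask NPI fields on the server so the raw values never reach the browser."""
    return {k: (mask(v) if k in NPI_FIELDS else v) for k, v in record.items()}


def leaks_npi(body, record):
    """True if any raw NPI value from `record` appears verbatim in the outgoing body."""
    return any(str(record[k]) in body for k in NPI_FIELDS if k in record)


class QuoteService:
    """Serves quotes while enforcing a per-session quote limit and redacting NPI."""

    def __init__(self, max_per_session=MAX_QUOTES_PER_SESSION):
        self.max_per_session = max_per_session
        self.counts = defaultdict(int)  # in-memory; a real deployment would use a shared store

    def quote(self, session_id, record):
        """Return the response the browser would receive for one quote request."""
        self.counts[session_id] += 1
        if self.counts[session_id] > self.max_per_session:
            return {"status": 429, "payload": {"error": "quote limit reached for this session"}}
        payload = redact_record(record)
        body = json.dumps(payload)
        # Last line of defence: refuse to send a body that still carries raw NPI.
        assert not leaks_npi(body, record), "raw NPI would have left the server"
        return {"status": 200, "payload": payload, "body": body}


if __name__ == "__main__":
    svc = QuoteService(max_per_session=2)
    for _ in range(3):
        print(svc.quote("session-abc", SAMPLE_RECORD))
```

The redaction happens in the server-side handler, not in browser JavaScript, which is the point of the guidance's third bullet: if the full driver's license number is only masked in the page's client-side code, it is still present in the response and can be read with ordinary developer tools. The `leaks_npi` check is the kind of assertion worth keeping in the service's test suite.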
Takeaways
The DFS has led the way in cybersecurity regulation and continues to take an active role in providing guidance and setting expectations for regulated entities. As in years past, DFS’s views often foreshadow the positions of other regulators. All companies should consider and potentially incorporate the ongoing guidance from the DFS to the extent applicable, which can help mitigate business risks of cyberattacks and enforcement risks in the event of an incident.
[1] Insurance Circular Letter No. 2: Cyber Insurance Risk Framework, New York State Department of Financial Services (Feb. 4, 2021), https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02#_edn10.
[2] Industry Letter: Cyber Fraud Alert, New York State Department of Financial Services (Feb. 16, 2021), https://www.dfs.ny.gov/industry_guidance/industry_letters/il20210216_cyber_fraud_alert.
[3] Insurance Circular Letter No. 2: Cyber Insurance Risk Framework.
[4] Ben Kochman, Regulators Are Homing In On Perils Of Ransomware Payouts, Law360 (Feb. 12, 2021), https://www.law360.com/cybersecurity-privacy/articles/1354297/regulators-are-homing-in-on-perils-of-ransomware-payouts.
[5] Companies must still comply with other legal obligations when making any such payments, including sanctions and anti-money laundering laws. See Alexis Collins, Chase D. Kaniecki & Samuel H. Chang, OFAC and FinCEN Issue Advisories on Cyber Ransom Payments, Cleary Gottlieb (Oct. 6, 2020), https://www.clearycyberwatch.com/2020/10/ofac-and-fincen-issue-advisories-on-cyber-ransom-payments/.
[6] Insurance Circular Letter No. 2: Cyber Insurance Risk Framework.
[7] Press Release: Department of Financial Services Announces Cybersecurity Fraud Alert, New York State Department of Financial Services (Feb. 16, 2021), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202102161.
[8] Industry Letter: Cyber Fraud Alert.