With the rampant increase in cyber-attacks, the need for cyber insurance as a means of protection has arguably never been higher. The World Economic Forum listed cybersecurity failure among the highest-likelihood risks in its Global Risks Report 2021. Ransomware attacks increased by 150% in 2020, with the amounts paid by victims increasing by over 300%. A study from the Ponemon Institute indicates that over 76% of US small and medium businesses (SMBs) experienced a cyberattack in the past year. The rising frequency of these incidents is bound to increase the demand for cyber insurance. In response, insurance regulators have stepped up their efforts to mitigate cyber risk and protect businesses by regulating and monitoring insurers and their cyber product offerings.
Context of regulation
Cyber insurance helps businesses safeguard against breach incidents and provides coverage for the associated costs, including regulatory fines. In the US, federal and state insurance regulators have recommended cyber insurance regulations to protect key industries against cyber threats. The types of regulation and their impact vary greatly, from simple data collection or periodic reporting of risk exposures to requirements that insurers understand and clearly state the inclusions and exclusions in a cyber insurance product.
The role of regulators in cyber insurance
The Cybersecurity Information Sharing Act, passed in 2015, was one of the first federal laws in this area; it enables the sharing of cyber threat information (threat indicators and defensive measures) between private companies and the federal government, with personal information to be removed before sharing. Many states have enacted their own legislation to address cyber risks in depth, from exclusions to penalties. The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, finalized in 2017, was endorsed by the US Treasury Department, which urged states to adopt it within five years. The model law establishes data security standards and data breach investigation and notification processes for insurers. Currently, 19 states have adopted it, seven of them in 2021. States have also enacted privacy laws, such as the California Consumer Privacy Act (CCPA) and New York's SHIELD Act, while other states such as Maine and Nevada have passed online privacy laws with General Data Protection Regulation (GDPR)-like provisions. All 50 US states have data breach notification laws that must be complied with when consumers' personally identifiable information (PII) is compromised. A few states, such as Connecticut, Maine, and New Hampshire, have gone further and added requirements specifically for insurers to notify the state's insurance department.
With the spate of ransomware attacks, the Office of Foreign Assets Control (OFAC) has issued a ransomware advisory discouraging ransomware payments and warning that facilitating a payment to a sanctioned person or jurisdiction may violate US sanctions law, regardless of whether the payer knew the recipient was sanctioned. New York State has proposed a bill, currently under review, that would bar businesses from paying a ransom in the event of a ransomware attack. Cyber insurance regulation is expected to expand toward such measures, along with strict enforcement through fines for non-compliance.
What regulations mean for insurers
Cyber-attacks are continuously evolving in sophistication, from phishing and data-encrypting malware to ransomware-as-a-service. Because they can pose a systemic threat, regulators expect insurers to acquire cybersecurity expertise and keep up with market trends. Consequently, insurers are partnering with cybersecurity companies to assess the risks of prospective insureds and to obtain advice on compliance. This helps them underwrite cyber risk with appropriate inclusions, exclusions, or sub-limits for cyber-related losses and comply with regulatory requirements.
Wake-up call for SMBs
SMBs generally lack cyber expertise or the budget for a cybersecurity program. According to a recent survey, only 20% of SMBs have cyber insurance. Insurers with cyber expertise and their cyber ecosystem partners are well placed to guide SMBs and may act as their risk advisors. Apart from regulations, supporting guidelines have evolved to help businesses implement adequate cybersecurity controls. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is one of the early initiatives for cybersecurity awareness among SMBs. The Cyber Insurance Risk Framework was also recently introduced by the New York State Department of Financial Services (NYDFS). These frameworks help SMBs meet cybersecurity compliance requirements and understand their risk exposure. In July 2021, Connecticut enacted a law that incentivizes businesses by granting safe harbor protection to those that adopt any of the industry-recognized cybersecurity frameworks. Another initiative is the Cyberspace Solarium Commission report, which recommends that state regulators develop certifications for cyber insurance products. Such certifications would help consumers and insureds understand the level of protection offered by an insurance product and its compliance with applicable laws.
The way forward
Regulations aim to reduce threats and improve the cyber risk environment. They may even require businesses to have cybersecurity solutions and data privacy standards in place before seeking insurance. Although these requirements may increase the cost of obtaining insurance, they bode well for the cyber insurance industry in the long term. Cybersecurity controls and data privacy standards prevent losses and help the insurance industry take on cyber risk in a meaningful way. Cyber insurance regulation is bound to influence the future course of the industry for the better, driving stronger cybersecurity measures, wider adoption of cyber insurance, and better-tailored insurance products.