NY Cyber Rules Could Raise Loss Exposures for US Insurers
The implementation of the New York Department of Financial Service's new cybersecurity regulations has the potential to underscore premium growth in cyber-security insurance and directors and officers (D&O) insurance, but could also raise loss potential for insurers...
The rules, effective March 1, will cover over 3,000 financial institutions, making New York the first US state to put cybersecurity regulations into place. Companies covered by the rules will be required to establish a formal cybersecurity program, adopt a written cybersecurity policy, encrypt data and conduct periodic tests of the system to identify potential vulnerabilities, among other requirements. Furthermore, requirements will also include designation of a chief information security officer who will be responsible for overseeing the policy and reporting to the board at least twice a year.
The new regulation reflects the growing importance of cybersecurity and its relevance for regulators in the financial services industry. Financial institutions' exposure to cyber risk is prominent given the large volumes of private customer information stored within their systems that is attractive to hackers targeting corporate vandalism, identity theft or computer fraud.
Considering the large number of financial institutions operating in the New York jurisdiction, these rules could set a wider template for other jurisdictions. There is also potential for other state or federal cyber regulations passed in the future to conflict with New York's. Notably, the National Institute of Standards and Technology, a nonregulatory agency of the Department of Commerce, has several recommendations that differ from the NYDFS plan.
The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters. The rules require a director or senior officer to annually certify compliance with the regulations. If management and directors of financial institutions that experience future cyber incidents are subsequently found to be noncompliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.
Cyber insurance underwriting, separate from D&O, has been growing significantly over the past several years. In a special report titled "US Cyber Insurance Market Share and Performance," published last August, Fitch noted that there were approximately $1 billion in direct written cybersecurity premiums by property/casualty insurers in 2015. However, this likely understated insurers' total cyber risk exposures through package policies that do not isolate specific cyber premiums.
Fitch believes that rapid cyber insurance growth is likely to continue, and new regulatory requirements could play a part in reinforcing the trend. Part of the NYDFS regulation is that a company has to notify the regulatory authorities within 72 hours of a cybersecurity event occurring. Cybersecurity insurance can help firms navigate notification laws.
While cyber insurance premiums will rise, Fitch notes that data for cyber claims, remediation costs and potential liability for insurers are limited, and this hinders pricing risk in the segment. As such, Fitch views substantial growth in stand-alone cyber coverage or higher portfolio concentration in cyber as a credit negative for insurers.
Visit Fitch Ratings