NYSDFS’s Cyber Insurance Risk Framework Responds to the “Urgent Challenge” of Managing Cyber Risk


By: Curt Graham

New York’s Department of Financial Services (“DFS”) recently issued its Cyber Insurance Risk Framework, which details seven best practices for managing cyber insurance risk. The Framework can be found here. One of the primary drivers for this guidance is the rising frequency of ransomware attacks, with the global cost of ransomware estimated at $20 billion in 2020 alone.

The DFS joins the Office of Foreign Assets Control (“OFAC”) in recommending against making ransom payments in the event of a ransomware attack. Several justifications are offered for this recommendation. First, there is no guarantee that a victim will regain access to their data even if the ransom is paid. Second, ransom payments will almost certainly be used to fund more sophisticated attacks. Third, carriers and their policyholders risk violating OFAC sanctions if a ransom is paid.

The DFS’s bulletin also points out various deficiencies in the way cyber risk is currently assessed and priced by the insurance industry. In response, the DFS’s Framework identifies seven practices that all authorized property and casualty insurers writing cyber insurance should adopt: establishing a formal cyber insurance risk strategy, managing and eliminating exposure to silent cyber insurance risk, evaluating systemic risk, rigorously measuring insured risk, educating insureds and insurance producers, obtaining cybersecurity expertise, and requiring notice to law enforcement. Additional details on each practice can be found in the link above.

This Framework applies to all carriers writing insurance in New York. But its reach is far greater, as the DFS’s regulations also require regulated insurers to vet the cyber readiness of their vendors who may be located outside of New York. Given the vast reach of these regulations, any entity doing business with a DFS-regulated entity is well served by keeping an eye on DFS guidance such as the Cyber Insurance Risk Framework.

If you have questions or would like more information, please contact Curt Graham at