N.Y. cyber rules could raise loss exposures for US insurers
The New York Department of Financial Services' new cyber security regulations have the potential to raise premium growth in cyber security and directors and officers liability insurance, but they could also raise loss potential for insurers, Fitch Ratings Inc. said Monday.
The rules, effective March 1, will cover over 3,000 financial institutions and make New York the first U.S. state to put cyber security regulations into place, the New York-based rating agency said in a statement.
“The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters,” Fitch said in the statement. “The rules require a director or senior officer to annually certify compliance with the regulations. If management and directors of financial institutions that experience future cyber incidents are subsequently found to be noncompliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.”
While cyber insurance premiums will rise, Fitch said that data on cyber claims, remediation costs and potential liability for insurers are limited, and this hinders the pricing of risk in the segment. Fitch said it “views substantial growth in stand-alone cyber coverage or higher portfolio concentration in cyber as a credit negative for insurers.”
Companies covered by the rules will be required to establish a formal cyber security program, adopt a written cyber security policy, encrypt data and conduct periodic tests of the system to identify potential vulnerabilities, among other requirements.
In addition, companies will have to designate a chief information security officer who will be responsible for overseeing the policy and reporting to the board at least twice a year.
Fitch said the new rules could set a wider template for other jurisdictions, given the large number of financial institutions operating in New York.
There is also potential for other state or federal cyber regulations passed in the future to conflict with New York's, Fitch said. The National Institute of Standards and Technology, a nonregulatory agency of the U.S. Department of Commerce, has several recommendations that differ from the NYDFS plan.
In a report published last August, Fitch said there were about $1 billion in direct written cyber security premiums by property/casualty insurers in 2015. However, this likely understated insurers' total cyber risk exposures through package policies that do not isolate specific cyber premiums, Fitch said.
Fitch said it believes that rapid cyber insurance growth is likely to continue and that new regulatory requirements could play a part in reinforcing the trend. Part of the NYDFS regulation is that a company has to notify the regulatory authorities within 72 hours of a cyber security event occurring, and cyber security insurance can help firms navigate notification laws, Fitch said.