The New York State Department of Financial Services on Thursday issued cyber insurance guidance to all property/casualty insurers doing business in the state.

In the guidance, the regulator advises New York-regulated property/casualty insurers offering cyber coverage to establish a formal strategy for measuring cyber insurance risk that is directed and approved by their board or other governing entity.

This strategy should be proportionate with each insurer’s risk based on its size, resources, geographic distribution and other factors, the department of financial services said.

It also recommends against making ransom payments.

“Cybersecurity is the biggest risk for government and industry, bar none. Cyber insurance is critical to managing and reducing the extraordinary risk we face from cyber intrusions,” New York State Department of Financial Services Superintendent Linda Lacewell said in a statement.

“After extensive dialogue with industry and experts, we are issuing guidance to foster the growth of a robust cyber insurance market that can effectively help protect us against the growing cyber threats we face,” Ms. Lacewell said.

The so-called Cyber Insurance Risk Framework set out by the regulator in particular calls on insurers to manage and eliminate exposure to “silent” cyber insurance risk.

“Because silent risk can reside in many different types of policies, even insurers that write little or no cyber insurance need to measure and manage silent risk in their non-cyber insurance policies,” Ms. Lacewell said in the guidance.

The framework also advises insurers to evaluate systemic risk.

“In addition to overall rising costs, insurers must account for the systemic risk that occurs when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses,” the guidance states.

It also called on insurers to educate insurance buyers and brokers about the value of cybersecurity measures and “the need for, benefits of, and limitations to cyber insurance.”

The New York regulator’s action on cyber insurance comes as the COVID-19 pandemic has accelerated the shift online and as businesses face growing cyber vulnerabilities including a rise in ransomware attacks and the Solar Winds-based cyber espionage campaign.

In the guidance, the department says it has been assessing the impact of the SolarWinds compromise and appreciates “the engagement of industry in this process.”

“Although this cyber campaign appears to have been focused on espionage and not destructive attacks, given the number of impacted organizations the total remediation costs are likely to be substantial,” Ms. Lacewell said in the guidance.

While cyber insurance is a relatively new area of business for most insurers, it has grown rapidly, the regulator said.

“In 2019 the U.S. cyber insurance market was $3.15 billion. It is estimated that by 2025 it will be over $20 billion,” it said.