Fitch: cyber insurance rules may be costly
New cybersecurity regulations for financial institutions in New York have the potential to raise losses for insurers.
That is the warning from Fitch Ratings ahead of the New York Department of Financial Services' new rules, which become effective on March 1.
The agency sees the potential for premium growth in cybersecurity insurance and directors and officers insurance, but warns that the regulations could also raise loss potential for insurers.
More than 3,000 financial institutions covered by the regulations will be required to establish a formal cybersecurity programme, adopt a written cybersecurity policy, encrypt data and conduct periodic tests of the system to identify potential vulnerabilities, among other requirements.
They must have a designated chief information security officer responsible for overseeing the policy and reporting to the board at least twice a year.
In a statement, Fitch said the rules could set a wider template for other jurisdictions.
“There is also potential for other state or federal cyber regulations passed in the future to conflict with New York's. Notably, the National Institute of Standards and Technology, a nonregulatory agency of the Department of Commerce, has several recommendations that differ from the NYDFS plan,” stated Fitch.
“The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters. The rules require a director or senior officer to annually certify compliance with the regulations.
“If management and directors of financial institutions that experience future cyberincidents are subsequently found to be non-compliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.”
Fitch believes that rapid cyberinsurance growth is likely to continue, and new regulatory requirements could play a part in reinforcing the trend.
“Part of the NYDFS regulation is that a company has to notify the regulatory authorities within 72 hours of a cybersecurity event occurring. Cybersecurity insurance can help firms navigate notification laws,” stated Fitch.
The agency said data for cyberclaims, remediation costs and potential liability for insurers are limited, which hinders the pricing of risk, leading it to view “substantial growth in stand-alone cyber coverage or higher portfolio concentration in cyber as a credit negative for insurers”.