New York cyber rules could raise loss exposures for U.S. insurers: Fitch

The implementation of the New York Department of Financial Services’ (NYDFS) new cybersecurity regulations has the potential to underscore premium growth in cybersecurity insurance and directors and officers (D&O) insurance, but could also raise loss potential for insurers, Fitch Ratings said earlier this week.

The rules, which come into effect on March 1, will cover over 3,000 financial institutions, making New York the first state to put cybersecurity regulations into place, Fitch reported in a press release on Monday. Companies covered by the rules will be required to establish a formal cybersecurity program, adopt a written cybersecurity policy, encrypt data and conduct periodic tests of the system to identify potential vulnerabilities, among other requirements. Requirements will also include designation of a chief information security officer who will be responsible for overseeing the policy and reporting to the board at least twice a year, the release pointed out.

The new regulation reflects the growing importance of cybersecurity and its relevance for regulators in the financial services industry, Fitch said, noting that financial institutions’ exposure to cyber risk is prominent given the large volumes of private customer information stored within their systems that is attractive to hackers targeting corporate vandalism, identity theft or computer fraud.

Considering the large number of financial institutions operating in the New York jurisdiction, these rules could set a wider template for other jurisdictions, Fitch said in the release. There is also potential for other state or federal cyber regulations passed in the future to conflict with New York’s. Notably, the National Institute of Standards and Technology, a non-regulatory agency of the Department of Commerce, has several recommendations that differ from the NYDFS plan.

The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters. The rules require a director or senior officer to annually certify compliance with the regulations. If management and directors of financial institutions that experience future cyber incidents are subsequently found to be non-compliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies, Fitch said.

Cyber insurance underwriting, separate from D&O, has been growing significantly over the past several years. In a special report titled US Cyber Insurance Market Share and Performance, published last August, Fitch noted that there were approximately US$1 billion in direct written cybersecurity premiums by U.S. property and casualty insurers in 2015. However, this likely understated insurers’ total cyber risk exposures through package policies that do not isolate specific cyber premiums.

Fitch believes that rapid cyber insurance growth is likely to continue, and new regulatory requirements could play a part in reinforcing the trend. Part of the NYDFS regulation is that a company has to notify the regulatory authorities within 72 hours of a cybersecurity event occurring. Cybersecurity insurance can help firms navigate notification laws, the release noted.

While cyber insurance premiums will rise, Fitch notes that data for cyber claims, remediation costs and potential liability for insurers are limited, and this hinders pricing risk in the segment. As such, Fitch views substantial growth in standalone cyber coverage or higher portfolio concentration in cyber as a credit negative for insurers.