Regulation almost always has the side effect of increasing risk to an organization's interests.
, ,

The relationship between cyber security regulation and cyber insurance


As of March 1, financial institutions in New York State became obligated to comply with the nation’s first cyber security regulation. In broad strokes, the New York Department of Financial Services now requires that financial institutions structure a formal cyber security policy based on periodic risk assessments.

The immediate priority for financial institutions in New York is to create a risk management framework to sustain ongoing compliance with the new regulation. Also important, according to Law360 contributor Jeff Sistrunk, is having a backup plan in the event that a financial institution experiences a data breach. This is because the regulation gives litigators more leverage as a result of the added liability of the data security rule, or failure to comply entirely with it.

That backup plan, according to Sistrunk, is cyber security insurance.

A burgeoning market

“Investment in cyber insurance is expected to increase in 2017.”

Cyber liability insurance has been a hot-button issue in the past few months. As the fallout from cyberattacks increases – the Yahoo intrusion alone cost $350 million – so does the incentive to invest in cyber insurance. According to PricewaterhouseCoopers, the value of annual gross written premium will cap out at $7.5 billion by 2020.

That said, the market is still relatively young and must undergo a certain amount of maturation. At the moment, there is a significant lack of readily available data pertaining to the actual financial damage caused by cyberattacks, which makes it difficult to assess actual risk exposure. For example, we know that ransomware raked in a whopping $1 billion in 2016. While that information is helpful, there may not be enough of it just yet.

But even with those caveats, investment in cyber insurance is expected to increase in 2017, if for no other reason than that cyberattacks are continuing to become increasingly sophisticated. Meanwhile, digitization and even automation are becoming more central to business operations in a variety of industries. And as this happens, the potential for loss spikes – not just in terms of reputational damage and IT downtime, but also in the form of class-action lawsuits.

More regulation: Does it help or hurt? 

“Cyber security regulation is a form of ammunition that could someday guide liability.”

Sistrunk’s argument seems to be that greater cyber security regulation gives litigators something to really sink their hooks into as they bring data breach-related cases to court. In this sense, the regulation does ultimately create an added layer of risk for financial institutions.

The opposite is also true. Showing that an organization has complied with specific cyber security standards laid out by a state-sponsored regulatory body could undercut plaintiffs’ claims. At a minimum, this may serve to limit some of the damages imposed by the court.

Either way, the only certainly seems to be that cyber security regulation is a form of ammunition that could eventually guide liability. It’s also worth noting that New York’s pioneering cyber security regulation could influence regulators in other states to follow suit, which is certainly a development worth following.

At the end of the day, though, cyber risk continues to be a very real threat to financial institutions, regardless of what form that risk takes. As long as this is the case, cyber insurance will continue to have a place in America’s financial institutions.