Cyber security regulations being put in place by the New York Department of Financial Service (NYDFS) could help to increase demand for cyber risk insurance cover, and ultimately reinsurance, but may also increase the exposure and loss potential re/insurers hold, says Fitch Ratings.
The regulations coming into effect on March 1st 2017 will cover more than 3,000 financial institutions, and make New York the first U.S. state to put cyber security regulations into place.
Those companies covered by the regulations will have to have a formal cyber security program in place, including a written cyber security policy, take steps to encrypt data and also conduct periodic tests of the system to identify any potential vulnerabilities, among other requirements.
The covered companies will also have to appoint a chief information security officer who will hold the responsibility of overseeing the cyber security policy and reporting to the board at least twice a year.
The steps required to meet these new rules requirements almost guarantee that additional cyber risk insurance will be taken out, as companies become increasingly aware of their exposures and that could ultimately push more cyber risk into the insurance and reinsurance market.
Fitch Ratings notes that the adoption of these rules in New York could cascade out to other states, resulting in a much broader adoption of cyber security procedures.
But as well as the chance of increased cyber insurance demand, ultimately requiring more cyber risk reinsurance cover as well, Fitch highlights that the new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters.
As a director or senior officer is required to sign off on compliance with the rules, any future cyber incidents that subsequently result in companies being found to be non-compliant could mean those companies are more exposed to litigation that would be covered under professional liability policies.
Fitch said that rapid cyber insurance growth is likely to continue, and that any new regulatory requirements, such as seen in New York, could accelerate that trend. However Fitch notes that insurers and reinsurers continue to lack data on cyber incidents, which hinders pricing of this emerging class of risk business.
As a result, Fitch says that it “views substantial growth in stand-alone cyber coverage or higher portfolio concentration in cyber as a credit negative for insurers.”