New cybersecurity regulations in New York could raise loss potential for insurers, even as they fuel premium growth for both the cybersecurity and directors and officers sectors, Fitch Ratings said in a new assessment.
“Considering the large number of financial institutions operating in the New York jurisdiction, these rules could set a wider template for other jurisdictions,” Fitch said. “There is also potential for other state or federal cyber regulations passed in the future to conflict with New York’s.”
The new rules, effective March 1, will affect more than 3,000 financial institutions in a move that makes New York the first U.S. state to put cybersecurity regulations into place. Among the new requirements: affected companies must establish a formal cybersecurity program, adopt a written cybersecurity policy, encrypt data and conduct periodic tests of the system to identify potential vulnerabilities. Also, companies will have to designate a chief information security officer to oversee the policy and report to the board at least two times per year.
Fitch said that despite the regulations’ potential to broaden the market, the likelihood that they will clash with other state or federal cyber regulations passed in the future is noteworthy. Also, the National Institute of Standards and Technology (a nonregulatory agency of the Department of Commerce) has several regulatory recommendations that differ from those issued by the New York Department of Financial Services, a discrepancy that could create multiple problems, Fitch said.
“The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters,” Fitch said. “The rules require a director or senior officer to annually certify compliance with the regulations. If management and directors of financial institutions that experience future cyber incidents are subsequently found to be noncompliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.”
Regardless, Fitch sees cyber insurance as continuing its rapid growth and argues that new regulations could help reinforce this, though it adds that data for claims, remediation costs and potential insurer liability makes it harder to price cyber-related risks.
Because of this, Fitch sees “substantial growth” in stand-alone cyber coverage or a greater concentration of an insurer’s portfolio in the cyber space as credit negative.
Source: Fitch Ratings