6. Obtain Cybersecurity Expertise; and
7. Require Notice to Law Enforcement.
Each of these elements is important, but we call particular attention to elements 3, 4, and 7.
Regarding #3, DFS notes that evaluating systemic risk is an urgent issue in today’s marketplace, where businesses increasingly rely on a handful of providers for authentication, cloud services, and other important functions. The Framework document references the recent SolarWinds attack as an example of a vendor supply chain issue having a widespread impact. It also expresses concern about the possibility of an incident at a major cloud provider. While cyber insurers are unlikely to view the Framework as requiring that businesses adopt specific technologies to mitigate systemic risk, it will likely result in cyber insurers increasing their oversight and potentially focusing on new issues such as vendor diversification, to limit outsized impacts that might result from an incident at a larger vendor.