FAIR Institute Blog

3 Tips on Evaluating Cyber Insurance with the FAIR Model

Jun 19, 2019 / by Jeff B. Copeland

In a recent webinar co-hosted by the FAIR Institute and the Legal Services Information Sharing and Analysis Organization (LS-ISAO), Brooke Oppenheimer and Trish Carreiro, attorneys with Axinn, Veltrop, & Harkrider LLP, made the case that any organization looking to buy cyber insurance should first understand its cyber risk in financial terms through FAIR analysis.

Policies vary hugely and are all untested by litigation, the attorneys advised, so it’s on you to negotiate a customized policy.

The key to success, they said: Align Your Policy Coverage with Your Risks.


View the webinar: “Evaluating Cyber Insurance Using the FAIR Methodology”.  FAIR Institute membership and registration in our LINK resource site required. 


Oppenheimer and Carreiro gave these tips for getting your best deal on cyber risk insurance:

Understand your business and your data

As the attorneys described the process, this is a made-for-FAIR problem. To target your coverage, you need to understand what data and applications are on your systems and which of them are of greater or lesser value, as well as the threat actors, the probability that they attack, and how much you are willing to spend to protect against them. You may have the option to name specific high-value databases or other assets in your policy.

Watch out for the definitions in the policy and how they apply to your risk scenarios

Again, the discipline of FAIR helps in defining risk scenarios as specific events with a threat actor, an asset at risk and a probable range of loss. Critical concepts in policy writing are triggering events, causes (direct and indirect), and covered losses and exclusions; a bad fit to your situation could mean no payout on your losses. Examples of sweating the details: A phishing attack could be considered as authorized use of your system (not covered) or unauthorized (covered). To make things more complicated, definitions vary based on state laws in the U.S. States define “direct” and “indirect” causes differently, with some requiring a closer relation of the event to a loss.
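To show how a FAIR scenario (threat actor, asset, probable loss range) can be set against a policy's triggering-event definition, retention and limit, here is an added example in Python; it is not code from the webinar or the FAIR Institute. The scenario figures, the policy terms and the use of triangular distributions in place of FAIR's calibrated PERT estimates are all constructed assumptions.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """One FAIR risk scenario; frequency and magnitude are (min, most likely, max) estimates."""
    name: str
    lef: tuple         # loss event frequency per year
    magnitude: tuple   # loss per event, USD


@dataclass
class Policy:
    """Hypothetical policy terms as they apply to this scenario (assumed, not from any real policy)."""
    retention: float   # per-event deductible
    limit: float       # per-event payout cap or sublimit
    triggered: bool    # does the policy's triggering-event definition actually match the scenario?


def covered_payout(loss: float, policy: Policy) -> float:
    """Insurer pays the part of one event's loss above the retention, capped at the limit."""
    if not policy.triggered or loss <= policy.retention:
        return 0.0
    return min(loss - policy.retention, policy.limit)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the low annual rates typical of FAIR scenarios."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, policy: Policy, years: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years: annual loss before insurance (ALE) and what you still retain."""
    rng = random.Random(seed)
    gross, retained = [], []
    for _ in range(years):
        f_lo, f_ml, f_hi = scenario.lef
        m_lo, m_ml, m_hi = scenario.magnitude
        year_gross = year_retained = 0.0
        for _ in range(poisson(rng, rng.triangular(f_lo, f_hi, f_ml))):
            loss = rng.triangular(m_lo, m_hi, m_ml)
            year_gross += loss
            year_retained += loss - covered_payout(loss, policy)
        gross.append(year_gross)
        retained.append(year_retained)
    ale, kept = statistics.mean(gross), statistics.mean(retained)
    return {"ale": ale, "retained": kept, "p90_annual_loss": statistics.quantiles(gross, n=10)[-1],
            "coverage_ratio": 1 - kept / max(ale, 1e-9)}


if __name__ == "__main__":
    # Constructed scenario: credential phishing leading to a client-data breach.
    phishing = Scenario("phishing -> client data breach", (0.1, 0.5, 2.0), (50_000, 400_000, 3_000_000))
    print(simulate(phishing, Policy(retention=250_000, limit=2_000_000, triggered=True)))
    print(simulate(phishing, Policy(retention=250_000, limit=2_000_000, triggered=False)))
```

Running the same scenario with `triggered=False` models the "phishing counted as authorized use" reading and shows the retained loss collapsing back to the full annualized loss exposure.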

Make a cyber insurance buy a group decision

For FAIR practitioners, this is familiar territory: bringing in experts from around the business to scope an analysis, then discussing risks in financial terms that everyone can understand. IT can speak to data backups and other control strength issues as well as mitigation costs; business continuity team members or business unit owners bring the figures on downtime costs. Of course, Legal will be involved, but also Marketing, to make sure that the organization doesn’t over-promise a level of data security that could lead to liability claims. Everyone should review the terms of the policy, Oppenheimer and Carreiro advise.


Related:

How to Use FAIR to Optimize Your Cyber Insurance Coverage

[Video] FAIRCON18 Panel: Optimizing Cyber Insurance Coverage


The FAIR Institute was named one of the “Most Important Industry Organizations of the Last 30 Years” at the 2019 SC Awards ceremony. Join the Institute!

Topics: FAIR, Risk Management

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.
