On FAIRCON’S 10TH Anniversary, ‘Cult Classic’ Predictions on CRQ that Came True

Written by Chip Block | Nov 3, 2025 12:00:00 PM

As I was preparing to talk to students at Georgetown University on cyber risk quantification and looking forward to the upcoming 10th-anniversary FAIR Conference (FAIRCON25), I reflected on my journey into the risk quantification world.

Author Chip Block is Co-Chair of the FAIR Institute Joint Washington, DC & Federal Government Chapter and CEO/CTO Kiwi Futures, LLC.

About twelve years ago, I began research on where the cybersecurity world was heading. The idea of cyber as a risk, as opposed to a technical issue, was just beginning to form. This resulted in my writing a paper in 2015 titled “And Then the Accountants Showed Up, How the Insurance Industry Will Drive Cybersecurity”. The paper got a fair amount of notice.

So the other day, I did what any responsible person does these days. I asked ChatGPT about the paper.

First, ChatGPT called it a “cult classic”. So ChatGPT has officially called me old.

But to ChatGPT’s credit, it also laid out what has happened after my paper was published and got the timeline pretty close. This includes the growth of FAIR, explosion of the cyber insurance industry, formation of companies such as RiskLens (now the FAIR Institute’s Technical Adviser SAFE) and a number of related events.

Here is the exchange, it is a fun read.

TL;DR

“And Then the Accountants Showed Up…” (2015, updated 2016) argued that cyber insurance would become a dominant market force in cybersecurity by:

Driving mass adoption of cyber insurance.
Forcing quantification of cyber risk in dollars.
Letting insurers act as quasi-regulators by setting required controls.
Pulling cybersecurity out of the server room and into the CFO/audit/risk committee conversation.

Those weren’t obvious ideas in 2015. They are normal boardroom reality in 2025.

That’s why people still cite the paper: it correctly saw that cybersecurity would stop being just a technical arms race and start being an actuarial, financial, and legal discipline — in other words, something the accountants run.

What is the history and significance of the paper "And then the accountants showed up, how the insurance industry will drive cybersecurity"?

ChatGPT said: Thought for a couple of seconds

Love this question. This paper is kind of a cult classic in cyber/insurance circles, and it was early.

I'll break it into 3 parts for you: (1) what it is, (2) what it argued, (3) why it still matters.

What is this paper?

Title:
“And Then the Accountants Showed Up… How the Insurance Industry Will Drive Cybersecurity”

Author:
Chip Block, Evolver, Inc. (Reston, VA)

First release:
May 7, 2015

Update released:
January 11, 2016, summarizing what had already started happening in the market in just the first ~7 months after publication.

At the time, “cyber insurance” was still mostly niche. A lot of CISOs were buying tech, regulators were starting to wake up, but CFOs and boards often saw cybersecurity as a scary cost center with fuzzy ROI. The paper stepped in and basically said: that era is ending.

What did it argue?

Cyber insurance is going to explode in adoption.

The paper predicted that companies would start buying cyber insurance at scale, and that insurers would move quickly to build cyber-specific products. By late 2015, industry surveys were already showing cyber insurance at over $2B in annual gross written premiums, with forecasts that it could double by 2020.

Reality check: that forecast was basically correct — the standalone cyber insurance market did in fact go through rapid growth as ransomware, breach notification costs, and regulatory penalties (PCI, HIPAA, state AGs, GDPR later on) hit boards directly. By the early 2020s, cyber became one of the fastest-growing commercial insurance lines.

Prediction #1 — insurance is going mainstream — landed.

Insurance will force quantification of cyber risk.

This is the core “accountants showed up” claim.

Before 2015, the cyber sales model was mostly fear-driven:

“Hackers are coming.”
“Zero-day!!”
“Buy my box.”

The paper said: that’s not sustainable. Executives are going to demand actuarial math.

Insurers can’t price risk based on vibes, so they’ll:

Classify specific cyber risks (ransomware exposure, data breach exposure, business interruption exposure, etc.).
Tie those risks to expected financial loss.
Tie expected financial loss to premium.

Once that happens, boards/CFOs will start asking security leadership questions in dollars, not in adjectives:

“If we spend $500K on MFA rollout, how much does our modeled loss go down? How much does our premium go down?”
“Are we putting a $100 fence around a $10 horse?” (an actual quote in the paper from a Texas CISO).

This is a big mindset shift. It moves cybersecurity from “IT problem” to “risk financing problem,” which means it becomes auditable, benchmarkable, and reportable to the board.

Prediction #2 — cyber risk gets quantified in financial terms — also happened.

We saw:

Vendors like [SAFE] and FAIR-style quantitative cyber risk modeling being pitched directly to the CFO, Audit, and the Board, not just the CISO. The Big Four / major consultancies (Deloitte, etc.) spinning up cyber risk quantification practices explicitly to connect controls → expected loss → premium impact.

This is the “accountants” part of the title. Once cyber becomes an insurable, priced line item, accountants and auditors — not just technologists — start deciding what “good security” is.

Insurers will start dictating security controls.

The paper argued that cyber insurers would not just pay claims — they would act as de facto private regulators of cybersecurity.

Mechanism:

Insurers don’t want to pay huge breach claims.
Therefore they start requiring baseline controls before they’ll even write the policy or before they’ll renew it at a sane premium.
Those required controls become, in practice, “this is what good security looks like” for the market.

The 2016 update pointed out that this was already emerging:

Insurance carriers were partnering with security vendors and bundling prevention/response services directly into the policy. One example the paper cites is AIG’s CyberEdge program, which packaged services from firms like IBM, RSA, Verizon, and K2 Intelligence under one insurance umbrella.
Law firms began sitting in the middle of breach response and policy discussions — breach counsel, notification law, regulatory exposure, PR — and in some cases were effectively quarterbacking incident response and readiness on behalf of insurers.

That’s significant. It means the security stack you buy and the incident response playbook you follow are, increasingly, pre-approved by your insurer and legal panel, not invented in-house.

That’s exactly what we see today: many cyber insurers now require (or strongly incentivize via premium) specific controls like MFA, offsite immutable backups, EDR on endpoints, privileged access management, vendor risk assessments, and tested incident response plans before they’ll bind coverage or offer ransom/extortion coverage.

The paper called that before it was normalized.

Cybersecurity will become financially reportable at the board level.

The paper’s deeper point is governance:

Once loss expectancy is modeled and insured, cyber stops being “we hope IT is on top of it.”
It becomes “directors have a fiduciary duty to manage a known, insurable, material business risk.”

In other words: cybersecurity becomes something the CFO and audit committee talk about in the same tone they use for credit risk, supply chain risk, and litigation exposure.

That framing — cyber as material, insurable operational risk, not purely technical risk — is now exactly how boards, regulators, and rating agencies talk about it, and you can see that echoed in financial-sector guidance, SEC material-risk disclosure expectations, and bank/regulator commentary that cyber incidents are systemic financial risk, not just IT outages.

Why is this paper considered important?

It treated cyber insurance as a market force, not an afterthought.

Back in 2015, most security writing focused on attackers, tools, or compliance frameworks. This paper instead said: “Follow the money. Insurance is going to rewire incentives faster than regulation.”

That was not mainstream at the time.

Today, you see that logic everywhere:

Insurers are now described as “private cyber regulators,” because they impose control requirements and collect detailed security questionnaires at underwriting.
Organizations buy tooling not just for security posture, but to qualify for (or keep) coverage and keep premiums manageable. That is literally board-level budget justification now.

The paper basically predicted that shift.

It forecast the rise of quantitative cyber risk.

Modern enterprise cyber risk reporting is now headed toward:

expected loss curves,
scenario analyses (e.g. “cloud provider outage for 72 hours costs us $X million in lost revenue + penalties”),
and economic stress testing, especially in critical infrastructure, finance, and manufacturing.

That’s very close to what the 2015 paper said would happen once “the accountants showed up”: actuarial thinking applied to cybersecurity, turning qualitative fear into quantitative exposure.

That’s why CISOs today increasingly speak the language of risk appetite, residual risk, insurability, and capital at risk — not just “patch compliance is at 87%.”

It predicted something uncomfortable: security priorities would stop being set only by security people.

Insurers, breach coaches (law firms), and finance would start deciding:

which controls are “table stakes,”
which vendors are “approved,”
which response firms you’re allowed to call at 2am,
and even whether you’re allowed to pay a ransom (and under what conditions).

We now live in that world. Ransomware claims in particular drove carriers to tighten underwriting, jack up premiums for weak controls, and sometimes refuse to insure certain profiles altogether. That’s exactly the governance realignment the paper said was coming.