Leveraging FAIR for making effective cyber insurance decisions
FAIR has a track record and the backing of the information security industry to help organizations quantify cyber risk. The obvious use case is insurance. In order to accurately transfer risk, it must be quantified. The FAIR Insurance Workgroup aims simply to review this application of the FAIR methodology to inform risk transference decisions. If that’s something you want to be a part of, join us on our regular workgroup calls and help shape an industry. (Select the 'Insurance Workgroup' box when joining the FAIR Institute. Membership is free).
I’ve been using FAIR to help organizations understand their risk for nearly a decade now. In the last two years, I’ve been asked more and more to come in and help answer the board-level question, “How much cyber exposure do we have?” This question is asked for any number of reasons, but the raison d'être du jour is simply to inform the decision around buying cyber risk insurance. I find this to be one of the most straightforward applications of the FAIR methodology and one of the most valuable. FAIR focuses primarily on answering the question, “how much?” and along the way it can’t help but point out the opportunities to reduce exposure that exist beyond risk transference. For example:
- You have a single point of failure when transferring company funds up to £1M and that is driving the majority of your exposure
- You have not tested your backups and could likely see £50k rather than £5k in damages should you fall prey to a cryptolocker attack
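As an added illustration of the "how much?" question (this is example code written for this page, not the FAIR Institute's own model or tooling), the script below runs a simplified FAIR-style Monte Carlo: loss event frequency and loss magnitude are estimated as min / most-likely / max ranges, sampled with PERT distributions, and combined into an annualized loss distribution. The two scenarios mirror the bullets above. All frequency and magnitude ranges, the retention and limit figures, and the scenario names are constructed assumptions, not data from the post. The `expected_transfer` function shows the figure an insurance buyer actually needs: the expected annual loss that would fall inside a given retention-to-limit layer.

```python
import math
import random
import statistics

# Constructed scenarios (assumptions for illustration only). Each range is
# (min, most likely, max); "lef" is loss events per year, "lm" is GBP per event.
SCENARIOS = {
    "wire_transfer_single_point_of_failure": {
        "lef": (0.1, 0.3, 1.0),
        "lm": (100_000, 500_000, 1_000_000),
    },
    "cryptolocker_untested_backups": {
        "lef": (0.2, 0.5, 1.5),
        "lm": (20_000, 50_000, 150_000),
    },
    "cryptolocker_tested_backups": {
        "lef": (0.2, 0.5, 1.5),  # same frequency: backups change magnitude, not frequency
        "lm": (2_000, 5_000, 20_000),
    },
}


def pert(rng, low, mode, high, lam=4.0):
    """Sample a PERT (scaled beta) distribution from a min/mode/max estimate."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, mean):
    """Knuth's Poisson sampler; fine for the small event rates used here."""
    threshold = math.exp(-mean)
    k = 0
    p = rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(scenario, iterations=10_000, seed=7):
    """Return a list of simulated annual losses (one value per simulated year)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        rate = pert(rng, *scenario["lef"])        # this year's loss event frequency
        events = poisson(rng, rate)               # how many loss events occur
        loss = sum(pert(rng, *scenario["lm"]) for _ in range(events))
        annual.append(loss)
    return annual


def summarize(losses):
    """Mean, 90th percentile and probability of any loss in a year."""
    ordered = sorted(losses)
    p90 = ordered[int(0.9 * (len(ordered) - 1))]
    return {
        "mean": statistics.mean(losses),
        "p90": p90,
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def exceedance_probability(losses, threshold):
    """Probability that annual loss exceeds a threshold (e.g. a proposed retention)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def expected_transfer(losses, retention, limit):
    """Expected annual loss landing in the insured layer [retention, retention + limit].
    This is the part of the exposure a policy with that retention and limit would pay."""
    layer = [min(max(x - retention, 0.0), limit) for x in losses]
    return statistics.mean(layer)


if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        losses = simulate_annual_losses(scenario)
        s = summarize(losses)
        print(f"{name}: mean=£{s['mean']:,.0f} p90=£{s['p90']:,.0f} "
              f"P(loss)={s['p_any_loss']:.2f} "
              f"P(>£25k)={exceedance_probability(losses, 25_000):.2f} "
              f"transfer(£25k ret, £500k limit)=£{expected_transfer(losses, 25_000, 500_000):,.0f}")
```

Running it shows the point the bullets make: the tested-backup scenario keeps the same event frequency but an order of magnitude less expected loss, so testing backups is a cheaper treatment than transferring the untested exposure, and the remaining distribution tells you which retention and limit are worth paying for.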
The cyber insurance challenge
The challenge is three-fold, at least:
- The underwriting community at large is not sure how to model cyber risk.
Without a model, the factors that drive exposure are determined through guesswork and through trying and failing (actuaries thrive with data, after all). Consistent feedback from buyers is that the forms they fill out to buy insurance are bewildering; either too short or too long, but always bewildering. The opportunity on the buyer’s side is to model it better and align with underwriters and brokers that “get you”.
- The information security community does not trust insurance.
Given the coverage wordings I’ve seen, it is not difficult to understand why. I will give credit where it is due though; over the last few months, these wordings have improved. By that, I mean they are easier to understand and the exclusion/definition sections are not quite the nightmares they once were for determining coverage against any given scenario. Also, the quality of the claims handling and built-in crisis management services have had nowhere to go but up. The biggest opportunity here is for insurance buyers to influence the products that are available.
- People who don’t understand the value of probabilistic models based on imperfect and imprecise information are...difficult to engage with.
I’ve been doing a lot of cross-discipline reading (from neuroscience to weather to gambling to modern warfare) and the common theme seems to be a gravitation towards modeling and probabilistic thinking, less intuition and “scripture”. But these new ways of approaching problems are daunting for those comfortable in their ways. Uncertainty is uncomfortable.
On the bright side, I can confidently say a surprising number of the top companies in the world embrace FAIR and even more of them leverage what FAIR is based on—model thinking and probability.
The mission of the Insurance Workgroup
The FAIR Institute Insurance Workgroup is going to attempt to address all three of the challenges above and at the very least, help those involved know more about cyber risk and cyber risk transference than most brokers and underwriters.
In the next conference call, we will review a sanitized report that I have created using FAIR to help an organization buy the appropriate cyber coverage. Questions, criticism, and adulation will all be welcomed.