FAIR has a track record and the backing of the information security industry to help organizations quantify cyber risk. The obvious use case is insurance. In order to accurately transfer risk, it must be quantified. The FAIR Insurance Workgroup aims simply to review this application of the FAIR methodology to inform risk transference decisions. If that’s something you want to be a part of, join us on our regular workgroup calls and help shape an industry. (Select the 'Insurance Workgroup' box when joining the FAIR Institute. Membership is free).
In the last workgroup session:
We discussed the cyber insurance application forms that insurance buyers fill out in order to obtain insurance quotes. These forms are not yet standardized across the industry. While they aim to capture as much critical information as possible for underwriting, they inevitably leave room for improvement. We were able to hear from an experienced cyber insurance underwriter who has created an insurance product for SMBs which streamlines the critical question set. His insight and experience was invaluable and he also invited the group to evaluate his underwriting questionnaire. A cyber insurance broker also provided some insight and both fielded questions from the group of buyers and consultants.
A couple of workgroup members looking to incorporate FAIR-based data into their software model presented towards the end of the session. The presentation introduced the idea of the “good-driver monitoring” to the world of cyber risk insurance and they were also kind enough to field questions regarding the challenges likely to be faced in the real-world implementation of the idea. Updates are surely to follow in the coming months.
In the next workgroup session:
The primary goal of the next workgroup session is to vet our ideas on how to improve the questionnaires based on FAIR ideas within the community. This may turn into the beginnings of the group’s first white-paper project that presents to the wider industry a model-based cyber underwriting application question set for critique.
At the upcoming FAIR Conference:
I will also be attending the inaugural FAIR Conference on Oct 14th in Charlotte, NC, and will be leading a breakout session on cyber insurance.
Looking forward to seeing you there or during one of our next workgroup sessions!