Reimagine Cyber Risk Insurance with the FAIR Materiality Model
Nobody loves the process of information gathering to price a cyber insurance policy - not the underwriters, brokers or buyers.
Insurance companies require filling out lengthy, time-consuming application questionnaires about the buyer’s financials and cybersecurity controls. But give the applications to two different underwriters and you may get back two different premium levels, depending on their subjective judgments.
Meanwhile, the customers struggle to understand what coverage limits they should buy without clear knowledge of their loss exposure in dollar terms.
Now, some forward-looking insurance buyers, underwriters and sellers have found a way to reimagine this clunky marketplace: the FAIR Materiality Assessment Model (FAIR-MAM). This offshoot of the FAIR Model brought a new level of detail and accuracy to the right side of the FAIR Model, where analysts estimate Loss Magnitude, the dollar impact in a risk scenario.
FAIR-MAM leads an analyst through 10 primary loss modules (business interruption, proprietary data loss, etc.) and shows the way to drill down to subcategories with tunable drivers that can be customized to the organization’s business resources and operational profile.
With FAIR-MAM as a guide, the analyst can fill in dollar values (say, the hourly cost of forensic consultants) collected from operating data or from business or industry standard data. The result is a firm fix on probable costs that the underwriter, broker and policy buyer can use to negotiate a premium.
Left to right: Jack Jones, Monica Tigleanu, Robert Immella, Erica Eager
“FAIR-MAM is a huge opportunity for the insurance industry because it gives claims information the real flavor that it needs,” Monica Tigleanu, Cyber Strategy Leader for BMS Group, a global broker, told the recent 2024 FAIR Conference.
“Most insurance companies are still on legacy systems; the loss-magnitude claims information is not as detailed as FAIR-MAM. We need a more precise way to adjust premiums and coverage.”
Watch a video of the FAIRCON24 session, Quantifying Cyber Losses Like an Insurer and CFO Would, featuring Monica; FAIR creator Jack Jones; Robert Immella, CRQ lead for an international company; and FAIR-MAM creator Erica Eager, Sr. Director, Risk Quantification, at Safe Security.
Tips on Using FAIR-MAM for Cyber Insurance
– Collecting information to fill out FAIR-MAM can be a challenge, Robert advised. Getting on the calendars of subject matter experts takes time – and then they may be resistant to sharing information. His technique: as a conversation starter, go to the meeting armed with some industry standard figures and ask if your organization fits into those ranges.
But be persistent; as Erica said, “it’s critical to deal with your actual company numbers - they’re the most defensible. It may take you a little while to get those numbers but the good news is they don’t change frequently. You can look at them maybe once a year.”
– In figuring Loss Magnitude for a cyber event, keep an eye on how your company makes its money, Erica said. For instance, don’t neglect deferred revenue – customers may pay eventually after the event ends. On the other hand, if your organization runs on ecommerce, you’re looking at immediate lost sales. Understand the effects of loss of IP or reputation or any event that interrupts cash flow.
“There needs to be a shift [from filling out an insurance application questionnaire] to align you to the actual operational profile and financial status of the company.”