The FAIR Institute Blog

Reimagine Cyber Risk Insurance with the FAIR Materiality Model

Written by Jeff B. Copeland | Mar 21, 2025 4:43:36 PM

Nobody loves the process of information gathering to price a cyber insurance policy - not the underwriters, brokers or buyers. 

Insurance companies require buyers to fill out lengthy, time-consuming application questionnaires about their financials and cybersecurity controls. But give the applications to two different underwriters and you may get back two different premium levels, depending on their subjective judgments. 

Meanwhile, the customers struggle to understand what coverage limits they should buy without clear knowledge of their loss exposure in dollar terms. 

Now, some forward-looking insurance buyers, underwriters and sellers have found a way to reimagine this clunky marketplace: the FAIR Materiality Assessment Model (FAIR-MAM). This offshoot of the FAIR Model brought a new level of detail and accuracy to the right side of the FAIR Model, where analysts estimate Loss Magnitude, the dollar impact in a risk scenario. 

FAIR-MAM leads an analyst through 10 primary loss modules (business interruption, proprietary data loss, etc.) and shows the way to drill down to subcategories with tunable drivers that can be customized to the organization’s business resources and operational profile. 

With FAIR-MAM as a guide, the analyst can fill in dollar values (let’s say hourly cost of forensic consultants) collected from operating data or from business or industry standard data. The result is a firm fix on probable costs that the underwriter, broker and policy buyer can use to negotiate a premium. 

Left to right: Jack Jones, Monica Tigleanu, Robert Immella, Erica Eager

“FAIR-MAM is a huge opportunity for the insurance industry because it gives claims information the real flavor that it needs,” Monica Tigleanu, Cyber Strategy Leader for BMS Group, a global broker, told the recent 2024 FAIR Conference. 

“Most insurance companies are still on legacy systems; the loss-magnitude claims information is not as detailed as FAIR-MAM. We need a more precise way to adjust premiums and coverage.”

Watch a video of the FAIRCON24 session, Quantifying Cyber Losses Like an Insurer and CFO Would, featuring Monica; FAIR creator Jack Jones; Robert Immella, CRQ lead for an international company; and FAIR-MAM creator Erica Eager, Sr. Director, Risk Quantification, at Safe Security.

Tips on Using FAIR-MAM for Cyber Insurance 

–Collecting information to fill out FAIR-MAM can be a challenge, Robert advised. Getting on the calendars of subject matter experts takes time – and then they may be resistant to sharing information. His technique: as a conversation starter, go to the meeting armed with some industry standard figures and ask if your organization fits into those ranges. 

But be persistent; as Erica said, “it’s critical to deal with your actual company numbers - they’re the most defensible. It may take you a little while to get those numbers but the good news is they don’t change frequently. You can look at them maybe once a year.”

–In figuring Loss Magnitude for a cyber event, keep an eye on how your company makes its money, Erica said. For instance, don’t neglect deferred revenue – customers may pay eventually after the event ends. On the other hand, if your organization runs on ecommerce, you’re looking at immediate lost sales. Understand the effects of loss of IP or reputation or any event that interrupts cash flow. 

“There needs to be a shift [from filling out an insurance application questionnaire] to align you to the actual operational profile and financial status of the company.” 

Why FAIR-MAM Is Trusted by Leading Cyber Insurers

1. The FAIR-MAM framework with its ten Loss Modules was built in collaboration with cyber insurers to align with generally accepted claims categories.

2. Cyber insurers use the model to project cyber losses and set premiums across portfolios, accounting for basic differences in industry, revenue size and geography as well as the presence and maturity of various controls that impact loss magnitude.

3. FAIR-MAM is the model used to create Materiality Assessments for the HowMaterialIsThatHack website by tuning the loss drivers to align with reported findings and research assumptions about a specific hack. The Monte Carlo simulation function for primary losses is turned off, so the model acts like a traditional, columnar financial statement for known primary losses. Secondary losses maintain a likelihood of occurrence until they have reached their conclusion – e.g., a fine is imposed or a class action settlement is negotiated.

4. The research behind FAIR-MAM is continuous and draws on primary sources such as: SEC filings; company notifications; official breach notifications; judicial filings; regulatory investigations and decisions; emergency budget procurements; criminal indictments; public vendor reports and datasets; original source media; social media postings by people impacted by a breach, etc. The sourced data is highly curated into defined data fields for use in automated modeling.
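
The mode described in item 3, as an added sketch that is not FAIR-MAM's or the website's own code: known primary losses are summed as fixed line items, while each unresolved secondary loss keeps a likelihood of occurrence until it concludes. All names, dollar figures, likelihoods and the uniform magnitude range are constructed assumptions.

```python
import random

# Constructed figures for illustration; not taken from any real assessment.
PRIMARY_LOSSES = {  # known, reported costs: fixed line items, no simulation
    "business_interruption": 4_200_000,
    "forensics_and_response": 850_000,
}
SECONDARY_LOSSES = [  # (name, likelihood of occurrence, low $, high $)
    ("regulatory_fine", 0.30, 500_000, 2_000_000),
    ("class_action_settlement", 0.15, 1_000_000, 6_000_000),
]


def resolve(secondary, name, amount):
    """Mark one secondary loss as concluded: likelihood 1.0 and a known amount."""
    return [
        (n, 1.0, amount, amount) if n == name else (n, p, lo, hi)
        for n, p, lo, hi in secondary
    ]


def simulate(primary, secondary, trials=20_000, seed=1):
    """Fixed primary total plus Monte Carlo over the open secondary losses."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    base = sum(primary.values())       # "columnar financial statement" part
    totals = []
    for _ in range(trials):
        total = base
        for _name, p, lo, hi in secondary:
            if rng.random() < p:       # does this secondary loss occur?
                total += rng.uniform(lo, hi)  # assumed uniform magnitude
        totals.append(total)
    totals.sort()
    return {
        "primary": base,
        "mean": sum(totals) / trials,
        "p50": totals[trials // 2],
        "p90": totals[int(trials * 0.9)],
        "max": totals[-1],
    }


if __name__ == "__main__":
    print("open secondary losses:", simulate(PRIMARY_LOSSES, SECONDARY_LOSSES))
    fined = resolve(SECONDARY_LOSSES, "regulatory_fine", 1_200_000)
    print("after the fine is imposed:", simulate(PRIMARY_LOSSES, fined))
```

Once the fine concludes it behaves like another fixed line item, and only the settlement still contributes spread to the total.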

Read the FAIR-MAM White Paper