With so much confusion in the marketplace about how much and what kind of cyber insurance to buy, experts from Marsh, Aon, and other leading companies in the insurance space came together to form the FAIR Institute’s Cyber Insurance Workgroup to think through how the discipline of quantitative risk analytics could help clear the fog.
At the recent 2018 FAIR Conference at Carnegie Mellon, they presented some practical insights. On the panel at FAIRCON:
- Chip Block, VP at Evolver and Co-Chair of the workgroup
- Geoji Paul, Director of Information Security, Express Scripts
- Trish Carreiro, Associate, Axinn, Veltrop & Harkrider
- Samuel Tashima, Associate Director & Actuary, Aon
- Indrajit (Indy) Atluri, Information Security Manager, HIPAA Security Officer, ProPath Services
Watch the video: Using FAIR to Optimize Your Cyber Insurance Coverage. FAIR Institute membership required. Join now (it’s free).
Once organized, the workgroup quickly realized that its focus should be on business interruption insurance. As Sam Tashima said, “Every conversation we have with clients is around business interruption” in the wake of NotPetya and similar attacks that knocked Merck, FedEx and a wide range of other companies out of production.
But “business interruption loss is very different from breach loss,” as Chip said, and requires working through a checklist for FAIR analysis, which the workgroup presented in this panel discussion.
- How to come up with frequency numbers that are specific, not generic
- Attack frequency is high and attacks might be targeted or coming in from the wild
- Is there a difference in frequency between attacks that are state-sponsored or criminal?
On the Loss Magnitude side, FAIR analysts should be particularly careful about running down all the potential litigants and litigation costs, Trish warned: “Factor in the multiple factors that can make that litigation even more expensive.” She presented a checklist of legal implications of a business interruption attack.
The bottom line on evaluating cyber insurance with FAIR analysis, Chip said, is not to look at the top line aggregate risk but to use the FAIR model to dig down through all levels of Loss Magnitude, then evaluate the specific sublimits or maximum payable amounts in your policy on business interruption or other categories of loss.
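To make that point concrete, here is an added example (not from the panel or the FAIR Institute) that simulates per-event Loss Magnitude by category and compares the loss retained under an aggregate-only view with the loss retained once sublimits apply. All dollar ranges, limits and category names are constructed assumptions, frequency is left out, and a triangular distribution stands in for whatever distribution your FAIR tooling uses.

```python
import random

# Constructed inputs for illustration only: (min, most likely, max) loss per event, USD.
LOSS_RANGES = {
    "business_interruption": (200_000, 2_000_000, 12_000_000),
    "litigation": (50_000, 500_000, 4_000_000),
    "incident_response": (50_000, 300_000, 1_000_000),
}
# Hypothetical policy: one aggregate limit plus a sublimit per category.
AGGREGATE_LIMIT = 10_000_000
SUBLIMITS = {"business_interruption": 1_000_000, "litigation": 5_000_000,
             "incident_response": 2_000_000}

def insured_payout(losses, sublimits, aggregate_limit):
    """Pay each category up to its sublimit, then cap the total at the aggregate."""
    paid = sum(min(loss, sublimits.get(cat, 0)) for cat, loss in losses.items())
    return min(paid, aggregate_limit)

def simulate(events=10_000, seed=1):
    """Return mean retained loss per event: (aggregate-only view, sublimit view)."""
    rng = random.Random(seed)
    agg_only = with_sub = 0.0
    for _ in range(events):
        # random.triangular takes (low, high, mode)
        losses = {c: rng.triangular(lo, hi, mode)
                  for c, (lo, mode, hi) in LOSS_RANGES.items()}
        total = sum(losses.values())
        agg_only += total - min(total, AGGREGATE_LIMIT)
        with_sub += total - insured_payout(losses, SUBLIMITS, AGGREGATE_LIMIT)
    return agg_only / events, with_sub / events

if __name__ == "__main__":
    top_line, per_category = simulate()
    print(f"mean retained loss, aggregate limit only: ${top_line:,.0f}")
    print(f"mean retained loss, with sublimits:       ${per_category:,.0f}")
```

With these constructed numbers the aggregate limit looks adequate on its own, while the business interruption sublimit leaves most of that category's loss uninsured.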