At the recent 2018 FAIR Conference at Carnegie Mellon, they presented some practical insights. On the panel at FAIRCON:
Watch the video: Using FAIR to Optimize Your Cyber Insurance Coverage. FAIR Institute membership required. Join now (it’s free).
On getting organized, the workgroup quickly realized that their focus should be on business interruption insurance. As Sam Tashima said, “Every conversation we have with clients is around business interruption” in the wake of NotPetya and similar attacks that knocked Merck, FedEx and a wide range of other companies out of production.
But “business interruption loss is very different from breach loss,” as Chip said, and requires working through a checklist for FAIR analysis, which the workgroup presented in this panel discussion.
For instance, on the Loss Event Frequency side of the FAIR model, recent business interruption hits appear to be indiscriminate across market sectors, raising issues such as…
On the Loss Magnitude side, FAIR analysts should be particularly careful about running down all the potential litigants and litigation costs, Trish warned: “Factor in the multiple factors that can make that litigation even more expensive.” She presented a checklist of legal implications of a business interruption attack.
The bottom line on evaluating cyber insurance with FAIR analysis, Chip said, is not to look at the top-line aggregate risk but to use the FAIR model to dig down through all levels of Loss Magnitude, then evaluate the specific sublimits, or maximum payable amounts, in your policy for business interruption or other categories of loss.
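The comparison described above can be sketched as a small simulation. This is an added example, not material from the panel or the FAIR Institute; the loss ranges, sublimits, aggregate limit, category names and the use of triangular distributions are all constructed assumptions, and retentions or deductibles are ignored.

```python
import random

# Constructed per-event loss ranges in USD: (minimum, most likely, maximum).
LOSS_RANGES = {
    "business_interruption": (1_000_000, 8_000_000, 40_000_000),
    "litigation": (200_000, 2_000_000, 15_000_000),
    "other": (100_000, 500_000, 3_000_000),
}
# Constructed policy terms: per-category sublimits under one aggregate limit.
SUBLIMITS = {
    "business_interruption": 5_000_000,
    "litigation": 10_000_000,
    "other": 2_000_000,
}
AGGREGATE_LIMIT = 20_000_000


def simulate(trials=20_000, seed=1):
    """Average insurer payout per loss event, seen two ways, plus retained loss."""
    rng = random.Random(seed)
    paid_top_line = paid_with_sublimits = 0.0
    retained = dict.fromkeys(LOSS_RANGES, 0.0)
    for _ in range(trials):
        # Triangular draws stand in for an analyst's calibrated estimates.
        losses = {c: rng.triangular(lo, hi, mode)
                  for c, (lo, mode, hi) in LOSS_RANGES.items()}
        # Top-line view: compare total loss with the aggregate limit only.
        paid_top_line += min(sum(losses.values()), AGGREGATE_LIMIT)
        # Category view: cap each loss at its sublimit before the aggregate.
        covered = {c: min(v, SUBLIMITS[c]) for c, v in losses.items()}
        paid_with_sublimits += min(sum(covered.values()), AGGREGATE_LIMIT)
        # The sublimits sum to less than the aggregate here, so the shortfall
        # in each category is exactly the loss above its sublimit.
        for c in losses:
            retained[c] += losses[c] - covered[c]
    return {
        "paid_top_line": paid_top_line / trials,
        "paid_with_sublimits": paid_with_sublimits / trials,
        "retained_by_category": {c: v / trials for c, v in retained.items()},
    }


if __name__ == "__main__":
    result = simulate()
    print(f"Top-line view payout:  {result['paid_top_line']:>14,.0f}")
    print(f"Payout with sublimits: {result['paid_with_sublimits']:>14,.0f}")
    for category, amount in result["retained_by_category"].items():
        print(f"Retained {category:<22} {amount:>14,.0f}")
```

With these constructed numbers the aggregate limit looks close to adequate, while the business interruption sublimit leaves most of that category's loss uninsured.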