How Much Cyber Insurance Do We Need?

April 17, 2019  Chad Weinman

Leveraging the RiskLens platform and its guided quantification application, we can perform simple analyses over a few significant loss event scenarios to help an organization understand how much cyber insurance coverage it needs.

Outlined below is how this can be achieved, along with sample results you can rapidly generate.

The FAIR ontology is the foundational model by which we quantify risk. The two main branches cover Loss Event Frequency (LEF) and Probable Loss Magnitude (LM). To determine cyber insurance coverage limits, we are not as concerned with LEF but rather want to focus on the magnitude associated with an event. This is because cyber insurance is viewed as a responsive control (vs. preventative or detective). Its main objective is to reduce the magnitude of loss an organization will suffer when an event occurs.

For example, we start by scoping a set of separate small analyses over key systems that contain large amounts of sensitive information. Once these very simple and discrete analyses are completed and run, we focus on the following type of reports.

Loss Exposure - The aggregate loss associated with a single loss event (example).

The RiskLens platform utilizes Monte Carlo simulations as part of the analysis engine. This method performs thousands of random simulations based on the inputs we entered within the data-gathering workshop and the configured loss tables. The result is a set of simulated outcomes, from which the table and graph you see above are derived.

Management can use this information to guide decision-making around cyber insurance coverage. Based on the organization and its risk tolerance, management may want to gain coverage that meets the average loss exposure ($30.8M) associated with a large data breach. If the organization is more risk averse, they may choose to ensure their coverage is up to the 90th percentile ($42.7M).

Additionally, we can leverage another report that breaks that total loss exposure down into the categories of primary and secondary losses, as defined by the FAIR standard. Coupled with your specific policy guidelines, you can see what areas of loss your cyber insurance policy is likely to cover.
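The Monte Carlo step and the primary/secondary breakdown described above can be sketched as follows. This is an added example, not RiskLens code: the loss ranges are constructed, the loss-form names are illustrative, and triangular sampling over (min, most likely, max) is an assumption of the sketch rather than the platform's method.

```python
import random
import statistics

# Constructed per-event loss ranges in $M as (min, most likely, max).
# Illustrative only; not figures from the article or any real analysis.
LOSS_FORMS = {
    "primary": {"response": (0.5, 2.0, 6.0), "productivity": (0.1, 0.5, 2.0)},
    "secondary": {
        "secondary_response": (2.0, 8.0, 20.0),
        "fines_and_judgments": (0.0, 5.0, 25.0),
        "reputation": (0.0, 3.0, 15.0),
    },
}

def simulate_event_losses(loss_forms, runs=20000, seed=1):
    """Simulate `runs` loss events; each result holds primary, secondary, total ($M)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    results = []
    for _ in range(runs):
        # Assumption: each loss form is sampled independently from a triangular distribution.
        event = {
            branch: sum(rng.triangular(lo, hi, mode) for lo, mode, hi in forms.values())
            for branch, forms in loss_forms.items()
        }
        event["total"] = event["primary"] + event["secondary"]
        results.append(event)
    return results

def percentile(values, pct):
    """Nearest-rank percentile for an integer pct in 1..100."""
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)
    return ordered[rank - 1]

def coverage_report(results, limit):
    """Summarise simulated loss magnitude against a candidate coverage limit ($M)."""
    totals = [r["total"] for r in results]
    return {
        "mean": statistics.fmean(totals),
        "p90": percentile(totals, 90),
        "mean_primary": statistics.fmean(r["primary"] for r in results),
        "mean_secondary": statistics.fmean(r["secondary"] for r in results),
        "share_over_limit": sum(t > limit for t in totals) / len(totals),
        "mean_excess": statistics.fmean(max(0.0, t - limit) for t in totals),
    }

if __name__ == "__main__":
    sims = simulate_event_losses(LOSS_FORMS)
    base = coverage_report(sims, limit=0.0)
    for name in ("mean", "p90"):
        print(name, coverage_report(sims, limit=base[name]))
```

Comparing `share_over_limit` and `mean_excess` at the mean versus the 90th percentile shows how much uninsured loss remains under each coverage choice.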

This is just a single use case where quantitative risk analysis with the RiskLens platform provides valuable information and risk intelligence for the purpose of optimizing cyber insurance coverage.