A New Kind of Insurance

A few years ago, I flew down to Florida to talk with some large insurance companies about this new cutting-edge market for “hacking insurance” (aka cyber insurance), and what I found out while talking to these companies blew my mind.

It turns out that many large companies now want to protect themselves from the costly threat of being breached, so they look toward purchasing cyber insurance. It was a newer concept at the time, and I was just discovering how much potential this market had. This multi-million-dollar market for hacking insurance has popped up out of nowhere and is well on its way toward being a $3B industry by the year 2022. Many insurance companies are interested in bringing development to this cutting-edge market, but there are a few obstacles to overcome.

Let’s talk about how cyber insurance works. Purchasing cyber insurance will typically cost your company between $20k and $50k per million dollars in coverage annually. Then, there are deductibles. There’s still a missing piece of the puzzle, and it’s the biggest one: the overall security of the company looking to become insured. This will ultimately determine exactly how much the organization will be charged for coverage, and what type of coverage it can receive.

Think of it this way: if your home was directly on the ocean in Florida where I spoke with these insurance companies, you would be much more likely to experience natural forces that could ruin your house. For this reason, it’s a bigger risk for insurance companies to insure you. If they’re going to accept that risk, they’re going to want more money for your policy, because they’re more likely to have to pay for damages to your home down the road.

The same is true of cyber insurance. If an organization takes rigorous measures to ensure its organizational and client data remain safe, it’s significantly less likely for an incident to occur or to be handled poorly. Any insurance company would look at the low risk and be willing to insure that company completely — and for less money.

However, this is still a relatively new concept. Underwriters find it difficult to pinpoint proper premiums that will adequately insure these businesses without undercharging and leaving themselves in a financial quandary. It can also be challenging to determine what the risk thresholds are that would cause an insurance company to charge a client more, less, or simply not insure them at all.

The Cyber Insurance Metric

So, what if there was a measure to calculate this for insurance companies looking to sell cyber insurance? What if there was an all-inclusive security analysis for a company that considers all aspects of the organization’s security? What if this analysis included everything from policies, to physical networks, to technical controls? And what if it gave us a reliable and readable analysis — an industry standard that everyone can understand?

There is an information security analysis that will do these things. It’s called FISASCORE®. Purposefully built on the same scoring scale as your individual credit score and considering administrative, technical, and physical controls of a business, this assessment is an all-encompassing score that can be easily understood by virtually anyone, even people who know little to nothing about cybersecurity.

Using an assessment system and scoring metric like FISASCORE® has direct benefits to insurance companies and the companies they look to insure. Not only does a credit-like score give insurance organizations an immediate understanding of the security level of the companies they look to insure, but it also gives those looking to purchase cyber insurance an understanding of how much and where they need to improve to avoid cyber risks.

Ultimately, FISASCORE is the answer to the cyber insurance conundrum. With it, insurance organizations will know exactly how much risk they’re taking on by insuring any given company, and that company will have a better understanding of where they can make improvements to keep their data safer. It’s a true win-win for all involved, the insurance company, the company seeking cyber insurance coverage, and the entire industry.

To learn more about FISASCORE, and other important information security services that can make an impact for your organization, visit frsecure.com.

FISASCORE® is a comprehensive assessment that measures your organization’s information security risk. It was created because of a recognized need in the information security industry for a common language people could use to be on the same page about security. Built on the widely understood credit score scale, FISASCORE measures four different types of controls and gives you a score to use as a litmus test and a starting point for improvements. Every organization should have a FISASCORE, and here is why.

1. FISASCORE is easy to understand.

Information security is a complex discipline with many moving parts, but FISASCORE simplifies the communication about how your information security program is performing. You don’t need to be an information security expert with years of experience to understand what FISASCORE is telling you. One simple number represents your overall risk, and additional indicators show where your most significant risks are.

2. FISASCORE can tell you what everyone else is doing.

Hundreds of organizations have received their FISASCORE, and this allows for good, fact-based comparisons. One of the common questions we receive about information security is, “What is everybody else doing?” This question comes from the responsibility for due care/due diligence, liability, and knowing that there’s “protection in the herd.”

3. With a FISASCORE, you can track progress.

FISASCORE is a point of reference that should be used to track progress and to determine whether risk is maintained within your tolerance. Your information security program and risks are always getting better or worse; they never stay the same. Questions about progress, regular reporting, and support for maintaining your information security program are all answered through the FISASCORE.

The average FISASCORE is 567.72. An “acceptable” level of security is 660.

4. FISASCORE is objective.

FISASCORE is maintained by an independent organization that doesn’t do consulting work and has no other purpose but to provide accurate measurements of information security risk. In addition to organizational objectivity, the score itself is objective. FISASCORE is calculated through the measurement of thousands of objective characteristics that take much of the guesswork and opinion out of the equation.

5. FISASCORE is credible.

FISASCORE was developed over the course of more than 15 years through the work of seasoned information security practitioners and is now on its fifth major release. FISASCORE is based on generally well-accepted information security standards. The criteria for measurement are all referenceable to the NIST Cybersecurity Framework (CSF), and its supporting standards: NIST SP 800-53, COBIT, ISO 27001:2013, and CIS CSC.

6. FISASCORE represents risk.

Risk is the combination of vulnerabilities and applicable threats that manifest themselves into the likelihood of something bad happening and the impact if it did. If there is no vulnerability (or weakness) in a control, there is no risk. If there is a vulnerability in a control without an applicable threat, there is also no risk. FISASCORE represents the analysis of hundreds of controls, thousands of vulnerabilities and thousands of threats, resulting in likelihoods and impacts of bad events.

7. FISASCORE is comprehensive.

Fundamental to FISASCORE is our definition of information security: The application of administrative, physical, and technical controls to protect the confidentiality, integrity and availability of information. There are four phases within FISASCORE:

• Phase 1 – Administrative Controls
• Phase 2 – Physical Controls
• Phase 3 – Internal Technical Controls
• Phase 4 – External Technical Controls

All four parts of the information security program must work well together. A weakness in one control can lead to a collapse of all others. The phases are further segmented into sections, and the sections are further segmented into controls. The final FISASCORE report is presented first at a high level and then digs deep into the details.

8. There is fast-growing community support for FISASCORE.

The partner community behind FISASCORE is critical to its success. Partners work to generate FISASCOREs for their clients, but the partner community is also vital to future improvements and considerations. The partner community participates in further improvements of the methodology, shares critical information, and evangelizes the need for a common information security language (provided by FISASCORE). Our partners include IT service companies, CPA firms, insurance brokers, and security consulting companies.

9. FISASCORE is an indicator of future losses.

As FISASCORE continues to evolve, we get closer to understanding the true losses behind information security incidents and breaches. FISASCORE provides the framework for predicting future information security losses accurately, using the best information available. Today FISASCORE is tied to research conducted by the Ponemon Institute for loss data.

10. FISASCORE is a competitive advantage.

Information security as a competitive advantage? Yes, absolutely! FISASCORE is a representation of the efforts you’ve put into information security, and it’s a demonstration that you know where your most significant information security risks are. Armed with this information, you can make an objective case to your customers that you take information security seriously, backed by experienced information security experts, a community of partners, and a clean methodology. Don’t forget that you can now invest your information security dollars where they will have the greatest benefit.