
This is a companion blog to “The SafeHouse” podcast dated July 3, 2025.
Understanding and managing cyber risk has become a critical priority for organizations of all sizes. In this article, we explore the essential concept of cyber risk quantification (CRQ) as explained by Steven Schwartz, Chief Insurance Officer at Safe Security. Steven shares valuable insights on why translating cyber risk into financial terms is vital for making informed decisions about cyber insurance and overall cybersecurity strategy. Whether you are a CEO, CISO, or security leader, this guide will help you grasp how to approach cyber risk with a data-driven mindset and prepare for the evolving cyber insurance landscape.
Listen to the original podcast here: https://safehouseinitiative.org/cyber-insurance-summer-series-quantifying-risk-with-safe-securitys-steven-schwartz/
Cyber risk quantification is the process of translating complex cybersecurity metrics into understandable financial terms that resonate with business leaders. Steven Schwartz explains:
“If I’m a board member, if I’m a CEO, CFO and our security leader or third-party MSP provides me a report saying that we resolved a thousand vulnerabilities and our risk is amber versus red, what does it mean for the business?”
Traditional approaches to cyber insurance often rely on arbitrary metrics, such as basing insurance limits on a percentage of revenue or simply benchmarking against competitors. However, every organization’s risk profile is unique, shaped by factors like industry, data sensitivity, and operational dependencies. Steven points out the limitations of these outdated methods:
“The reality is every organization’s so unique… a hundred-million-dollar healthcare entity A may have 10 million records versus a hundred million healthcare entity B which has a thousand records. Both are in healthcare but totally different profiles.”
Cyber risk quantification helps bridge the gap between technical cybersecurity details and business decisions by assessing what assets are truly at risk, the likelihood of incidents, and potential financial impact. This enables organizations to determine appropriate insurance limits and balance what risk to mitigate, transfer, or accept.
One of the globally recognized standards for CRQ is the FAIR (Factor Analysis of Information Risk) methodology, supported by the FAIR Institute. Steven highlights its significance:
“FAIR is the only recognized standard globally for quantifying cyber risk… and it’s an open standard with more than 16,000 members globally.”
For organizations starting their cyber risk quantification journey, here are practical steps Steven recommends:
Steven cautions that business interruption is often underestimated:
“It’s not just when you get back up and operating, it’s when you’re back up to 100% operations, which can be two very different things.”
He gives the example of StubHub, where even after resuming operations, regaining full business activity and customer trust may take much longer.
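To make the FAIR factoring concrete, and to show why "back up" and "back to 100%" price differently, here is an added worked example (not from the podcast, Safe Security or the FAIR Institute): a small Monte Carlo that prices the two $100M healthcare entities from Steven's example as annual loss exposure in dollars and checks a candidate policy limit against a bad year. The per-event frequencies, outage and recovery day counts, daily revenue, per-record cost and 50% recovery capacity are all invented assumptions.

```python
import math
import random
import statistics
from dataclasses import dataclass

def tri_sample(rng, est):  # est = (low, most likely, high), the calibrated range FAIR analysts elicit
    low, mode, high = est
    return rng.triangular(low, high, mode)
def tri_mean(est):
    return sum(est) / 3

@dataclass
class Scenario:
    loss_event_frequency: tuple  # loss events per year (FAIR's LEF), as (low, mode, high)
    outage_days: tuple           # days until systems are back up
    recovery_days: tuple         # further days at reduced capacity until revenue is back to 100%
    daily_revenue: float
    per_record_cost: float       # notification, credit monitoring, fines per record exposed
    records: int

def loss_magnitude(s, rng):
    # Interruption loss counts the recovery tail (assumed 50% capacity) as well as the outage.
    days = tri_sample(rng, s.outage_days) + 0.5 * tri_sample(rng, s.recovery_days)
    return s.daily_revenue * days + s.per_record_cost * s.records

def expected_annual_loss(s):
    """Closed-form FAIR estimate: LEF x loss magnitude, taken at the distribution means."""
    days = tri_mean(s.outage_days) + 0.5 * tri_mean(s.recovery_days)
    return tri_mean(s.loss_event_frequency) * (s.daily_revenue * days + s.per_record_cost * s.records)

def poisson(rng, lam):
    """Knuth's sampler; fine for the small yearly event rates used here."""
    threshold, k, p = math.exp(-lam), 0, rng.random()
    while p > threshold:
        k, p = k + 1, p * rng.random()
    return k

def simulate_annual_losses(s, years=20000, seed=7):
    """Monte Carlo: each simulated year draws an event count, then a loss per event."""
    rng = random.Random(seed)
    yearly_events = lambda: poisson(rng, tri_sample(rng, s.loss_event_frequency))
    return [sum(loss_magnitude(s, rng) for _ in range(yearly_events())) for _ in range(years)]

def limit_shortfall(losses, insurance_limit, pct=95):
    """Dollars by which a bad (pct-th percentile) year exceeds the policy limit, else 0."""
    return max(0.0, statistics.quantiles(losses, n=100)[pct - 1] - insurance_limit)

def healthcare_entity(records):
    """Constructed $100M-revenue healthcare profile; only the record count varies (figures invented)."""
    return Scenario((0.2, 0.4, 0.6), (2, 7, 21), (10, 30, 80), 250_000, 150, records)
```

Running `expected_annual_loss` and `limit_shortfall` on `healthcare_entity(10_000_000)` versus `healthcare_entity(1_000)` shows the two entities differ by orders of magnitude despite identical revenue, which is exactly why a limit set as a percentage of revenue misprices both.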
While technical controls are important, Steven emphasizes the persistent vulnerability posed by human factors and third-party relationships. Some of the most frequently overlooked cyber risks include:
Steven summarizes the human element challenge:
“Humans will always be the weakest link and easier to exploit than technology, especially now with the advent of AI.”
He also stresses that no organization is too small to be a target:
“If you’re valuable, you’re visible, and if you’re visible, you’re vulnerable. Even a $1 million company is valuable and easier to exploit than a major enterprise.”
Beyond traditional standalone cyber insurance policies, Steven highlights emerging alternatives that offer faster and more transparent risk transfer solutions:
These warranties act as financial guarantees embedded within cybersecurity products or services, paying out if certain protections fail. Steven explains:
“If our firewall fails to prevent unauthorized access which leads to a business email compromise or data breach, we will pay you. It’s like an if-then statement.”
This model offers quicker payouts (within 72 hours) compared to traditional insurance claims, which can take weeks or months involving legal and forensic investigations. Security warranties can also function as deductible buy-downs, reducing an organization’s out-of-pocket expenses in the event of a claim.
For small and medium-sized businesses (SMBs), Insurtech MGAs such as Coalition, Box, Corvus, Resilience, and Cowbell provide streamlined, affordable cyber insurance policies. These platforms simplify underwriting and offer valuable incident response services, making cyber insurance more accessible.
Steven notes the value of these policies goes beyond monetary coverage:
“The value is really in the services that are provided and covered via the insurance policy. When you have that event, your first call should be to your attorney or to your insurance company who will bring in experts to help you through the process.”
Ultimately, the most impactful advice Steven offers to security leaders is to quantify cyber risk in financial terms. This approach transforms cybersecurity from a purely technical discussion into a business conversation that resonates with executives and boards:
“If you really want to start to make smarter decisions and drive change as an IT or security leader, then you need to start to quantify the risk. Then the conversation with your CEO and board stops being about an IT problem and becomes about dollars and cents.”
This shift is critical for securing resources, prioritizing investments, and fostering a culture of cybersecurity resilience across the organization.
Cyber risk quantification is no longer optional—it’s a foundational step for any organization serious about managing cyber threats and making informed decisions about insurance and risk mitigation. By understanding what assets are at risk, leveraging standards like the FAIR methodology, and adopting a data-driven approach, businesses can set appropriate insurance limits and strengthen their overall security posture.
The cyber insurance market continues to evolve with innovations like security warranties and Insurtech MGAs, offering new options to tailor risk financing to organizational needs. However, no matter the tools or policies, the human factor remains a critical vulnerability that requires ongoing attention.
As Steven Schwartz puts it, the key to advancing cybersecurity within any organization lies in speaking the language of risk and value—translating technical details into business impact. With this mindset, leaders can better protect their organizations and navigate the complex cyber landscape with confidence.
For more information about the SafeHouse Initiative and how you can protect your organization, visit safehouseinitiative.org.