Insurance companies must start buying security companies

The Insurance industry encompasses a very odd paradox: it wouldn’t exist without risk, yet does everything in its power to remove any risks for its policy-holders. Insurers only make money if they don’t pay out, and they won’t pay out if they can keep you from doing any of the things they’ve identified as risky.

We’re already seeing how the drive to autonomous vehicles will be spearheaded by insurers, simply because - on current evidence - a self-driving car gets into at least an order of magnitude fewer accidents than a human-operated automobile. Most likely, within a few years your car will be equipped with a meter, and as you slip back and forth between autonomous and human driver modes, your insurance rates will fall and rise in perfect synchrony. In a generation, our kids will probably wonder why we ever did anything as dangerous and expensive as driving ourselves around.

But everything has risks, and even now insurers are only dimly aware of the risks of the connected world. It’s still practically impossible to get a policy to cover the data on your mass storage devices - those physical devices can be insured against loss, but does an insurer know how to value your data? And, more importantly, how can they make sure they never have to pay out?

The good news is that insurers are thinking about these things. Last month, I spent a day at the AON Benfield Hazards Conference, a biannual event where insurers get together to scare each other with presentations about geopolitical risks, climatological risks, earthquake risks, and - more recently - ‘cyber’ risks. (Yes, they still use that term, bless them.)

I gave them a Hollywood-style ‘Rise of the Machines’ scenario, predicting a ‘Great Hack’, a Stuxnet-like virus simultaneously infecting and subverting millions of connected devices - including a large percentage of autonomous vehicles. What happens when your self-driving Volvo XC90 decides it wants to cruise down the footpath at 100 kmh? And how can you keep that from happening?

The bad news is that insurers haven’t the faintest idea. They know there’s a world of cyber risks, and they know there’s quite a bit of money to be made insuring against these risks, but they have no capacity to help their clients mitigate those risks.

How did this happen? Forty years ago insurance companies took the lead in ‘big iron’ adoption, creating some of the first data centres. IT leadership in insurance meant IT leadership, full stop. But after a beautiful beginning, it never went anywhere. IT became infrastructure and maintenance, supporting a corporate structure, but growing increasingly remote from business transformations throughout the rest of the world.

In the questions that followed my talk, one insurance executive noted that it would never enter the minds of the best talents in IT to go to work in insurance. Insurance IT would be seen as dull, routine, and unfulfilling. This rapidly becomes a self-perpetuating cycle, because without a constant inflow of talent and ideas, a business will not even know it has to take risks to adapt to change.

That’s brought us to the present moment: a world full of connected risks and no capacity within the insurance industry to assess or mitigate those risks. This pain point impacts the insurance business, but it’s worse for IT innovators - a business that can’t insure against risks will not take as many risks. Innovation stifles because - at the highest levels of the organisation - the costs of failure loom too large.

How does insurance break this cycle of decreasing capacity? How do we get to a world where connected risks can be assessed and managed?

It must begin with insurance firms reimagining themselves. If an insurance company wants to write cyber policies, they’re going to need deep knowledge of information security threats and preventative practices. In house. So - as I suggested to the conference - it makes sense for an insurance company to buy an anti-virus software company, and an infosec firm, using both as the foundations for a new core business unit in cyber insurance.

A lot of people at the conference thought I was joking. Yet businesses buy other businesses all the time when they want to establish leadership in an area where they’ve clearly identified a weakness. Shouldn’t insurance companies busily buy up every infosec company out there? Aren’t those marriages made in business heaven?

These matches would transform the image of insurance within the IT community from boring and unimportant to exciting and vital. An insurance company that reframes itself as the whitest-of-white hats, dedicated to nurturing talent that wants to protect and defend against cyber threats, will see the resumes flood in.

There are plenty of talented people who want to make the world a better and safer place. Right now there are too few opportunities for all of that talent. Insurance needs that talent, and that talent needs the resources of the insurance industry to commence the huge infrastructure changes needed to de-risk the connected world.

The first insurance company to build these deep capacities in security will create a business monster the likes of which we haven’t seen since IBM. ®