Insurance companies must start buying security companies

Insurers have no idea how to protect the digital realm. So they need to buy those who do

The insurance industry encompasses a very odd paradox: it wouldn’t exist without risk, yet does everything in its power to remove any risks for its policy-holders. Insurers only make money if they don’t pay out, and they won’t pay out if they can keep you from doing any of the things they’ve identified as risky.

We’re already seeing how the drive to autonomous vehicles will be spearheaded by insurers, simply because - on current evidence - a self-driving car gets into at least an order of magnitude fewer accidents than a human-operated automobile. Most likely, within a few years your car will be equipped with a meter, and as you slip back and forth between autonomous and human driver modes, your insurance rates will fall and rise in perfect synchrony. In a generation, our kids will probably wonder why we ever did anything as dangerous and expensive as driving ourselves around.

But everything has risks, and even now insurers are only dimly aware of the risks of the connected world. It’s still practically impossible to get a policy to cover the data on your mass storage devices - those physical devices can be insured against loss, but does an insurer know how to value your data? And, more importantly, how can they make sure they never have to pay out?

The good news is that insurers are thinking about these things. Last month, I spent a day at the AON Benfield Hazards Conference, a biannual event where insurers get together to scare each other with presentations about geopolitical risks, climatological risks, earthquake risks, and - more recently - ‘cyber’ risks. (Yes, they still use that term, bless them.)

I gave them a Hollywood-style ‘Rise of the Machines’ scenario, predicting a ‘Great Hack’, a Stuxnet-like virus simultaneously infecting and subverting millions of connected devices - including a large percentage of autonomous vehicles. What happens when your self-driving Volvo XC90 decides it wants to cruise down the footpath at 100 km/h? And how can you keep that from happening?

The bad news is that insurers haven’t the faintest idea. They know there’s a world of cyber risks, and they know there’s quite a bit of money to be made insuring against these risks, but they have no capacity to help their clients mitigate those risks.

How did this happen? Forty years ago insurance companies took the lead in ‘big iron’ adoption, creating some of the first data centres. IT leadership in insurance meant IT leadership, full stop. But after a beautiful beginning, it never went anywhere. IT became infrastructure and maintenance, supporting a corporate structure, but growing increasingly remote from business transformations throughout the rest of the world.

In the questions that followed my talk, one insurance executive noted that it would never enter the minds of the best talents in IT to go to work in insurance. Insurance IT would be seen as dull, routine, and unfulfilling. This rapidly becomes a self-perpetuating cycle, because without a constant inflow of talent and ideas, a business will not even know it has to take risks to adapt to change.

That’s brought us to the present moment: a world full of connected risks and no capacity within the insurance industry to assess or mitigate those risks. This pain point impacts the insurance business, but it’s worse for IT innovators - a business that can’t insure against risks will not take as many risks. Innovation is stifled because - at the highest levels of the organisation - the costs of failure loom too large.

How does insurance break this cycle of decreasing capacity? How do we get to a world where connected risks can be assessed and managed?

It must begin with insurance firms reimagining themselves. If an insurance company wants to write cyber policies, they’re going to need deep knowledge of information security threats and preventative practices. In house. So - as I suggested to the conference - it makes sense for an insurance company to buy an anti-virus software company, and an infosec firm, using both as the foundations for a new core business unit in cyber insurance.

A lot of people at the conference thought I was joking. Yet businesses buy other businesses all the time when they want to establish leadership in an area where they’ve clearly identified a weakness. Shouldn’t insurance companies busily buy up every infosec company out there? Aren’t those marriages made in business heaven?

These matches would transform the image of insurance within the IT community from boring and unimportant to exciting and vital. An insurance company that reframes itself as the whitest-of-white hats, dedicated to nurturing talent that wants to protect and defend against cyber threats, will see the resumes flood in.

There are plenty of talented people who want to make the world a better and safer place. Right now there are too few opportunities for all of that talent. Insurance needs that talent, and that talent needs the resources of the insurance industry to commence the huge infrastructure changes needed to de-risk the connected world.

The first insurance company to build these deep capacities in security will create a business monster the likes of which we haven’t seen since IBM. ®
