Insurance companies must start buying security companies

The Insurance industry encompasses a very odd paradox: it wouldn’t exist without risk, yet does everything in its power to remove any risks for its policy-holders. Insurers only make money if they don’t pay out, and they won’t pay out if they can keep you from doing any of the things they’ve identified as risky. We’re already …

  1. Mark 85

    Theoretically this is a sound idea.

    However, having worked for a health insurance company, it's not real-world. There are only so many AV or security firms around. After the best get bought up, that leaves the "other" ones.

    The other thing is costs... they will roll their hiring practices of the AV firm into theirs and look for the cheapest not the best. If the AV isn't making money (profit-center) it's a cost-center and gets flushed away or just allowed to wither away.

    I should point out that this is local experience, but the one I can speak of bases the IT budget not on the number of users/seats, income, or profit, but on the number of customers, which puts a strain on the entire IT staff when the customer base drops a few points.

    The smart ones will follow the good advice you gave, and stick with it. The ones run by shareholders won't.

    1. Peter2 Silver badge

      Re: Theoretically this is a sound idea.

      Additionally, it misses a major point.

      You know when management (usually pointlessly) goes to an external consultancy and spends a lot of money on business advice and then hangs off of every word?

      If they employed the consultant then as an employee that person would be a subordinate. What happens to subordinates who know more about what needs doing than existing management? As you mention in your article insurance companies are truly excellent at removing risks.

      1. Anonymous Coward

        Re: Theoretically this is a sound idea.

        I currently work for a very large insurance company; judging by the speed at which we are capable of getting projects up and running, Cyber Security should be the last thing that we attempt to do..

        Insurance companies usually eventually do good work, but it is done very, very slowly; you need meetings, lots of meetings, just to decide even the colour of the coffee machine... The words "Dynamic" and "Action" are forbidden within the boundary of the building.

        Good people often leave these companies because of the incapacity to move at real-world operating speeds.. which is most definitely a requirement in the Cyber Security world.

  2. Anonymous Coward

    So, when will Kaiser buy Oracle?

    Surely Larry needs a 2nd island, and a bridge between them.

  3. Tony S

    Vicious circle

    "Insurance IT would be seen as dull, routine, and unfulfilling."

    Not just insurance; many other big businesses have the same issue. (And sadly, probably true in many cases.)

    "This rapidly becomes a self-perpetuating cycle, because without a constant inflow of talent and ideas, a business will not even know it has to take risks to adapt to change"

    It will continue to be that way until the PTB stop thinking of IT purely as a cost centre to be kept to a minimum, and start to see it as something that gives them the competitive edge.

    "An insurance company that reframes itself as the whitest-of-white hats, dedicated to nurturing talent that wants to protect and defend against cyber threats, will see the resumes flood in."

    The same is true for many other businesses. All too often, it is a short-term fad that gets dropped within a year; then they wonder why it didn't deliver the hoped-for improvements.

    Sorry for being such a miserable bugger so early in the morning.

  4. P. Lee

    Do you have to buy a business to understand it?

    Do they do that for all other industries they insure?

    Shipping? Buy a boat; satellites...? Mobile phones? This is going to get expensive.

    I think a few Best Practice documents and some internal dog-fooding might suffice.

    I'm going to be a bit unhappy if my insurance company owns AVG and I get higher premiums if I don't install AVG.

    1. James Micallef Silver badge

      Re: Do you have to buy a business to understand it?

      Insurances don't buy shipping companies etc. because risks to shipping, automobiles, life, health, natural disasters and so on have been around for a very long time. Shipping insurance was the very first type of insurance and has been around since the times of Columbus. So insurance companies already have tons of in-house experience with the risks involved in all these domains.

      Digital threats are something far newer, and most insurance companies do not have any idea how to calculate risks and potential liabilities. So they simply don't supply this form of insurance (which is why it's possible to insure your physical laptop but not the data inside it). In this sense, buying in the necessary expertise is a shortcut to having to build up that capability internally.

      Regarding the 'coolness' of IT, having worked at an insurer myself I know that most of it is the 'same old' boring stuff. But there are divisions (such as natural disaster forecasting*) that are doing real bleeding edge IT.

      *a bit off topic here, but I've always thought that insurances are a good place to find some home truths about climate change. These guys really need to forecast the possibility of disasters and their potential cost correctly or they're out of business. Seeing how these guys treat climate change scenarios is one more pointer that man-made climate change is real and it's costly**

      **for me the jury is still out on whether that's more costly than the 'anti-carbon' efforts. Probably not, though

  5. Philip Virgo

    Why buy? Already the big UK Insurance Companies are more sophisticated in their approaches to Cyber risk than almost anyone else. They delete it from the policy unless you take out a specific policy which mandates best practice and, even then, covers only the cost of implementing a pre-agreed incident management plan - which commonly includes using a mix of leading security forensics consultancies to identify who attacked you and how, so that they can decide whether to fund an "asset recovery" programme along the attack vectors used (including to launder the proceeds).

  6. tony2heads

    Insurance companies and security

    We had a home insurance company that gave away fire alarms for the home and subsidized fire extinguishers.

    That is not so wildly different to this concept.

  7. Doctor Syntax Silver badge

    There's an implicit assumption here that if you want to build expertise in a big company you buy in a company that already has that expertise. What about just going out and recruiting people? Apart from anything else, the people you recruit must have at least a vague preference for working for you. The people you buy in? Not necessarily.

  8. allthecoolshortnamesweretaken

    "The Insurance industry encompasses a very odd paradox: it wouldn’t exist without risk, yet does everything in its power to remove any risks for its policy-holders. Insurers only make money if they don’t pay out, and they won’t pay out if they can keep you from doing any of the things they’ve identified as risky."

    "We’re already seeing how the drive to autonomous vehicles will be spearheaded by insurers, simply because - on current evidence - a self-driving car gets into at least an order of magnitude fewer accidents than a human-operated automobile."

    Well... if any risk is truly and completely removed, there is no need to buy insurance anymore. I can't see the insurers invalidating their own business model. The trick is

    a) to lower the risks to a sort of break-even point where the risk of 'something bad happening' is still high enough to be an incentive to buy insurance - but low enough in terms of 'times something bad happens' and 'size of damage' so that the odd payout doesn't cripple the insurer (also, there are insurance companies that sell insurance to insurance companies)

    b) understanding the risks involved, i.e. how likely it is something will happen, how large will the damage done be, etc. Insurance companies usually have the experts they need for that, including the mathematicians. For example, companies selling life insurance have a pretty good read on life expectancies.

    All these factors (plus some others, like running costs and ROI-targets, etc.) eventually determine the price the customer has to pay.

    There is a market for insuring 'cyber risks' (whatever that means). Insurance companies will want to tap that market. So they will buy or rent the expertise they need. (Trivial, really.) They will not invalidate their business model (which has been working for a couple of centuries by now), they will merely adapt it.

    1. Tom 13

      Yep, insurance companies are the ultimate Freakonomics-type statisticians. They don't really care about the gory details of how it happens; all they really care about is that there IS a correlation. If you pay out more in insurance for red cars, red cars cost more to insure. If you're more likely to die the closer you live to 42 degrees north latitude, the more expensive life insurance is.

      So if the insurance industry isn't insuring for cyber-risk, what it means is either there are no good correlations, or there isn't enough history yet on payouts to build a business model. I'd give a slight edge to the latter as sole cause, with a decent chance there's a fair bit of both.

  9. kenc

    What about the other way round?

    Isn't it possible that at some point one of the tech companies will decide that the thing limiting their growth is the lack of insurance on offer for their particular product, and decide to offer it because they know how to mitigate the risk?

  10. Kev99 Silver badge

    Wouldn't it be safer and cheaper to go back to dedicated networks? They got us to the moon and beyond. They're what IBM & AT&T were built on. Prudential and Met grew to megalithic insurers on them. And they aren't open for all the world to see.

  11. Bob Dole (tm)

    Off your rocker

    Honestly, I think you are 100% completely off your rocker.

    Yes, the insurance industry needs to be reimagined. Have you actually taken a look at how insurance companies run? They are a morass of red tape, with entire business units purposely designed in such a way as to reduce interdepartmental communication. Their rules and regulations are intentionally misleading and confusing, not just to their clients but to their own staff. All ahead SLOW is the order of the day and god forbid they hire someone highly efficient at their job - those people don't last long.

    That type of approach is completely anathema to the world of IT security. Security done right has to be clear, readily apparent and highly efficient. It has to be highly responsive to changing situations and flexible. None of these attributes can be found in an existing insurance company.

    Due to those disparate core values, the only way an insurance company could be successful with buying an InfoSec firm is if they are willing to completely revamp their business. That isn't likely to happen.

    A far better path would be for infosec companies to hire some actuaries and start running the numbers to see how to make this work.

  12. Anonymous Coward

    The auto insurance industry might just disappear instead

    Why should you and I buy policies for our self driving car? Shouldn't that be included in the purchase price, or more likely as part of a subscription that provides you updates, warranty, service, etc. Basically we'll be buying "transportation as a service". The automaker will either be self-insuring, or it'll offload part of the risk onto a reinsurer like Berkshire Hathaway.

    1. Alan Brown Silver badge

      Re: The auto insurance industry might just disappear instead

      "Why should you and I buy policies for our self driving car?"

      Theft, vandalism, hit'n'run drivers, falling trees....

      1. Anonymous Coward

        Re: The auto insurance industry might just disappear instead

        Why should we ever buy boring-ass self-driving cars at all? If they ever make it out of alpha testing, and that's a humongous IF, they'll all be owned by Google, Amazon, and Uber. In the time it takes you to get your car out of the garage, an idle self-driving car could pull round the block and pick you up. You wouldn't need a garage, license, registration, insurance, car loan... insurance won't be the only industry to disappear.

  13. unredeemed

    I for one think this is a brilliant idea.

    New policies are being created to insure from cyber thefts and attacks. This isn't new. Organizations will decide if they need to insure against this type of scenario.

    As part of the process, the insurer, with their acquired security firm, would provide audits, analyze risks, adjust premiums accordingly... All while collecting the premium, but also up-charges or additional revenue from consulting, the audits, hardening, etc...

    It could be just another arm to an AIG or Zurich.

    This doesn't sound great as a mere person, that you have to spend more. But for a business, or large organization, a necessary evil. For the insurer, another form of revenue.

  14. amanfromMars 1 Silver badge

    A See of Limitless Opportunity and Titanic Reward

    It is an inescapable true fact in all worlds striving to thrive and survive with factions into perpetrating and perpetuating fictions,* that one cannot secure cyber space unless and until one can pwn it ...... and that is much more/just as much a blackest of black hats domain as whitest of white hats one for penetrations testing/zeroday vulnerability exploitation.

    And then there is also the added elemental quantum complication, which has one, able and enabling in the field, capable of doffing both worn hats at the same time to present the creation of something else fundamentally different and quite unique and revolutionary rather than selective evolutionary.

    Can you insure against and mitigate/monetise risk whenever dealing with FutureBuilders? In so doing, are they constructively engaged and anonymously encouraged?

    * Is that not the true current present nature of reality ...... a virtually led imaginative construct made to appear real by the power of shared and implanted thoughts? What happens whenever one delivers novel viable thoughts? Does life take an alien change of direction and production?

    The posit here is that it does easily with IT and Creative CyberSpace Command and Control of Communications and Computers ........ ITs Virtual Ways and Means with Memes.

    And is the prime major decision to be made in the here and now ..... Will it be heralded and remembered as an Eastern Triumph or Western Delight for Fools to Fight over in Search and Service of Heavenly Sight with Devilish Opportunities?

    Have a Nice Day, Y'all.

    1. Anonymous Coward

      Re: A See of Limitless Opportunity and Titanic Reward

      Have a Nice Day, Y'all

      Yar, right. Reading this just before going to what I laughingly call sleep.

      1. amanfromMars 1 Silver badge

        Re: Re: A See of Limitless Opportunity and Titanic Reward

        Yar, right. Reading this just before going to what I laughingly call sleep. .... Jack of Shadows

        After that comedy of indolence and recharging of the batteries, which be most commonly known as sleep, Jack of Shadows, is there much there to be getting one's teeth into ..... to feast on the beast and live high on/off the hog.

        And to any who would not think far enough and be moved to register a down vote, think again please and further, to realise the present and past are phorms of the future and simple crooked designs in the minds of both fools and tools and Man and Global Operating Devices and which be both carefully and carelessly shared and oft a classified TS/SCI for Expert Exclusive Executive Export.

  15. Michael Wojcik Silver badge

    In a few years?

    "Most likely, within a few years your car will be equipped with a meter, and as you slip back and forth between autonomous and human driver modes, your insurance rates will fall and rise in perfect synchrony."

    Most likely, it'll be far more than a few years before I have a car that's capable of autonomous operation. It'll be more than a few years before I have a new car, period, because I don't throw away a perfectly good tool.

    And I'll let my insurance company meter my driving when I can't find an insurance company that doesn't.

    "In a generation, our kids will probably wonder why we ever did anything as dangerous and expensive as driving ourselves around."

    Yes, because kids never do anything expensive and dangerous.

    The article is not off to a good start. Probably not surprising that I don't find the remaining arguments very persuasive either.

  16. Michael Wojcik Silver badge

    Looks like one big category error to me

    "it makes sense for an insurance company to buy an anti-virus software company, and an infosec firm, using both as the foundations for a new core business unit in cyber insurance"

    I really don't think it does.

    It might make sense for an insurance company to acquire expertise from some kinds of IT security firms, and in some cases it might make financial sense to do so by acquiring the entire firm.

    But that's hardly a foregone conclusion. Insurance companies have for centuries built statistical models for risk domains that were not well understood; and in fact we have a pretty good understanding of the risks for IT. You don't need to be an active IT security researcher to follow IT security research and news. An insurer could put some IT security professionals (they needn't be researchers) together with a team of statisticians and actuaries, churn through some historical data, and come up with models that probably work quite well.

    As for AV firms: the work they do is pretty much entirely irrelevant to the insurance business. They seek to alleviate a risk category, and so it's useful to the insurer to have some information about how successful they're likely to be, but actual AV prevention, and even research, is pretty much beside the point.

    And I don't know what AV firms would be worth buying in any case. The better ones are small operations with straightforward systems that aren't especially complex or innovative, because this is not an area where innovation brings much benefit. The big ones are bloated morasses of ill-conceived features and lousy user experiences.

    Sure, it'd be swell if insurance companies decided to start hiring IT security people and drove wages up. I don't see much benefit for the companies or their policyholders, though.

  17. Anonymous Coward

    Enterprise Agile

    I work for a mid-sized multi-national insurance company in North America. I am an underwriter, marketer, and now by default a web application developer. I absolutely agree with all of this and especially the comment above about moving really, really slowly.

    The challenge with agile methodologies for any financial institution is that the risk of a bug or error is too great. I.e. quickly writing a mobile app for getting an insurance policy that doesn't validate that the user is within the territory where you are licensed to operate is not ok, compared to a social network where a minor bug of this nature might be ok.

    That can change though. I have a theory of "Financial Enterprise Agile" whereby you establish certain rules for code, applications, firewalls, etc. Those rules can then be developed into a quick security audit framework that can be applied to anything before it goes live. This would, hopefully, allow an organization to be semi-agile, at least releasing changes quicker than the current snail's pace while hopefully reducing the risk to a tolerable level. It's not perfect, but better than the current inaction.

  18. chrismeggs

    And now, Banks!

    It is to be applauded that the insurers of this world have at least a decade or so to claw desperately back from the cataclysmic edge of total systems failure, and even more so if, in the process, they recognise that they MAY not be the country experts in IT.

    Now, is it too late to get the banking fraternity to make the same self discovery?

    We hope not.

  19. MrTuK

    Insurance companies move very, very slowly indeed!

    I used to work for one arm of an Insurance company in London, and to say they move very slowly is the understatement of the century!

    I was using Win 7 64 as they were migrating from Win NT 4.0 to XP!

    I was pushing them to get remote access years before they finally gave it to me?

    Their IT equipment was so far behind the times that I asked when they were going to open a museum to put it all into!

    I had a simple laptop which was so much faster than their desktop systems that it was like a Formula 1 driver becoming a milk float driver as a change of career!

    A simple thing like using Win 7 64 with 8GB+ of RAM was so much more efficient to work with than an XP PC with 2GB, but they just couldn't grasp that!

    Agreed, I am a PC enthusiast, so I was always at the bleeding edge of tech, but when your IT manager and several other techy guys were asking me what PCs they should purchase, it really got me worried!

    So yeah, I know that in the Insurance business when they say move at full speed they actually mean at about half the speed of a snail, but with a lot more red tape than you can ever imagine!
