You may have seen the State Farm auto insurance commercial. A car driver named Kim refuses to speed even when she is even going into labor. Speeding would “mess with her discount.”
Kim, and many others, are opting to have their car’s telematics reported to their auto insurance companies. Telematics report driving measures such as driving speed, miles driven, and hard braking and swerving incidents. Companies also collect driving times (miles driven in overnight hours like from midnight to 4 am are more risky). This data can provide a much better estimate of accident risk than the traditional inquiry-based approach. State Farm and other auto insurance companies offer significant insurance discounts based on data gathered from individual driving habits. Auto insurance rates have traditionally been quoted base on around sixteen questions such as the driver age, education level, accident history, and home ownership status, but that is slowly changing as telematics data becomes more available.
In the past, insurers have relied on basic information about the vehicle and driver to craft a policy. With telematics, data gathered from transmitting devices paired with AI and ML work together to create a comprehensive risk analysis, helping insurers write more accurate policies. “All of this data becomes actionable,” said Donaldson. “It can be used immediately at the site of an accident to help the driver get the claims process started immediately. It can be used in accident reconstruction to enable insurers to build a more accurate assessment of what actually happened, rather than relying on witness testimony. And finally, it can be used to develop a more complete and personalized risk profile, which will ultimately have an impact on insurance rates for consumers.”
Because telematics information is gathered from the car’s computing systems, car manufacturers are now dipping their toes into the insurance business. Toyota is partnering with Nationwide to offer an insurance product:
Toyota customers who purchase an auto insurance policy and opt-in to share their driving data automatically receive an initial 10% participation discount. Upon completing the collection of driving data for 90 days, customers can earn up to a 40% final discount.
Tesla also planned to roll out its own insurance product, feeling that the car’s data would give it a risk pricing advantage over traditional insurance offerings.
Now, let’s relate this to cyber.
Cyber security consultants have been arguing for years that security is a business risk management issue, not an IT problem. Organizations are increasingly catching on and are finding ways to understand their cyber risk in terms of business risk. And that is bad news for cyber security consultants. Why? Let’s go back to Tesla. Elon Musk believes Tesla can compete in the auto insurance market because the Tesla’s telematics give them an information arbitrage advantage over the traditional insurance providers.
Cyber security consultants typically perform inquiry-based assessments. Results are presented as nebulous maturity scores or red/yellow/green color charts. Then, a security program is built around improving the maturities and/or fixing gaps. The problem is that the connection between program maturity gaps and business risk (e.g., dollar loss) is never readily apparent. Pen test are often more directly relatable to risk, but are only occasionally performed and the scope is usually limited.
How do we get to a cyber risk model more closely analogous to the auto insurance market? Two things. First, we need to instrument and validate our cyber security posture in a continuous way – more like telematics than asking general questions. Leading organizations are starting to do so, but we have a long way to go. Second, we need to have (or build) a large database of “repair costs” to help us understand and underwrite the cyber incident risk. Cyber incident cost information is hard to get for everyone – except cyber insurers.
Just as continuous instrumentation is revolutionizing the auto insurance market, it will also revolutionize the cyber insurance market. Today, cyber insurance policies are typically written based on questionnaires. As we move forward, these questionnaires will be largely replaced by more continuous instrumentation of the customer’s security posture. This has some important implications.
Cyber insurance companies will have a big information arbitrage advantage in cyber risk, including knowing what cyber controls are most effective at protecting against cyber incidents. They will also therefore know the best way to maximize cyber spending. Cyber insurers have dipped their toes into cyber consulting, and I expect to this trend to accelerate. They have no large legacy assessment and implementation teams to feed and no legacy methodologies to defend.
Vertical integration is always risky, but the cyber services market is quite large. Entering this market either through subsidiaries or partnerships is only going to increase. And it is going to disrupt the cyber consulting market. Further, insurers can immediately justify security expenses by recommending changes that will reduce cyber insurance premiums and expected cyber loss estimates. Who knows, maybe CISOs, when they see bad security practices, will be shouting in the C-suite, “don’t mess with my cyber insurance discount!”
We at Bobcat Cyber are leading the way in the intersection of continuous cyber validation, analytics, and cyber risk. Drop us a line if you’d like to discuss the future of quantitative cyber security.