Reposted, as it is Chinese New Year for Zarc Gin, our regular Insurtech Expert based in China.
Why do Banks exist? That is not some deep, philosophical question about the role of money in society. Banks exist to protect your assets from thieves. Because they do a good job of this, they can make a lot of money lending some multiple of what they store in the vaults. The only difference now is that the modern versions of Butch Cassidy and the Sundance Kid are getting monitor tans as they attack the vaults from their computers.
Money is one asset to protect. Data is another. So is data about assets. In the digital age, it is all about data. And data is easy to steal.
All the good things that we write about on Daily Fintech – all that agility/productivity enabled by data and connectivity – also benefit Butch Cassidy and the Sundance Kid.
Cyber Risk is one nerdy subject that gets Board level attention because the risk is so high. Global 2000 companies can lose $ billions from a single hack. The problem is that cyber security is also an intensely complex subject technically.
One reason that so many influential leaders subscribe to Daily Fintech is that we are good at translating Fin to Tech and Tech to Fin. So we are attracted to the challenge of translating Cyber Security Nerd-Speak to Boardroom-Speak. It is one of the toughest translation jobs around. Even with a lot of technical experience, Cyber Security can be daunting. Even with a lot of business experience, understanding how a Global 2000 Board thinks can be daunting. Both are tough on their own. Translating between the two is even tougher, because they could not be further apart.
That translation, though hard, is ultra-critical. The Board has to really understand Cyber Security and they are currently failing at this task. This article on LeadingBoards describes the problem very well.
Cyber Security technology = big budgets & bigger risk
The global cybersecurity market reached $75 billion in 2015 and is expected to hit $170 billion in 2020 (source, Forbes).
This is one market where the “you never get fired for buying (insert Big Tech vendor)” mantra breaks down. In most other enterprise technology markets, the big vendors tend to win because the Boardroom does not really care who is picked. So the senior IT managers making the decision go for the vendor that is competent enough to do the job and big enough that if it all goes wrong they can say “but all our well-respected peers made the same decision”.
That defence breaks down in Cyber Security because the risk is so high. Nor can a Board simply say “the CISO who made the decision has already been fired”. The Board has to take direct responsibility. Which means the Board has to understand Cyber Security.
How is the Board supposed to understand something as nerdy as Cyber Security?
We take a lot of briefings on cyber security technology, because we know how important it is. Listening to all these super-smart tech guys explaining the latest cyber security teaches us that a) it is hugely complex and b) there is no silver bullet.
We use a simple mental map that translates Cyber Security to the analog world:
- Perimeter Security is where most money is spent. Think fences, guards, dogs. The fundamental problem is that somebody will always get through. The bad guys also benefit from Moore’s Law and can use SMAC (Social Mobile Analytics Cloud) to collaborate and share (what has been dubbed Crime As A Service). You can be the biggest bank or the biggest government and you still get hacked.
- Digital ID. Think biometric scanners (finger, eye, voice etc) that determine who can get into the building. We have written a lot about Digital ID technology and it is improving at a remarkable pace. The problem is collusion with a trusted insider who is part of the crime gang; the person with a perfect Digital ID is a criminal.
- Protect from the inside. This assumes that both Perimeter Security and Digital ID are imperfect. One way to protect from the inside is process controls (for example needing more than one person to send a wire). This also suffers from the collusion problem, but it is better because it is harder for criminals to corrupt both individuals in a process than one. Another way is to write code that is secure. The problem is that both better process and better code hit the agility/efficiency problem. Banks have to move fast and efficiently to beat competition AND be secure. One alone is not enough. For example, Banks want to use high level languages and tools that enable rapid time to market even if that means the developers are not thinking much about security.
- Protect when data leaves the vault. This assumes that all three methods above will fail. The analogy here is marked banknotes used in a kidnap ransom. Again, the bad guys have very sophisticated technology to get rid of these markings, so this is yet another arms race.
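The "more than one person to send a wire" control above is worth seeing in working form, because the useful part is not the headcount but the checks around it: the requester may not approve their own wire, the same approver may not count twice, and an approval must be bound to the exact beneficiary and amount it was given for, so that nobody can get a small wire approved and then edit it. The following is an added example written for this page, not code from Daily Fintech or any bank; the user ids, amounts and the 10,000.00 dual-control threshold are constructed for illustration. It does not, and cannot, stop two genuinely colluding approvers, which is the residual risk the text describes.

```python
# Dual-control ("four-eyes") release of outbound wires.
# Added example, not Daily Fintech's code; user ids, amounts and the threshold are constructed.
from dataclasses import dataclass, asdict
import hashlib
import json

DUAL_CONTROL_THRESHOLD = 10_000_00  # constructed: 10,000.00 in minor units (cents)


@dataclass(frozen=True)
class WireRequest:
    request_id: str
    requester: str      # the user who keyed the wire
    beneficiary: str    # destination account
    amount: int         # minor units, so there is no float rounding to play with
    currency: str

    def digest(self) -> str:
        """Hash of the canonical request. Approvals are bound to this value, so
        editing the beneficiary or amount after approval invalidates the approval."""
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class ApprovalError(Exception):
    pass


class WireApprover:
    """Tracks approvals per request and decides when a wire may be released."""

    def __init__(self, threshold: int = DUAL_CONTROL_THRESHOLD):
        self.threshold = threshold
        # request_id -> list of (approver, digest of the request as it was approved)
        self._approvals: dict[str, list[tuple[str, str]]] = {}

    def required_approvals(self, req: WireRequest) -> int:
        # Someone other than the requester always checks; large wires need two checkers.
        return 2 if req.amount >= self.threshold else 1

    def _valid_approvals(self, req: WireRequest) -> list[tuple[str, str]]:
        # Drop approvals given for an earlier version of the request (digest mismatch).
        d = req.digest()
        return [(who, dg) for who, dg in self._approvals.get(req.request_id, []) if dg == d]

    def approve(self, req: WireRequest, approver: str) -> int:
        if approver == req.requester:
            raise ApprovalError("requester cannot approve their own wire")
        current = self._valid_approvals(req)
        if any(who == approver for who, _ in current):
            raise ApprovalError("an approver cannot approve the same wire twice")
        current.append((approver, req.digest()))
        self._approvals[req.request_id] = current
        return len(current)

    def is_releasable(self, req: WireRequest) -> bool:
        distinct = {who for who, _ in self._valid_approvals(req)}
        return len(distinct) >= self.required_approvals(req)


def demo() -> dict:
    """Walk through the checks; returns the outcomes so they can be asserted on."""
    out = {}
    approver = WireApprover()
    big = WireRequest("W1", "alice", "ACME-9921", 25_000_00, "USD")

    try:
        approver.approve(big, "alice")
    except ApprovalError:
        out["self_approval_rejected"] = True

    approver.approve(big, "bob")
    out["releasable_after_one"] = approver.is_releasable(big)      # 25,000.00 needs two

    try:
        approver.approve(big, "bob")
    except ApprovalError:
        out["double_approval_rejected"] = True

    approver.approve(big, "carol")
    out["releasable_after_two"] = approver.is_releasable(big)

    # Tamper after approval: same request id, beneficiary swapped for a mule account.
    tampered = WireRequest("W1", "alice", "MULE-0007", 25_000_00, "USD")
    out["tampered_releasable"] = approver.is_releasable(tampered)  # approvals bound to old digest

    small = WireRequest("W2", "alice", "ACME-9921", 500_00, "USD")
    approver.approve(small, "bob")
    out["small_releasable_after_one"] = approver.is_releasable(small)
    return out
```

Binding each approval to a hash of the whole request is the detail that turns a headcount rule into a real control: the tampered wire in `demo()` keeps its request id and amount but is no longer releasable, because every stored approval refers to the original beneficiary.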
If you cannot measure it, you cannot manage it
That is one of the oldest truisms of business. If you listen to the pitches of any Cyber Security vendor, you will hear that they have the solution. The problem – as any reasonably attentive business person can observe – is that even companies with all this smart technology still get hacked. The empirical evidence is that there is no silver bullet.
Insurance has historically worked on statistical models. This works fine – until it no longer works. When something fundamental changes, the models become deeply flawed. We have tracked this as it relates to catastrophes created by climate. The use of data and connectivity by cyber-criminals is analogous. The risk went up in unpredictable ways. It is no longer good enough to rely on historical models. Cyber Risk is like Climate Risk – the historical models do not predict the future accurately enough.
What companies want is something as simple as a cyber security safety rating. Insurance Companies have the right motivation to give an honest rating (unlike credit rating agencies that are paid by the seller). Insurance Companies won’t award an AAA cyber security safety rating to a BBB company, because they will pay in claims for getting it wrong.
That means Insurance Companies need to turn into cyber security experts. A tech vendor may say “we have the secret sauce” to change your rating from BBB to AAA and thus lower your premiums. The Board will say “sure, if you can convince our Insurance Company that this will lower our premiums, we have a deal.”
Startups in this risk metrics space include Cyence, BitSight and Security Scorecard.
Cyber Risk Insurance is a data game and that is a problem
Cyber Risk is one of the fastest growing parts of the Insurance market, accounting for over $3 billion in premiums.
Banks are in better shape than others. Protecting against thieves has been a core competency for longer.
Cyber Risk Insurance people differentiate between Micro and Macro. The latter is the news-worthy hacking between governments (cue image of the nerdy young Q in recent James Bond movies). Our concern is the more boring Micro Cyber Risk Insurance – exciting enough as this is about whether huge companies can lose $ billions from a single hack. The Micro could become the Macro if a number of Micro hacks led to a crisis of confidence in the financial system akin to September 2008.
Talking to experts in this relatively new field it is hard to get a lot of on the record quotes. That indicates a market that is nascent enough that the solutions are not obvious. To entrepreneurs that signals opportunity.
Bernard Lunn is a Fintech deal-maker, investor, entrepreneur and advisor. He is the author of The Blockchain Economy and CEO of Daily Fintech.