Insurance was out. Or was it?
The math around industrial control systems cybersecurity insurance wasn’t adding up. Unpredictable risk profiles and the prospect of constantly litigating payouts had me ready to walk away. But at the last minute I was introduced to a group of insurance veterans who had an exciting vision for the industry. And so I started investigating a second second possible business model.
Towards a cyber parametric
“It’s all hosed up,” Gerry Kennedy, CEO of Observatory Strategic Management, explained. From cyber to pandemics, insurance companies were increasing litigating instead of paying. “The industry is in a very risky position.”
What was the answer, I asked.
“What if claims are paid out instantly?”
Parametrics are essentially options contracts. Two parties agree on an “index” (e.g. a certain weather station); if a certain set of parameters are ever met (e.g. 30 inches of rain over any given 48 hour period), the policy pays immediately.
Gerry’s partner Rogan pointed to Parametrix Insurance, a new entity creating such contracts that paid in case of cloud services downtime.
Their proposal was simple: I would put together a team to build the technology that would enable Observatory to build parametric around cybersecurity events; they could create the financial instrument. It was interesting to say the least. Talking to the Observatory team, I got Mark Baum vibes (or at least the vibes one gets from watching Steve Carrell play Mark Baum). And it was exciting!
The idea percolated in my mind for a few days, while on a trip to San Francisco.
Enter the blockchain
Standing in a friend’s kitchen in the South Bay, I started explaining parametrics as we peeled garlic, while our steaks marinated.
“It sounds to me like you are trying to build an oracle.”
“What’s that?” I asked.
“Follow me.”
Into his back yard, to his converted shed that served as his office with a wall of monitors, a wall of whiteboard space, and a wall of doors. The markers came out, and he explained how oracles are tools that can enable a blockchain to interact with external data.
For cybersecurity, an example of this this could be a sort of “integrity canary” for a system, that beacons constantly as it verifies that a certain piece of software (say, the operating system of a computer) remained un-compromised.
Structured thinking
I flew home, thinking about combining these two concepts together: an oracle that could trigger a parametric when it achieved a certain state (think “pays out when computer is hit by ransomware”). I circled back with the team from Observatory, and confirmed that this was what they were interested in.
To help me think through the idea, I decided to run some simple SWOT analysis.
I ran this exercise for every startup idea (only six more to go). And if you’re on the same journey, I recommend it, if only to give you a mental starting place.
Here’s what came of it:
The not-so-strenghts
As I look back now, in June, at the “strengths” I listed in February (domain expertise, customers with ability to pay) are more about “founder” and “market”, and not the idea itself. And reading the “clear business model” point, I now disagree. The model is a “two-step,” which a mentor of mine in the weeks after would describe as a very, very bad startup model. Two-step is when you say “I’m going to do X, so that then I can do Y.” In this case: build an oracle for industrial control systems, so that a new type of insurance company can convince people that they should shift their risk management strategies to a new type of tool (parametrics). “It’s hard enough to do one thing. But to do one thing in order to try to do another thing is nearly impossible.”
With that said, let’s go through the two major weaknesses I identified at the time:
New Market
I did some calls to risk managers, but couldn’t find anybody asking or interested in parametric cyber insurance for industrial control systems. The industry is just trying to get a handle on ICS cyber risk. Would it be useful or efficient? Sure. But nobody was asking for it.
Current parametric insurance (e.g. travel insurance) is interesting, but the market has a long way to go before these types of tools are adopted by corporate risk managers.
A parametric cyber insurance company would need to go out and generate the demand for the product well before a customer even thought about a buying decision. And that wasn’t even what was on offer, which was to build the foundational technical tools necessary to facilitate such an insurance structure.
Complex Sales Cycle
Even if I could put together a hardware/software team to build an oracle, sell it to original equipment manufacturers (OEM’s - think Rockwell, Siemens, General Electric, etc.), or to operational teams at companies to convince them to somehow integrate the new piece of hardware it into their ICS networks, it would still require yet another sales pitch to the risk management team to shift their strategy away from a traditional policy and over to parametrics.
Furthermore, the parametric would be run by another company. The hardware could end up being be “new budget,” meaning that we would need to fight within prospective customers’ corporate bureaucracies to purchase the tool, or it would be wrapped up in the price of the insurance policy.
Not ready for prime time
I continued to think through the concept of building parametric insurance technology for a few more days, but ultimately passed. Not because it’s a bad idea, but because (like many ideas), it’s not ready. Here are two things that I think will, if they come to pass, indicate that parametric cyber insurance could work.
Growth of parametrics as a risk management tool. The appeal of parametric insurance is that it pays automatically, rather than after an investigation. There’s a huge growth opportunity in traditional insurance lines for this type of risk management tool, and I think it will continue to grow, especially as policyholders continue to find themselves litigating claims with their insurers will potentially spur corporate risk managers to change their buying behavior.
Loss of confidence in traditional cyber insurance policies. As risk managers start looking at their industrial control systems, then look at traditional insurance, then get frustrated as those claims get litigated, I think parametrics for industrial control systems cybersecurity could work. Given the way in which ICS are built and maintained, oracles may be easier to build for them. But that is probably a long way off.
Technology. This was the bigger one. Though many friends helped me brainstorm what potential oracles could look like, the hard part was thinking through what information could be verified, and written in real-time, such that it would enable a policy to be written around it. Parametric cyber insurance policies like Parametrix most likely use publicly-available data sources (like DownDetector) to make their determinations. It’s possible that technologies like Mighty (“thin client” browsers essentially running in the cloud) could enable the type of visibility to enable the building of these types of oracles (browser operating system = possibly easier to determine if the system is functioning normally), but I couldn’t see a way forward in the near term.
On to the next idea: risk management technology
I phoned a friend. A mentor, really. We talked for a few minutes about ICS cybersecurity, about insurance, and about the parametric technology concept. And when I conveyed where things were (i.e. that my latest idea was a bust), he jumped in.
“What about risk-scoring industrial control systems?”
And with that, it was on to the next idea.
*audio version* security on the chain (startup idea #2)