This is the audio version of pwn the future, post #5, originally posted on June 21st. Pwn the future is a blog covering the startup ideas I’ve been considering at the intersection of industrial control systems and cybersecurity. If you missed the article in June, I’ve copied it in full, below:
always mark the exits
Working at the “Fight House” is an exercise in simultaneous multi-threaded short-, medium-, and long-term thinking. In addition to driving multiple national and global initiatives at any given time, NSC Senior Staff can also be hauled into the National Security Advisor’s office or the Oval and unceremoniously fired on the spot. This leads to two oft-repeated tropes for those working in the White House:
First: Always leave work via the “Navy Steps” of the EEOB (where most staffers work), which face east over the White House, and take it all in, because every day could be your last.
Second: Always have an exit plan.
By early 2019 I had done a good job with the first. And a terrible job with the second.
this way out
When I first took the job in early 2017, I wrote down six big goals on my office white board. Three years in, my team and I were closing in on completion of all six; I finally allowed myself to think about what I would do next.
Having been at the focal point of the U.S. government’s national cybersecurity coordination and policymaking apparatus through WannaCry, NotPetya, and any number of other incidents, near-misses, and significant events, I wanted to find a way to continue securing the world’s most important and sensitive infrastructures, both commercial and governmental.
The answer seemed simple: insurance.
risky business
The idea was to insure the industrial control systems, sometimes called operational technology (“OT”), of big companies against cyber attack. My first task, therefore, was to learn about insurance.
A mentor who had previously built and sold an insurance company recommended this textbook, which I purchased secondhand, highlighted thoroughly, and retained just enough to have high-level exploratory conversations with experts in my personal network who worked in, or were knowledgeable about, insurance.
Those early conversations helped me understand that the company could start out as a “Managing General Agent” (MGA), a type of entity that enters into agreements with big insurance companies. MGAs can write insurance policies within a set of pre-agreed parameters on behalf of major insurance companies, similar to the way an investor at a VC firm deploys capital on behalf of an LP through the structure of the VC fund. This MGA would sell policies through insurance brokers, who maintain the client relationships.
dipping a toe in the risk pool
After a few more weeks of investigation, I started to see the following patterns:
Limited OT cyber expertise in the insurance industry.
Opaque pricing, paired with significant (1-3x) year-over-year price increases.
Rumors of significant litigation when policyholders seek to cover major damages, especially when those damages are being claimed under a non-cyber policy.
Lack of clarity over whether existing cyber insurance policies covering IT were also covering risks to OT. The experts I spoke with said damage could in theory be covered by a business interruption (“BI” or “property”) policy, an errors and omissions (“E&O”) policy, or a cyber policy.
Customers were similarly concerned and confused: when I asked them what risk transfer tools they were using to address cyber risk to their OT systems, the most common response was “good question, I need to look into that.”
This information was actually favorable in my mind: a small team of OT cybersecurity experts paired with open-minded insurance professionals could build simple risk models around OT networks that would allow us to score risk.
Additionally, it meant we could try to create an entirely new class of insurance policy (“OT cyber insurance”). Why would this happen? Because, as friendly industry experts told us, they expect OT cyber attacks to be litigated, settled, and, eventually, “excluded” from the other types of annually renewed insurance policies (whether E&O, BI, or Cyber). Given that each of those types of insurance covers specific types of damages and losses, it is likely that, over time, novel cyber-specific events would come to be carved out as not covered. This might open an opportunity to create a new kind of insurance specifically for OT cyber, which we would be able to price and sell.
I even built a very, very rudimentary MVP for OT cyber risk scoring by picking out ten indicators of vulnerability, and breaking down what a 1-10 risk score might look like. This yielded a very basic, 0-to-100 score.
So far, so good.
whose risk is it, anyway?
And after a few more weeks of discussions with insurance experts, I came to two big conclusions:
Cutting-edge insurance companies like Coalition are insurance companies first and providers of other services (e.g. cybersecurity technology) second; they offer all types of insurance coverage for a full range of companies (up to $3bn). Even if they take losses on their cyber policies, they make predictable revenue from other policies, buy reinsurance policies, and can adjust their cyber premiums over time as they get better at both calculating and minimizing client risk.
Putting my cyber hat back on, I realized that beyond basic risk mitigation (e.g. ensuring use of best practices), it would be very hard to calculate cyber risks to OT, as they’re likely “fat-tailed.” Just like NotPetya, which exploited a globally-present vulnerability to cause tens (if not hundreds) of billions of dollars of damage, incidents affecting OT systems and networks would likely be intermittent, unpredictable, systemic, and potentially catastrophic.
brown turkey, or black swan?
The more I mulled this over, the more I realized that an OT-specific cyber insurance company might fall prey to the “turkey problem,” operating profitably for months or even years, then experiencing catastrophic losses during a single incident.
Insurance startups specializing in cyber insure diversified and unconnected risks, from hail damage to slip-and-fall litigation. But specializing in only OT cyber risk would ultimately mean insuring against cyber threats to perhaps 5,000-10,000 specific SKUs of equipment made by ~100 OEMs, with significant overlap across clients, regardless of industry. Malware using a vulnerability (zero-day or otherwise) affecting a single, widely-used piece of equipment could have wide-ranging effects across a broad range of customers.
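The “turkey problem” above can be made concrete with a toy simulation (added here as an illustration; this is not code from the original post, and every parameter in it is a constructed assumption). It compares two books of business with roughly the same expected annual loss: one where each insured fails independently, and one where every insured runs a handful of the same ~100 equipment models, so a single exploited model hits every plant that uses it.

```python
"""Constructed toy simulation of correlated OT cyber risk (the 'turkey problem'):
a book of policies whose insureds share a small set of equipment models has a far
fatter loss tail than a book of independent risks with the same expected loss."""
import random
from statistics import mean, quantiles

# Constructed portfolio parameters (assumptions, not figures from the post),
# chosen so both books expect roughly 10 units of loss per year.
POLICYHOLDERS = 200      # insured plants
SKUS = 100               # distinct equipment models in use across the book
SKUS_PER_SITE = 5        # each plant runs a handful of the shared models
P_INDEPENDENT = 0.05     # annual incident probability if risks were independent
P_SKU_EXPLOITED = 0.01   # annual probability a given model is hit by wormable malware
YEARS = 5000             # simulated policy years per scenario

def simulate_independent(rng, years=YEARS):
    """Annual losses when each insured fails on its own (hail / slip-and-fall style)."""
    return [sum(rng.random() < P_INDEPENDENT for _ in range(POLICYHOLDERS))
            for _ in range(years)]

def simulate_shared_sku(rng, years=YEARS):
    """Annual losses when one exploited model knocks out every insured that runs it."""
    fleet = [set(rng.sample(range(SKUS), SKUS_PER_SITE)) for _ in range(POLICYHOLDERS)]
    losses = []
    for _ in range(years):
        exploited = {s for s in range(SKUS) if rng.random() < P_SKU_EXPLOITED}
        losses.append(sum(1 for site in fleet if site & exploited))
    return losses

def summarize(losses):
    """Mean annual loss, 99th-percentile annual loss, and share of loss-free years."""
    p99 = quantiles(losses, n=100)[98]
    zero_share = sum(1 for x in losses if x == 0) / len(losses)
    return {"mean": mean(losses), "p99": p99, "zero_share": zero_share}

def compare(seed=7):
    """Run both scenarios with a fixed seed so the comparison is reproducible."""
    rng = random.Random(seed)
    return {"independent": summarize(simulate_independent(rng)),
            "shared_sku": summarize(simulate_shared_sku(rng))}

if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:12s} mean={stats['mean']:.1f} p99={stats['p99']:.0f} "
              f"loss-free years={stats['zero_share']:.0%}")
```

The shared-SKU book looks healthier most years (roughly a third of them are loss-free, versus almost none for the independent book) while its worst years are far worse, which is exactly the profile a reinsurer would price for.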
This took a few days to sink in. Even though the problem of catastrophic losses could be solved by working with reinsurance firms, I ultimately decided that building an OT cyber insurance firm would draw me into the world of insurance, as opposed to the world of securing industrial control systems. It was time to move on...
You’ve got to be kidding me: insurance + blockchain?
Right when I was about to throw in the towel on economic risk management tools, another entrepreneur introduced me to some insurance industry insiders who told me about a relatively obscure and novel mechanism called “Parametrics.” My curiosity was piqued by phrases like “verifiable event,” and I started reading up on these next-generation policies that pay out automatically once certain conditions are met.
Parametrics reminded me of certain conversations I had been having with my crypto friends, so I mentioned the concept to a friend deep in the crypto world, and we got together over steak to whiteboard out the potential for building cybersecurity “oracles.” The prospect of building a next-generation, potentially on-chain, economic risk management tool now had my interest.
How, exactly? Stay tuned: I’ll cover that idea in the next post.