February 18, 2020
A Novel Approach to Cybersecurity
by Paul Carroll
The journey began with a possible purchase on eBay.
Robin Roberson thought to herself, “Wouldn’t it be great if I could have someone go look at the item to make sure the seller is being straight with me?” Robin realized that others might want someone to go look, too, so she founded a company called WeGoLook in 2009 and recruited free-lance “lookers” around the country. She found her way into the insurance market soon enough—why would an insurer have an adjuster drive an hour to take photos of a car accident in a rural area if a “looker” was nearby?—and built her free-lance force up to more than 30,000. Crawford & Co. came calling and bought an 85% stake at the end of 2016 at a price that valued the whole firm at $42.5 million, making Robin one of the early stars of the insurtech movement.
For her next act, Robin has set her sights on, among other things, cybersecurity, and is championing a novel approach that she and a colleague will describe in detail at the Future of Risk, April 1-3, in Chicago. (You can register here. I’m going….) I’ve known Robin for years because some of my former partners at ITL helped steer her toward insurance and even initiated the connection with Crawford, so I caught up with her ahead of her talk to get a sense of where she thinks cybersecurity and cyber insurance need to head.
The issue boils down to “tokenization,” which she and her colleague Alex Pezold, co-founder of TokenEx, have written about a bit for us here. Basically, tokenization replaces the data in a company’s systems with tokens that, given the proper authorization, can be used to summon the actual data.
That may sound rather like encryption but goes beyond it in two ways. First, the tokens bear no mathematical connection to the data they summon, so a hacker can’t simply figure out an encryption key and have access to all your data. Second, with tokenization, the data is taken off-site to a “vault” in the cloud. Hackers would have to break into it, too, and such a vault can be secured in ways that companies find nearly impossible to manage, given all the online connections they have—remember that the huge breach at Target happened because hackers snuck in via its HVAC systems. If hackers do make their way into your systems and grab your data in a tokenized system, all they get are a bunch of tokens that mean nothing to them or anyone else.
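The difference from encryption is easier to see in code. The sketch below is an added example, not code from the article, TokenEx or any vendor; the `TokenVault` class, the API key strings and the card number are all constructed for illustration, and an in-memory object stands in for the off-site vault.

```python
import secrets

class TokenVault:
    """Stand-in for the off-site vault; the only place real values are kept."""

    def __init__(self, authorized_keys):
        self._authorized = list(authorized_keys)  # callers allowed to detokenize
        self._by_token = {}   # token -> real value
        self._by_value = {}   # real value -> token, so a repeat value reuses its token

    def tokenize(self, value):
        if value not in self._by_value:
            # Random token: generated, not computed from the value, so there
            # is no key or formula that turns a token back into the data.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token, api_key):
        # Constant-time comparison against each authorized key.
        if not any(secrets.compare_digest(api_key, k) for k in self._authorized):
            raise PermissionError("caller is not authorized to detokenize")
        return self._by_token[token]


def simulate_breach():
    """Store a record through the vault, then look at what a thief would copy."""
    card = "4111111111111111"  # constructed test number, not real data
    vault = TokenVault(authorized_keys=["billing-service-key"])  # hypothetical key
    company_db = [{"name": "Constructed Customer", "card": vault.tokenize(card)}]

    stolen = [dict(row) for row in company_db]  # intruder copies the company DB
    token = stolen[0]["card"]
    try:
        vault.detokenize(token, api_key="guessed-key")
        thief_got_data = True
    except PermissionError:
        thief_got_data = False

    other_vault_token = TokenVault([]).tokenize(card)
    return {
        "card_in_stolen_rows": any(card in str(r) for r in stolen),
        "thief_got_data": thief_got_data,
        "authorized_read": vault.detokenize(token, "billing-service-key"),
        "same_value_other_vault_matches": other_vault_token == token,
    }

if __name__ == "__main__":
    print(simulate_breach())
```

The copied rows contain only the token, and the same card number tokenized by a second vault yields an unrelated token, which is what "no mathematical connection" means in practice.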
“A lot of cyber premium is being left on the table,” says Robin, who has co-founded a boutique consulting firm, Goose & Gander, that works with startups such as TokenEx. “Carriers are concerned that the risks are too great. But if insurers price policies in tiers that encourage tokenization, they can be confident that they aren’t taking on too much risk.”
She adds that tokenization just requires an API (application programming interface) layer. “People don’t understand how easy it is to implement this layer that sits between their systems and their data,” she says.
Robin thinks small to medium-sized businesses could be big beneficiaries because they don’t otherwise have the resources that big companies do when it comes to protecting their data.
Tokenization is already in widespread use with payments. “That’s the cool thing,” Robin says. “This is a solution that comes out of the finance industry.” If you insert your credit card to buy gas, she says, the pump doesn’t collect your card information. The card connects with the payment system, which simply sends a token to the pump saying you’re authorized to pump gas.
The issue has been getting insurers, and their clients, to stretch the use of tokenization beyond payments and into protection of data.
“We’re already seeing some traction,” she says.
Robin says additional data protection will position insurers and their clients to deal more easily with the growing number of privacy laws, including the California Consumer Privacy Act (CCPA), which she’s also covered for us here.
“It would behoove the industry to get ahead of the game and to start planning for all of the changes now,” she said. “When you do, you can be compliant whether you’re in California, or Oklahoma or any state.”
She and Alex will tell us more at the Future of Risk on April 2. I hope to see you there.