Tag Archives: fico

Better Way to Assess Cyber Risks?

As the saying goes, there are two kinds of motorcyclists: Those who have fallen off their bikes and those who will.

The insurance industry assesses the corporate world’s cybersecurity risk much the same way. Everyone is equally at risk, and, therefore, everyone pays the price for higher insurance premiums.

Not a day seems to go by without news of a high-profile security breach. It’s no surprise, then, that the cybersecurity insurance market is expected to rise to $7.5 billion by 2020, according to PwC. Even worse, the industry does not have effective actuarial models for corporate cybersecurity, say Mike Baukes and Alan Sharp-Paul, the co-founders and co-CEOs of UpGuard.

The two audacious Australians have developed what they say is a better way to assess the risk for cybersecurity breaches.

peep

Alan Sharp-Paul (L) and Mike Baukes (R), Co-Founders and CO-CEOs, UpGuard

The pair’s company recently unveiled its Cybersecurity Threat Assessment Rating (CSTAR), the industry’s first cybersecurity preparedness score for businesses. UpGuard’s CSTAR ranking is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages because of misconfigurations and software vulnerabilities, while also offering insurance carriers a new standard by which to more effectively assess risk and compliance profiles.

According to Baukes and Sharp-Paul, many companies forego available policies due to perceived high cost and uncertainty that their organizations will suffer an attack. With countless patches and endpoint fixes slapped onto IT infrastructure to hastily remediate breaches, companies have found themselves with less visibility into their core systems than ever before and, as a result, no way to understand how at-risk they are for hacks. With CSTAR, businesses are able to regain transparency into their own stack and take the appropriate steps to bolster their cybersecurity. Insurance carriers, meanwhile, can make smarter underwriting decisions while accelerating the availability of comprehensive and cost-effective cybersecurity insurance policies for businesses. It’s a win-win for both the insurance industry and for businesses.

After spending years in financial services in Australia and the U.K. and witnessing the disarray of corporate IT, Up-Guard’s two co-founders decided they could make a difference by developing a better way for corporations to understand their software portfolios and their associated potential risk for security breaches. Baukes says, “Our experience showed that that there were thousands of applications and thousands of machines powering all of this critical infrastructure. And the thing that we learned throughout all this was just how hard it is for an IT organization to understand and get a handle on what they’ve got.”

“Today, everything is out in the cloud,” Sharp-Paul says. “We’re all more connected. Employees are connected 24 hours a day, seven days a week. Now what keeps CIOs and CEOs up at night is, ‘If we get breached, I could get thrown in jail. I could get sued.’ It’s a very, very different world we live in today. We built a system to help companies understand and prevent downtime, and helping them save on project costs is just as relevant today from a security perspective.”

The two initially started a consulting company to help companies catalogue and manage their software platforms and applications. According to Sharp-Paul, “We realized the biggest problem companies have from an IT perspective is that they don’t really have appropriate visibility into what they’ve got and how it’s changing because so many things are changing daily in these environments that it’s really hard for them to know what ‘good’ looks like.”

Sharp-Paul and Baukes’s consulting led them to develop software to automate the process, providing the means to quickly and effectively crawl every server and software application to present a profile of what needed to be updated or patched and to identify the system holes that allowed for security breaches.

As Baukes tells it, “Getting that all to mix well and be safe, secure and capable of pinpointing where problems go wrong really quickly is an incredibly difficult task. So, we built up the first commercial version of the product—a very rudimentary version—and we shopped it around, and people were very excited at the time.”

From there, the pair realized their software had commercial potential and implications more far-reaching than what they had first thought. “We started with that very simple version with a few sales and no sales force—just Alan and [me] at the time—growing to the point now where we now have 3,000-plus customers, and the team is steadily being built,” Baukes says.

Now, the company has nearly 50 employees and is growing fast. The Mountain View, CA–based company attracted early seed funding from the likes of Peter Thiel, Dave McClure and Scott Petry, leading to a near $9 million Series A funding underwritten by August Capital.

The co-CEOs admit the co-managing arrangement is unconventional and would be challenging to make work under different circumstances. However, Baukes and Sharp-Paul feel their skills and temperament complement each other.

“To be honest, when people ask us about it, my first response is always that it’s a terrible idea,” Sharp-Paul says. “And that’s not because it’s been a horrible experience for us. It’s because I kind of think we’re really the exception. And the only reason I say that is that I know the unique things we went through and the type of people we are that makes this work. I can’t imagine that being a common thing at all.”

Baukes is generally a more aggressive and strategic thinker, while Sharp-Paul describes himself as more pragmatic and conservative.

Sharp-Paul and Baukes first worked together at the Colonial First State Investment firm back in Sydney, where the two lived the DevOps experience before DevOps became the buzzy concept that it is today. There, Sharp-Paul was a web developer, and Baukes was a systems administrator, and they talked a lot about things like continuous integration and continuous delivery.

“Now these are all fantastic things,” Sharp-Paul says. “But you need a foundation or a basis of understanding what you have. I mean, we like to say you can’t automate what you don’t understand. Or you can’t secure or fix what you don’t understand. And that’s always missing. Everyone’s trying to rush to this goal of DevOps or moving to the cloud. Everyone wanted to be there, but companies and vendors in particular weren’t helping businesses on the journey there.”

Baukes says, “Once you have that base understanding of what you have, then that opens everything else up. You can think about DevOps. You can think about automation. At the time, we were thinking, ‘Why hasn’t anyone thought to do this before?’ It seemed like such a foundational, basic thing. It was almost like it was so foundational that everyone just moved past it, and they were looking at the next shiny thing down the road. I think that was the white space. That was our opportunity. We jumped on it.”

As it turns out, in the world of corporate IT, applications never get retired. Even worse, the people who manage them move on because the life cycle of an employee at a company is short. As as result, the institutional knowledge about these applications is lost.

“Corporate memory is so short typically,” Sharp-Paul says. “They often get to this point five years down the track where they rediscover this server or this application, and everyone’s too scared to touch it because they don’t know what it does. They don’t know how it works. The people with the knowledge just left with it all in their heads. We come across that all the time.”

Sharp-Paul and Baukes had always seemed destined to do something on their own.

“I always had a healthy disrespect for authority. Throughout my corporate life, I was looking outside to see what else is [WAS?] out there,” Sharp-Paul says. “I actually started the first step of creating a business on my own—with something as mundane as a French language website that I used when I moved overseas for a couple of years. … It taught me that I can actually build something myself that makes money.”

Baukes agrees.

“The big difference is that I grew up in an immigrant family in the middle of nowhere, effectively. I won’t say the Australian Outback, but really rural,” he says. “We built everything ourselves. My father was a great wheeler and dealer. So, I learned a lot of from him. I fell into all of this by playing computer games and was really good at it, frankly. For me, that was a springboard into an accidental corporate life. I always knew that I would do something else.”

Now, for the future?

Baukes says, “It makes good business sense to quantify the risk in your company’s IT systems and report it effectively. And I think that for us, we could continue growing our business with that in mind—giving people visibility, helping them get to the truth of what they’ve got, teaching them how to configure it, and showing them if they’re vulnerable. That is beginning to accelerate for us, and we’re incredibly proud of that.

“We truly believe that, over time, CSTAR will be adopted as an industry standard that companies and carriers alike can rely on to make critical coverage and cybersecurity decisions.”

How to Remove the Roadblock for UBI

Once upon a time, the auto insurance industry relied on motor vehicle reports, drivers’ records, business addresses, financial credit reports, claims histories, policyholder-stated VIN and mileage information, etc. to make an underwriting and rating decision. This scant information provided a fuzzy picture of risk, at best, so insurers built in a pricing cushion to protect against losses and figured it all out at the end of the year.

Fast forward to today, and insurers have volumes of real-world driving data at their fingertips to inform more precise underwriting and pricing. With the proliferation of telematics devices, whether after-market or factory-installed, and mobile tracking and recording apps, we now can know where, when and how an individual vehicle is driven. We can know area and hours of operation, driving behavior, route histories, vehicle performance characteristics and much, much more. We can even re-create collisions using the data.

With data-driven usage-based insurance (UBI), we now can formulate a clear picture of driving risk and remove the guesswork. In short, we have the potential to write for a group of one, based on observable, verifiable data.

Some numbers to consider:

  • Currently nearly 30% of all commercial vehicles have some form of telematics device installed. This figure is expected to reach 70% in 2017. (C.J. Driscoll & Associates)
  • Today’s telematics devices record nearly 300 billion miles of driving data annually.
  • 94% of all small businesses report using smartphones in their businesses. (2014 AT&T-SBE Council Small Business Technology Poll)
  • Approximately 30 auto manufacturers (original equipment manufacturers, or OEMs) are busily equipping vehicles with data devices today.
  • More than 70 telematics service provider (TSP) fleet management services companies in the U.S. are equipping trucks, cars and utility vehicles with telematics.
  • More than half of small fleet managers are likely to stay with their current insurance carriers if their insurer offers UBI (Lexis Nexis’ 2015 Commercial Usage-Based Insurance Study)
  • Global sales of insurance telematics products are projected to grow at a compound annual growth rate (CAGR) of 80% from 2013-2018, and the subscriber base is expected to reach 85.5 million in 2018. (Research & Markets).

We are quickly reaching a tipping point for UBI programs that rely on data collection and analysis as the basis for a “pay how you drive” approach to auto insurance.

However, insurers looking to take advantage of this driving data face some tough questions: Where does all this data come from? How is it collected? How can different data sets be normalized? How can insurers store, analyze and manage such a huge volume of data?

The solution for insurers large and small very likely will be a telematics data clearinghouse.

Multiple Data Sources: OEMs, TSPs, Mobile Apps and More

The first problem insurers face is negotiating with 70 different TSPs and 30 OEMs for their data, which adds complexity, time and expense to the process of acquiring the driving data needed for an effective UBI program. A clearinghouse solves the problem of accessing data on millions of vehicles by aggregating data from available sources. Rather than negotiate with dozens of data suppliers, an insurance carrier merely subscribes to the clearinghouse for access to all of that data, at a single price. 

Multiple Formats: Not All Data Is the Same

With so many data sources, each using different telematics devices and software, pulling data from different types of vehicles, the aggregated data is a jumble of formats, with no two data sets the same. A clearinghouse plays a critical part in scrubbing, authenticating and normalizing this data for handoff to underwriting.

Making Big Data Digestible… One Byte at a Time

UBI represents a monstrously big IT effort for an individual insurer. With nearly 300 billion miles of driving data available, we’re talking about petabytes of data to acquire and analyze. Even the largest insurers must weigh the benefits of devoting precious IT resources to developing and running a complete UBI data collection, storage and analysis effort. In contrast, a clearinghouse is built to manage big data in a big way, delivering a clean, authenticated data set to the insurer, integrated seamlessly into the underwriting process for easy access and use.

Evolution of a Safe-Driving Scoring Standard

With access to data from millions of vehicles, a clearinghouse is also able to provide comparative analytics and calculate a fleet’s safe-driving score, the driving equivalent of a FICO financial credit score and a much more accurate predictor of risk. A complement to current driver score cards offered by many TSPs (which measure individual driving behaviors such as speeding, harsh braking and hard cornering), a fleet score factors in all drivers, as well as the vehicles they drive and the environment in which they drive. The fleet score analyzes variables including weather, time of day, road surface and traffic dynamics. An overall fleet safety score compares fleets of similar SIC codes and territories to derive an indexed score and ranking – a meaningful risk assessment and underwriting tool more powerful than anything else in use today.

Data Privacy and Protection: Permission-Based

Yet another crucial role played by a clearinghouse is data protection and privacy. Clearly, the vehicle owner owns the data generated by that vehicle in the course of a driving trip. But once it is in the UBI transaction chain, how is that data protected? Who sees it, and what is done with it? The clearinghouse serves as gatekeeper. With the consent of the vehicle owner/policyholder, the clearinghouse facilitates the secure sharing of encrypted data with the insurer, allowing the data owner to control who sees the data and why. Such protection encourages voluntary participation by vehicle owners, helping fuel the growth of UBI. 

Data Transparency and Portability: You CAN Take It with You

Data transparency and portability go hand-in-hand with data ownership. As a consent-based data sharing service, the clearinghouse offers complete transparency to the data owner. The vehicle owner knows what data is being requested and has the option of permitting or denying access. The clearinghouse allows the data owner to share his data and driving safety score with multiple insurers.

Data Clearinghouse or Data Exchange: What’s the Difference?

Aggregated driving data services are taking different forms. While all share the purpose of providing a “one-stop” storehouse of driving and vehicle data, they do not all operate in the same manner or provide the same services.

The primary distinction can be explained as an open marketplace vs. a closed system.

As an open market, a clearinghouse merely facilitates the transfer of data from vehicle owner or TSP to insurer. The insurer then underwrites a policy based on this data (and other factors the insurer deems important) and determines a policy premium. In this open system, there are no regulatory filings required; data is used in the insurer’s existing underwriting process, and the insurer retains complete control over pricing, applying credits as warranted. Furthermore, the marketplace determines the value of the data: How much is an insurer willing to pay for detailed trip histories, for example?

In contrast, an exchange uses driving and vehicle data to compute a rating and pricing recommendation for the insurer. Because the exchange is determining price, this rating system must be filed with state regulators. In this closed system, the exchange assumes the role of underwriter and pricing specialist, leaving the insurer with little room for proprietary pricing, segmentation or differentiation. The exchange controls the data and the insurance product.

Data-Driven, UBI: A Return to Profitable Auto Underwriting

UBI offers auto insurance carriers an unprecedented view of vehicle use and driving behavior. Insurers that embrace UBI and develop a data-driven underwriting and ratings process will benefit from more consistent underwriting, improved segmentation and better selection. Those that do not will likely suffer from adverse selection and an underperforming book of business.

The key to successful UBI adoption will be access to, normalization of and correct interpretation of all this data. Undoubtedly, auto insurance carriers will be hearing more about the clearinghouse concept and the pivotal role it plays in UBI.

Analytics at the Next Level: Transformation Is in Sight

Although insurance companies are embracing analytics in many forms to a much higher degree than other businesses, adoption by the insurance industry is still only in its adolescent stage. Deployment is broad but inconsistent. The use of analytics may be about to mature considerably, though, based on a recent series of mergers and acquisitions.

Currently, while a majority of large carriers use predictive modeling in one of more lines of business, and mostly in personal lines auto, a smaller percentage use it in their commercial auto and property units. Insurers recognize predictive analytics as a critical tool for improving top-line growth and profitability while managing risk and improving operational efficiency. Insurers believe predictive analytics can create competitive advantage and increase market share.

Fueling even greater excitement – and soon to be driving transformational innovation – is the recent surge of M&A activity by both new and nontraditional players, which have combined risk management and sophisticated analytics expertise with robust and diverse industry database services. The list of recent deals includes:

  • CoreLogic’s 2014 purchase of catastrophe modeling firm Eqecat, following its 2013 acquisition of property data provider Marshall & Swift/Boeckh; a significant minority interest in Symbility, provider of cloud-based and smartphone/tablet-enabled property claims technology for the property and casualty insurance industry; and the credit and flood services units of DataQuick.
  • Statutory and public data provider SNL Insurance’s 2014 purchase of business intelligence and analytics firm iPartners, which serves P&C and life companies.
  • Verisk Analytics’ 2014 acquisition of EagleView Technology, a digital aerial property imaging and measurement solution.
  • LexisNexis Risk Solutions’ 2013 acquisition of Mapflow, a geographic risk assessment technology company with solutions that complement the data, advanced analytics, supercomputing platform and linking capabilities offered by LexisNexis.

Other 2013/2014 transactions that have broad implications for the insurance analytics and information technology ecosystem include:

  • Guidewire Software, a provider of core management system software and related products for property and casualty insurers, acquired Millbrook, a provider of data management and business intelligence and analytic solutions for P&C insurers.
  • IHS, a global leader in critical information and analytics, acquired automotive information database provider R.L. Polk, which owns the vehicle history report provider Carfax. 
  • FICO, a leading provider of analytics and decision management technology, acquired Infoglide Software, a provider of entity resolution and social network analysis solutions used primarily to improve fraud detection, security and compliance.
  • CCC Information Services, a database, software, analytics and solutions provider to the auto insurance claims and collision repair markets, acquired Auto Injury Solutions, a provider of auto injury medical review solutions. This transaction follows CCC’s acquisition of Injury Sciences, which provides insurance carriers with scientifically based analytic tools to help identify fraudulent and exaggerated injury claims associated with automobile accidents.
  • Mitchell International, a provider of technology, connectivity and information solutions to the P&C claims and collision repair industries, plans to acquire Fairpay Solutions, which provides workers’ compensation, liability and auto-cost-containment and payment-integrity services. Fairpay will expand Mitchell’s solution suite of bill review and out-of-network negotiation services and complements its acquisition of National Health Quest in 2012.

Based on these acquisitions and the other trends driving the use of analytics, it will be increasingly possible to:

  • Integrate cloud services, M2M, data mining and analytics to create the ultimate insurance enterprise platform.
  • Identify profitable customers, measure satisfaction and loyalty and drive cross/up-sell programs.
  • Capitalize on emerging technologies to improve pool optimization, create dynamic pricing models and reduce loss and claims payout.
  • Encourage “management by analytics” to overcome departmental or product-specific views of customers, update legacy systems and reduce operating spending over the enterprise.
  • Explore external data sources to better understand customer risk, pricing, attrition and opportunities for exploring emerging markets.                       

As the industry is beginning to understand, the breadth of proven analytics applications and the seemingly unlimited potential to identify even more, coupled with related M&A market activity that will drive transformational innovation, indicates that the growing interest in analytics will be well-rewarded. Those that are paying the most attention will become market leaders.

Stephen will be Chairing Analytics for Insurance USA, Chicago, March 19-20, 2014.