
Better Way to Assess Cyber Risks?

As the saying goes, there are two kinds of motorcyclists: Those who have fallen off their bikes and those who will.

The insurance industry assesses the corporate world’s cybersecurity risk much the same way. Everyone is equally at risk, and, therefore, everyone pays the price for higher insurance premiums.

Not a day seems to go by without news of a high-profile security breach. It’s no surprise, then, that the cybersecurity insurance market is expected to rise to $7.5 billion by 2020, according to PwC. Even worse, the industry does not have effective actuarial models for corporate cybersecurity, say Mike Baukes and Alan Sharp-Paul, the co-founders and co-CEOs of UpGuard.

The two audacious Australians have developed what they say is a better way to assess the risk for cybersecurity breaches.


Alan Sharp-Paul (L) and Mike Baukes (R), Co-Founders and Co-CEOs, UpGuard

The pair’s company recently unveiled its Cybersecurity Threat Assessment Rating (CSTAR), the industry’s first cybersecurity preparedness score for businesses. UpGuard’s CSTAR ranking is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages because of misconfigurations and software vulnerabilities, while also offering insurance carriers a new standard by which to more effectively assess risk and compliance profiles.

According to Baukes and Sharp-Paul, many companies forgo available policies due to perceived high cost and uncertainty that their organizations will suffer an attack. With countless patches and endpoint fixes slapped onto IT infrastructure to hastily remediate breaches, companies have found themselves with less visibility into their core systems than ever before and, as a result, no way to understand how at-risk they are for hacks. With CSTAR, businesses are able to regain transparency into their own stack and take the appropriate steps to bolster their cybersecurity. Insurance carriers, meanwhile, can make smarter underwriting decisions while accelerating the availability of comprehensive and cost-effective cybersecurity insurance policies for businesses. It’s a win-win for both the insurance industry and for businesses.

After spending years in financial services in Australia and the U.K. and witnessing the disarray of corporate IT, UpGuard’s two co-founders decided they could make a difference by developing a better way for corporations to understand their software portfolios and their associated potential risk for security breaches. Baukes says, “Our experience showed that there were thousands of applications and thousands of machines powering all of this critical infrastructure. And the thing that we learned throughout all this was just how hard it is for an IT organization to understand and get a handle on what they’ve got.”

“Today, everything is out in the cloud,” Sharp-Paul says. “We’re all more connected. Employees are connected 24 hours a day, seven days a week. Now what keeps CIOs and CEOs up at night is, ‘If we get breached, I could get thrown in jail. I could get sued.’ It’s a very, very different world we live in today. We built a system to help companies understand and prevent downtime, and helping them save on project costs is just as relevant today from a security perspective.”

The two initially started a consulting company to help companies catalogue and manage their software platforms and applications. According to Sharp-Paul, “We realized the biggest problem companies have from an IT perspective is that they don’t really have appropriate visibility into what they’ve got and how it’s changing because so many things are changing daily in these environments that it’s really hard for them to know what ‘good’ looks like.”

Sharp-Paul and Baukes’s consulting led them to develop software to automate the process, providing the means to quickly and effectively crawl every server and software application to present a profile of what needed to be updated or patched and to identify the system holes that allowed for security breaches.

As Baukes tells it, “Getting that all to mix well and be safe, secure and capable of pinpointing where problems go wrong really quickly is an incredibly difficult task. So, we built up the first commercial version of the product—a very rudimentary version—and we shopped it around, and people were very excited at the time.”

From there, the pair realized their software had commercial potential and implications more far-reaching than what they had first thought. “We started with that very simple version with a few sales and no sales force—just Alan and [me] at the time—growing to the point now where we now have 3,000-plus customers, and the team is steadily being built,” Baukes says.

Now, the company has nearly 50 employees and is growing fast. The Mountain View, CA–based company attracted early seed funding from the likes of Peter Thiel, Dave McClure and Scott Petry, leading to a near $9 million Series A funding underwritten by August Capital.

The co-CEOs admit the co-managing arrangement is unconventional and would be challenging to make work under different circumstances. However, Baukes and Sharp-Paul feel their skills and temperament complement each other.

“To be honest, when people ask us about it, my first response is always that it’s a terrible idea,” Sharp-Paul says. “And that’s not because it’s been a horrible experience for us. It’s because I kind of think we’re really the exception. And the only reason I say that is that I know the unique things we went through and the type of people we are that makes this work. I can’t imagine that being a common thing at all.”

Baukes is generally a more aggressive and strategic thinker, while Sharp-Paul describes himself as more pragmatic and conservative.

Sharp-Paul and Baukes first worked together at the Colonial First State Investment firm back in Sydney, where the two lived the DevOps experience before DevOps became the buzzy concept that it is today. There, Sharp-Paul was a web developer, and Baukes was a systems administrator, and they talked a lot about things like continuous integration and continuous delivery.

“Now these are all fantastic things,” Sharp-Paul says. “But you need a foundation or a basis of understanding what you have. I mean, we like to say you can’t automate what you don’t understand. Or you can’t secure or fix what you don’t understand. And that’s always missing. Everyone’s trying to rush to this goal of DevOps or moving to the cloud. Everyone wanted to be there, but companies and vendors in particular weren’t helping businesses on the journey there.”

Baukes says, “Once you have that base understanding of what you have, then that opens everything else up. You can think about DevOps. You can think about automation. At the time, we were thinking, ‘Why hasn’t anyone thought to do this before?’ It seemed like such a foundational, basic thing. It was almost like it was so foundational that everyone just moved past it, and they were looking at the next shiny thing down the road. I think that was the white space. That was our opportunity. We jumped on it.”

As it turns out, in the world of corporate IT, applications never get retired. Even worse, the people who manage them move on because the life cycle of an employee at a company is short. As a result, the institutional knowledge about these applications is lost.

“Corporate memory is so short typically,” Sharp-Paul says. “They often get to this point five years down the track where they rediscover this server or this application, and everyone’s too scared to touch it because they don’t know what it does. They don’t know how it works. The people with the knowledge just left with it all in their heads. We come across that all the time.”

Sharp-Paul and Baukes had always seemed destined to do something on their own.

“I always had a healthy disrespect for authority. Throughout my corporate life, I was looking outside to see what else is out there,” Sharp-Paul says. “I actually started the first step of creating a business on my own—with something as mundane as a French language website that I used when I moved overseas for a couple of years. … It taught me that I can actually build something myself that makes money.”

Baukes agrees.

“The big difference is that I grew up in an immigrant family in the middle of nowhere, effectively. I won’t say the Australian Outback, but really rural,” he says. “We built everything ourselves. My father was a great wheeler and dealer. So, I learned a lot from him. I fell into all of this by playing computer games and was really good at it, frankly. For me, that was a springboard into an accidental corporate life. I always knew that I would do something else.”

Now, for the future?

Baukes says, “It makes good business sense to quantify the risk in your company’s IT systems and report it effectively. And I think that for us, we could continue growing our business with that in mind—giving people visibility, helping them get to the truth of what they’ve got, teaching them how to configure it, and showing them if they’re vulnerable. That is beginning to accelerate for us, and we’re incredibly proud of that.

“We truly believe that, over time, CSTAR will be adopted as an industry standard that companies and carriers alike can rely on to make critical coverage and cybersecurity decisions.”

The Real Root of Innovation? Insurance

Humanity’s innate urge for creativity, coupled, perhaps, with the promise of fame and riches, has been an important driver of innovation throughout history. But what has served as the foundation for innovation? What has helped individuals make the leap from coming up with a great idea to executing it?

In one way, the answer is insurance. Insurance and risk transfer are key historical inventions that contributed to the rise of innovation around the Industrial Revolution. Legal and financial advancements, such as modern insurance policies, have been just as significant to innovation as technological breakthroughs. They have allowed humanity to view risky situations as opportunities to progress.

Before the Industrial Revolution, creative risks were, well, a lot riskier. In the days of hunter-gatherers and early agriculture, individuals or small family groups bore total responsibility for any consequences should a new crop be unsuccessful or sickness spread because an unproven concept failed. (Starvation and death are steep prices to pay.) As time progressed, hierarchical systems ensured the ruling classes quickly claimed and controlled any innovation devised by those low on the totem pole. Historically, oppression has rarely served to spark advancement at all, let alone at a decent pace.

When formalized insurance came along, in addition to stocks, bonds, patents and other financial tools, it allowed people to share the risks and rewards of their personal creativity. Because the downside of failure was no longer as excessive, people were empowered to take bigger leaps. Insurance and its associated analytics removed many of the unknowns from taking a chance on a risk.

Insurance and risk management are now so ingrained in the innovation process that we take it for granted as just another step on the way to progress. When you hear about modern space travel, for example, you don’t hear about the insurance policies that make it possible for entrepreneurs to launch ambitious new projects. Unfortunately, the only time we make the connection between insurance and innovative efforts is when something goes wrong. Case in point: It was only when an unmanned commercial rocket exploded last fall that many articles rushed to note it was insured for about $200 million.

Today, insurance is stepping in to lower innovators’ risks in other creative ways. One example is a firm that created insurance protection from “patent trolls.” While patents are supposed to protect inventors, some people have found ways to exploit the patent system to enrich themselves instead, while also limiting actual innovation. The high litigation price of defending a patent has caused many start-ups to stall out. Patent trolls have forced even established companies like Apple, Google and Samsung to spend massive quantities of capital addressing seemingly gratuitous patent claims. The new solution steps in to help organizations keep creating.

Recently, some insurance companies have begun to offer protection for the bitcoin business. The virtual currency has had its fair share of troubles in the last year or so, with cyber attacks and technical snafus costing investors millions upon millions of dollars. With the advent of protections similar to those offered by the long-established Federal Deposit Insurance Corporation, these organizations are making it possible for the bitcoin industry to mature, potentially ushering in a new, all-digital era for commerce.

The New York Times Magazine recently dedicated an entire issue to the subject of innovation. It cited prominent M.I.T. economist Daron Acemoglu directly linking the advancement of society to the necessity of insurance and risk management.

In other words, the better we manage risk, the more risks we take and the better off we may all be.

This article was originally published on IAmagazine.com.

Time to Rethink Usage-Based Insurance

“Do no harm.” That’s part of the doctor’s oath, and it was the underlying thinking behind Progressive’s launch of usage-based insurance (UBI) into the U.S. insurance market back in 2010. The message was straightforward – try our Snapshot device, and your insurance premium can only go down; how far down depends on how well you drive.

Fast forward five years of “Flo” hammering away at the virtues of UBI: Progressive claims $2.5 billion in annual premium emanates from UBI, and nearly every tier 1 carrier emulates Progressive’s format…and Progressive has announced, in March 2015, that it is going to charge higher premiums for the worst-behaving drivers, effectively dumping the concept of “Do no harm.”


And why not? As the pioneer of UBI in the U.S., Progressive has accumulated the trip data of millions and millions of customers over a number of years – tens of billions of miles of journey data coupled with hundreds of thousands of claims – giving the company unique insights into the behaviors that cause accidents. Based on listening to customers, the marketing program has now shifted from “Plug it in. Drive. Save.” to the concept of “Rate suckers” – bad drivers getting a free ride on the premium that safe drivers pay.

Progressive’s research showed that 89% of drivers would be upset to find out that their premiums were subsidizing bad drivers. So loading the premiums of bad drivers backs up the marketing message and should further fuel the positive selection of good drivers moving to Progressive, while chasing away the bad drivers to cheaper, less-data-savvy carriers. This adverse selection for Progressive’s competitors will eventually move the market to fully data-driven underwriting over the medium term.

All this goes to show that UBI is not your typical insurance product. Key to success for Progressive has been:

  1. the ability to accurately model the risk and develop a compelling pricing model based on the new data made available from the telematics device
  2. creating an attractive customer proposition and educating the market in the benefits of the proposition with a targeted campaign
  3. implementing the operational processes that deliver on the promise of the marketing message

Many insurers get dazzled by the telematics gadget and technology and lose sight of the fact that success really turns on delivering a compelling customer proposition fueled by deep customer insight. I find it intriguing that many UBI programs are still being run by IT departments, as the proposition will only be truly successful when the strategy, marketing, product development and operations teams become involved.

I have run a number of telematics engagements, and the technology is quite straightforward. Arguably, the hardest part is finding where to plug in the telematics sensor on the vehicle. Usually, data starts to flow almost immediately, and drivers start getting scores the following day.

However, that UBI plugging-in and data flow marks a “moon landing,” as your relationship with the insurance customer will be forever changed.


Let’s face it, in the past a customer usually shopped for the cheapest price of motor insurance, bought it and then tucked the policy away in the glove compartment of the vehicle with little or no contact with the insurer until it came time to claim or renew. With UBI, the insurer provides customers with a companion mobile app (and website) that gives daily feedback on their driving skills and opens up a range of value-added services like:

  • Real-time vehicle location viewing
  • Teen safety monitoring (geo-fencing)
  • Driver feedback (rating, score) — continuing tips to improve driving style and reduce accident risk
  • Trip replay capability, with mapping
  • Driver behavior indicators (harsh braking, reckless driving, acceleration) within trip
  • Logbook – trip information – tax and fuel log expense claims
  • Parking meter reminder
  • Vehicle fault notifications
  • eCall (emergency/panic button) and bCall (breakdown)

You may have noticed I have skirted the issue of “push” marketing offers, which this connectedness will certainly open up. If handled with the mindset of truly benefiting the customer, then this could be a good thing, but it’s a fine line between good and “spam.” I have advocated elsewhere that dynamic affinity offers, when coupled with a high degree of personalization, will present much greater value to the customer rather than the scatter-gun coupon books that typically prevail today.

In China, over the last 18 months, quite a few insurers have piloted UBI propositions in advance of the deregulation, and affinity offers – value-added services – have figured prominently. Most have offered a flat 10% insurance discount for simply trying out UBI.

PICC, in partnership with Tencent and Shell, launched the “Lubao” box in early 2014. It’s a plug-in device that connects to a mobile app that displays the current status of the car, runs routine diagnostics, offers advice on fuel-saving driving techniques, provides discounts on Shell products, provides road-side assistance and funnels all that data back to the insurance company and its partners. Seems like a dress rehearsal for rolling out a full “Progressive-style” pay-how-you-drive insurance program when regulations allow.

Other insurers have offered time-saving features like streamlining the payment of traffic violations, which I am told can be quite inconvenient in China.

In some Asian markets, women’s safety while driving has been seen as a good landing place for the UBI proposition, with a “panic” button being built into the app. In other markets, where organized fraud is rampant, UBI provides the data to effectively be a silent witness to what really happened and protect the interest of the customer and the insurer. In Ireland, a fraud ring was systematically targeting drivers on countryside roundabouts and making phony whiplash claims at more than $20,000 per person. The data from the UBI device would help stamp out those kinds of claims, sparing the customer from the resulting increased premiums and months and months of mental anguish during the claim settlement process.

In several markets, the advent of UBI has been the key to making insurance affordable for young drivers and families with young drivers. And in Europe, where discrimination based on gender was banned several years ago, a new insurer, Drive-like-a-Girl, launched a telematics proposition quite similar to Progressive’s, where anyone with good driving habits (driving like a girl) earns a discount, eliminating the need for proxy rating factors such as age and gender.

The UBI proposition winds up being quite beneficial all around. Firstly, the community wins with improved road safety and easier-to-understand motor insurance contracts – pay for what you use. Secondly, customers win with cheaper insurance, with the ability to control the cost by improving their skills, plus they get a whole range of new features from vehicle fault monitoring through to faster claims settlement. Finally the insurer wins, as it accurately monitors risk and uses data to find new ways to engage customers – moving the conversation from price to value and establishing life-time brand associations with customers.

Do no harm. It’s certainly a good starting place as it gets you thinking from the customer’s perspective, but UBI presents a whole lot of value simply waiting to be unleashed for everyone. Just find what’s most important for your customers, and you should have a success when you launch your own UBI proposition.

See you in the parking lot. 🙂