Insurer Cyber Strategy In a Cyber-Forming New World (V 1.0) (Minimally updated March 27, 2024)

Strategy: a concept loaded with many facets and meanings

I know there are different views, definitions, and descriptions of strategy: what is it, what does it mean, why does a corporation need a strategy, and how does a corporation create a strategy are only a few questions about strategy. I don’t plan to answer any of those questions. There are thousands (tens of thousands?) of books dedicated to the topic.

When I became a management consultant in the late 1980s, I thought “strategy” meant that a corporation had a unique value proposition (UVP) to distinguish itself from its current or potentially future competition. A few years later, I was taught scenario planning from Global Business Networks and learned how scenario planning assisted corporations in creating their strategy.

I also discovered that corporations use the word “strategy” at what I think of as an operational level, as in “we have a strategic business system solution for our underwriting (or marketing or sales or [you can insert your favorite insurance function]) process.” Really? Is that really strategy?

I admit that I’m partial to creating – and infrequently changing – a strategy of creating a unique value proposition. However, for the purposes of this blog post, I’m looking to Richard Rumelt’s experience and expertise as a strategist. He is an American emeritus professor at the University of California, Los Angeles Anderson School of Management. (From Wikipedia.)

His definition of strategy: “strategy is a set of objectives, policies and plans that, taken together, define the scope of the enterprise and its approach to survival and success.”

I want to share some selections from one of his strategy books: Good Strategy Bad Strategy: The Difference and Why it Matters, by Richard P. Rumelt, 2011, Crown Business, ISBN 9780307886231:

  • “A good strategy has coherence, coordinating actions, policies, and resources so as to accomplish an important end.”
  • “Good strategy requires leaders who are willing and able to say no to a wide variety of actions and interests. Strategy is at least as much about what an organization does not do as it is about what it does.” [My note: I really like this point specifically as it applies to insurers not selling cyber insurance.]
  • “Bad strategy fails to recognize or define the challenge. When you cannot define the challenge, you cannot evaluate a strategy or improve it.” [My note: How many (re)insurers really know the current and future challenges of current and yet-to-emerge cyber risks?]
  • “Many bad strategies are just statements of desire rather than plans for overcoming obstacles.” [My note: How many of you have seen that Strategy or Vision Statement on the walls of a corporation – or on the walls of your company?]
  • “Bad strategy is long on goals and short on policy or action.”

I wonder how many (re)insurers have: 1) created a cyber strategy, and 2) are following it as the cyber attack space continues to expand in multiple dimensions and concomitant cyber attacks have occurred and are emerging through the evolution of the (extremely) dynamic Cyber Age? I also wonder what their cyber strategy is (other than some words on a wall in their company)?

Before considering any aspects of an insurance cyber strategy, I believe it is important to discuss some background that has brought society to the current Cyber Age and its interrelated and continuing cyber-forming world.

Selling, Knowing the Territory, and The Steady State Machine Model Marketplace

Regardless of what you are selling, the salesmen who sang “ya gotta know the territory” on the train in the opening song from the heart-warming 1957 musical “The Music Man” by Meredith Willson were correct. Or to state it in another manner, expounding – even in song – about “territory” was correct based on the mental models of the marketplace (e.g., customers, sales, marketing, and distribution professionals) then.

I submit that at that time people and businesses were thinking in three dimensions (distance, location, and time). Moreover, this three dimensional mental model persisted during the period from the Agricultural Age through the Industrial Age. I hypothesize that it continues to this day even though what I called “The Interconnected Era” in my first book* should have, at least, planted seeds of needing to create sales, service (and risk management / mitigation) mental models of higher dimensions. (* From Stone Tablets to Satellites: The Continual Intimate but Awkward Relationship Between the Insurance Industry and Technology)

These three-dimensional mental models of society, during most of those decades until the current Cyber Age (which I’ll discuss shortly), encompassed machine operations including “if this, then that”, and/or “one thing at a time” thinking. Corporations had (and unfortunately still do) segmented governance models (e.g., multiple SBUs, multiple divisions, multiple functional departments), hierarchical corporate governance structures, and siloed business technology systems / solutions with a severe case of data myopia and cling-worthy (or should that be cringe-worthy?) territorial ownership.

A visual of machines replete with many pulleys, wheels, levers, and cogs is a poster image of that time.

Visual from Bing.com: Pulleys, Levers, Wheels, and Cogs

Customer perspective during the ‘machine marketplace model’ period

From a customer perspective, society was bound by geographic location, time (e.g., calendar ‘time’, time of the work day, and time to travel), and limited communication options with lag-time response paths during those decades. These boundaries kept the metabolism of the market at a mostly predictable “slow-and-steady” rhythm.

Risk generation during the ‘machine marketplace model’ period

Throughout most (all?) of these decades, the basis of the ‘reality of the risk landscape’ was to identify and manage risks impacting people (as well as corporations and organizations), whether they resulted from some combination of actions (or inactions) of at least one of:

  • people (inclusive of the actions and behaviors of corporations / organizations);
  • physical artifacts;
  • nature.

Focusing the ‘reality of the risk landscape’ on people will prove to be short-sighted for insurers’ profitability and risk management professionals’ responsibilities to manage / mitigate risks to their corporations in the now current Cyber Age.

The Cyber Age – the evolution of tools

One major theme of human existence has been our species’ continual creation of tools to augment, enhance, or otherwise assist in fulfilling humans’ objectives. These objectives encompass, but are not limited to, human activities in communication, commerce, agriculture, transportation, manufacturing, construction, media, entertainment, and warfare.

Another major theme is that the tools humans have created sometimes (oftentimes?) replace human labor so that the objective is completed more quickly or more effectively.

Since the Agricultural Age to now, there has been an evolution of “tools” which are essentially, to use modern terms, the vast growing variety of technologies and their associated applications to serve these, and other, human purposes.

Four technologies, and more specifically the fusion of the four technologies and their applications, created, and are strengthening and expanding the capabilities of, The Cyber Age:

  1. Digitalization: Inclusive of the spectrum of data types from numbers to text to still pictures to video to sound;
  2. Mobility: Inclusive of communication standards and architectures such as 3G, 4G, 5G, and future standards as well as wireless modalities and communication devices;
  3. Internet: Inclusive of its graphic user interface called the web;
  4. Cloud: Inclusive of the variations of on-premises and off-premises (as well as single tenancy and multi-tenancy).

One quick way to think about the Cyber Age is that it is a continuing result of the ongoing fusion of data, information technology, and telecommunications technologies.

Unlike the various technologies and applications in previous “Ages”, I view the Cyber Age as simultaneously enabling and creating a dynamic cornucopia of technologies and concomitant robust connective, penetrating, and immersive applications. It is this continual, penetrating, immersive robust ‘connectiveness’ that must inform the insurance industry’s cyber strategy and corresponding tactical initiatives. But I’m getting ahead of myself.

(I think the next Age, the Biologic Age, will be the result of a fusion of biologics – such as specific genetic data [of animals, including humans, and plants] with data, IT, Telco technologies, and biotechnologies. The Biologic Age risk landscape and attendant insurance decisions of whether and how to offer insurance coverage is a topic for a blog post to come in many, many months.)

Cyber-Forming a global immersive environment

Each of the “Core Four” technologies (Digitization, Mobility, Cloud, and Internet) and their associated applications is extremely formidable by itself given the significant impact each has on society on its own.

However, taken together as an integrated bundle of technologies, the Core Four’s growing panoply of applications are significantly redefining the nature of risk while simultaneously making it increasingly more difficult, if not impossible, for insurers to accurately estimate the probable maximum loss of the cyber insurance policies they sell for the current and yet-to-emerge cyber risks.

The Core Four are doing this by creating “a territory” that is quickening society’s abilities to interconnect in real-time with any person, process, information system, telecommunications system, and information flow. This real-time interconnection is an unintentional consequence of the deployment of the Core Four’s applications, which is cyber-forming every aspect of humanity’s interactions with physical artifacts, digital artifacts, people, and nature throughout the entirety of the planet.

Cyber-forming?

There have been science fiction stories and movies that discuss terraforming as an important plot point. Wikipedia describes terraforming this way:

“Terraforming or terraformation is the hypothetical process of deliberately modifying the atmosphere, temperature, surface topography or ecology of a planet, moon, or other body to be similar to the environment of Earth to make it habitable for humans (or invading aliens in some stories or movies) to live on.”

But … Cyber-forming is neither science fiction nor hypothetical. Cyber-forming is reality. Cyber-forming is happening now and will not stop at any point in the future.

The Cyber-Forming Immersive Risk Landscape

The “territory” of 2023 (and really since the beginning of the Cyber Age) encompasses not one but two risk landscapes which insurers must manage: the traditional, non-cyber influenced but still changing risk landscape and a new, immersive (and interconnected and interdependent) risk landscape with a continuously changing and expanding plethora of risks generated by the cyber-forming actions on society (and nature) by the Core Four.

The “territory” – or cyber-formed risk landscape – is no longer driven by some combination of nature, physical artifacts, and people. Believing that remains true for the cyber-driven risk landscape is a harmful mental artifact of risk from the “Information Era” or worse, from the “Industrial Revolution Era”.

The cyber-formed risk landscape encompasses cyber risks impacting people (as well as corporations / organizations) acting with some combination of digital artifacts, physical artifacts, and nature. The main force of this second risk landscape is cyber risks rather than people. People are the main factor of the traditional non-cyber influenced risk landscape.

The cyber-forming immersive risk landscape should drive its own insurance coverage decisions (at a minimum: whether to offer insurance or not; what segments to offer cyber insurance; with what terms, conditions, and restrictions; at what costs; how best to protect the insurer’s financial capacity [With ILS cyber cat bonds? With cyber captives?]; with what reinsurance or other financial capitalization requirements for a cyber insurance policy) separate and distinct from the traditional non-cyber influenced changing risk landscape insurance professionals have been quite familiar with for decades before the Cyber Age.

A reality emerging from the cyber-formed risk landscape for insurers and corporate risk managers: risks come from some combination of the actions (or inactions) of digital assets interacting (even unknowingly) with people, and/or with physical artifacts (e.g., physical assets with IP-sensors or digital content embedded in them and connected to the web), and/or with physical assets connected to the web, and/or with nature.

A visual of a continually expanding hyper-dimensional space replete with known, unknown and unknowable cyber attack spaces is a poster image of our current Cyber Age. (Personally I don’t think the image below does justice to an always-expanding, never-ending multi-dimensional space.)

Visual from Bing.com: multi-dimensional space

Composition and attributes of a cyber-forming immersive risk landscape

Composition

A critical factor of the cyber-forming immersive risk landscape is the infinite set of cyber attack spaces that will continue to expand in multiple dimensions and multiple degrees of fluidity. The cyber attack spaces will expand unabated into new topographies that are uncountable and unmeasurable every moment:

  • a new digital artifact is created and connected to the web;
  • an existing digital artifact is enhanced and connected to the web;
  • a physical artifact gets an IP sensor attached to it;
  • an animal gets an IP sensor attached to it or embedded in it;
  • a human gets an IP sensor attached to them or embedded in them (including a pill with a sensor that digitally tracks if patients have ingested their medication).

For me, the always-expanding multi-dimensional cyber attack spaces consist of the growing, never-ending set of interconnections and interdependencies among and between digital artifacts (or digital assets or intangible assets if you prefer), physical artifacts with digital content (yes, IoT devices), and physical artifacts.

Getting more specific about what elements strengthen the cyber-forming world, here is a select list, several (most?) of which could be or already are interconnected and/or interdependent with other risks on the cyber-forming risk landscape and/or the traditional risk landscape:

  • Any corporate IT business system, OT / Industrial Control system / SCADA ** (e.g., Operational Technology, Supervisory Control and Data Acquisition systems), medical systems, payment systems, banking systems, or investment management systems linked to the web;
  • Home appliances or personal automobile systems or commercial vehicles or hospital devices linked to the web;
  • Social media, online entertainment media, personal-use rich media systems (e.g., Apple Vision Pro; Meta Quest 2) linked to the web;
  • Any medical device embedded into a person or any medicine with an IP sensor swallowed by a person linked to the web;
  • Any personal or company processes stored in the cloud (regardless of whether deployed as a single or multiple tenancy in the public or hybrid or private cloud);
  • Drones;
  • Robots;
  • EVs;
  • AVs;
  • Routers, servers, hubs used by a household or a company;
  • Wireless infrastructure used by a household or a company;
  • Internet Protocol used by a household or a company to access the web;
  • Smart devices (e.g., smartphones, tablets, laptop computers, desktop computers) used by a household or a company;
  • Browsers used by a household or a company to access the web.

My point about the above – and other – elements of the cyber-driven risk landscape is that no person, no company, no business system, no industrial control system is an island unto itself. The more elements are connected, interconnected really, the more that cyber attacks are actually systemic cyber attacks. Society is a nest of interconnected systems yet some (far too many) people mistakenly believe most cyber attacks are “isolated” events.

Attributes

The cyber-forming risk landscape has many attributes. Here is a list of a few of them:

  • Most, if not all, of the risks on the cyber-forming risk landscape can, and will, occur in real-time or close to real-time;
  • Most of the risks are interconnected and interdependent with other cyber-risks or with risks on the ‘traditional’ risk landscape;
  • Collecting more data to better estimate the cyber losses associated with the cyber risks is only helpful to a point – and that would be the point of modeling cyber losses that have already happened for cyber risks that have already emerged at a specific point (or points) of the known cyber attack space;
  • Collecting more data for cyber risks that have yet-to-emerge on points or areas of the cyber attack space which has still not expanded – but will expand – into unknown dimensions can’t be done. Modelers with hubris will state, strongly, that they can do it – how many (re)insurers want to put their financial capacity at risk based on hubris?
  • Some (most?) of the cyber risks are ‘immersive’ meaning that the person or place that will be cyber attacked is essentially within an ecosystem or within a supply chain of entities that the cyber attack will cascade through and impact a multiplicity of people and/or processes and/or physical artifacts (e.g., systemic cyber events are happening more frequently than insurance professionals either think or want to believe);
  • All of the cyber risks are exposed to attacks from anywhere at any time;
  • All of the cyber risks are exposed to cyber hackers who could be humans or could be software code created by cyber hackers using AI Technology applications and released to spread, like a biological virus with no available vaccine, to impact both risks on the traditional and cyber-driven risk landscape;
  • Neither the ever-expanding cyber attack spaces nor the yet-to-emerge cyber risks on the ever-expanding cyber attack spaces are like any other risk on the traditional risk landscape that insurers have identified and managed through the industry’s extremely long history. (No, cyber risks are not like hurricanes, tsunamis, or other severe weather risks to humans and/or property.)

Hurdles to creating a successful insurance company cyber strategy

Creating – and implementing – a corporate strategy always faces hurdles. I believe that creating an insurance company cyber strategy faces more hurdles than usual.

Here are some of the hurdles to creating a successful insurance company cyber strategy:

  • Almost all humans think linearly rather than in multiple dimensions;
  • Humans don’t have any concept of what the shape of a cyber-formed society in the decades to come will be;
  • Almost all humans do not have any concept of the panoply of implications and impact of living and working in a world shaped by mobile, digital, web-enabled, cloud-accessible capabilities;
  • Too many of us have been surrounded primarily by physical artifacts most of our lives and base our methods of managing cyber risks on that history;
  • Too many insurance professionals falsely believe that if the insurance industry could handle severe weather or floods then the industry can also handle cyber risks;
  • Too many insurance professionals falsely believe that cyber risks are just another risk in the very long history of risks the industry has successfully managed;
  • Too many insurance professionals falsely believe all they need is to collect more data for cyber loss models so corporations and their insurers can “get a handle” on the probable cyber losses of existing (maybe) and emerging cyber attacks (probably not);
  • Too many people falsely believe that governments’ cyber regulations will help slow down (or possibly stop) cyber attacks from happening.

All of the above hurdles are equal in providing roadblocks to crafting a successful insurance company cyber strategy. But as George Orwell said in his book Animal Farm, ‘some are more equal than others’. And the utmost ‘more equal’ hurdle is the far too many insurance professionals (throughout the insurance value chain) who do not believe that the cyber-formed world exists or is generating risks that are entirely distinct from what the insurance industry has identified and managed throughout its extremely long history.

Fish didn’t discover water!

Insurance professionals’ inability to realize that the landscape of risk is being reshaped by the Core Four or that previous methods to manage risks won’t work (e.g., collecting more data, finding an equivalence to current risks being insured; did I mention collecting more data?) reminds me of something Marshall McLuhan said:

“In November 1966 Marshall McLuhan attended a symposium called “Technology and World Trade”, and during a discussion period he employed an instance of the saying, but he specified an anonymous attribution:

Dr. McLuhan: … Someone said once, “We don’t know who discovered water but we are pretty sure it wasn’t a fish!” We are all in this position, being surrounded by some environment or element that blinds us totally; the message of the fish theme is a very important one, and just how to get through to people that way is quite a problem. We have from the moment of birth a fear of the new environment. We always prefer the old one.”

Technology and World Trade Symposium, November 1966

The cyber-formed / forming world is the ‘water’ and insurance professionals are the ‘fish’. Insurance professionals must, sooner rather than later, realize the cyber-forming water they are swimming in to be in a stronger position to better understand what to do to preserve their financial capacity.

I want to double-down on the ‘fish’ discussion with another quote by Dr. McLuhan:

“I call this peculiar form of self-hypnosis Narcissus narcosis, a syndrome whereby man remains as unaware of the psychic and social effects of his new technology as a fish of the water it swims in. As a result, precisely at the point where a new media-induced environment becomes all pervasive and transmogrifies our sensory balance, it also becomes invisible. This problem is doubly acute today because man must, as a simple survival strategy, become aware of what is happening to him, despite the attendant pain of such comprehension.” – Marshall McLuhan, Playboy Interview, 1969

Far too many insurance professionals are unaware of the quickly emerging cyber-forming world. (One LinkedIn member accused me of “now, you’re making something up”. For me, that was an extremely frightening reply. Or perhaps they are aware of the new world of cyber-driven risks but are, “being blinded by the perfume of premium” as another of my LinkedIn members told me.)

Insurance company cyber strategy

Past cyber insurance experience is not useful

I realize that most (re)insurers are currently generating profit from their sales of cyber insurance (e.g., combined ratios under 100%). But I strongly believe that cyber risks will become increasingly more complex as the cyber attack multi-dimensional spaces expand into not just known but also unknown and unknowable directions.

I also realize that insurers have been offering cyber insurance since the late 1990s. Nice, but close to worthless experience on a going-forward basis. For me, it’s like stating that my son or daughter rode a tricycle when they were children and I now fully expect that they will win Formula 1 racing car championships whenever they want even though the racetrack will always abruptly change direction, sometimes going into the ground beneath the course, sometimes going into the air above the course, sometimes going into a nearby lake, and sometimes moving through a worm-hole that appears and disappears at will.

Why?

Because the cyber risks of the late 1990s had none of the complexity of the cyber risks of 2023 or of the years to come as the cyber attack multi-dimensional space continues to evolve into increasingly more complex multi-dimensional topographical shapes triggering increasingly more complex cyber attacks.

Cutting off the long(er) tail of cyber insurance losses

  • Continually lowering the amount of cyber insurance they sell;
  • Continually making their terms, conditions, and restrictions stricter for the cyber insurance they sell;
  • Continually crafting and tightening their exclusions of systemic cyber attacks [Unless disapproved by insurance regulators in the jurisdictions where the insurer conducts commerce.];
  • Continually crafting and tightening their exclusions of cyberwar cyber attacks [Unless disapproved by insurance regulators in the jurisdictions where the insurer conducts commerce.];
  • Continually leaving markets (e.g., MSPs, cloud deployment of prospective clients’ business processes, hospitals) that, while profitable now, indicate through insurers’ models that loss ratios, expense ratios, and obviously combined ratios are going to worsen;
  • Sponsoring Insurance Linked Securities (ILS) cyber cat bonds to decrease the amount of their own financial capacity at risk from cyber losses;
  • Fronting Cyber Captives to decrease the amount of their own financial capacity at risk from cyber losses;
  • Using Alternative Risk Transfer mechanisms (other than ILS cyber cat bonds or fronting captives) to decrease the amount of their own financial capacity at risk from cyber losses.

Insurance cyber insurance strategy objectives, questions, and realities

Questions

  1. What does a successful cyber strategy look like for our insurance company?
  2. What resources will we have to invest (one-time, continually) to develop products, train underwriters, train our producers, and train our claim managers / claim adjudicators and customer service professionals to support our cyber insurance policies?
  3. When and how should we get our in-house legal professionals involved?
  4. How much should we increase our claims reserves to support claimant lawsuits against us?
  5. How will we know our cyber strategy is working (from a financial metrics perspective for cyber … and for our total book of business)?

Realities

  1. Just because a risk exists does not mean that any insurance company should offer coverage for that risk;
  2. Regardless of complying with government cyber security regulations or industry cyber security regulations, any company will be cyber-attacked (again and again and …);
  3. Regardless of the cyber advisory and protection services any company leases (or purchases), that does not mean the company will not be cyber-attacked (again and again and …);
  4. Regardless of the cyber loss models any company uses, that does not mean the company will not be cyber-attacked (again and again and …);
  5. Regardless of whatever advice a company follows from outside counsel (or its own corporate lawyers), that does not mean that the company will not be cyber-attacked (again and again and …);
  6. Every individual and every organization lives at the center of a multitude of “environments” in a cyber-formed world.

Cyber-forming world is a complex adaptive system

The cyber-forming world is birthing, and will continue to birth, a cyber-driven risk landscape. This cyber-driven risk landscape will create new cyber risks, alter existing cyber risks, and nullify current cyber risks as the cyber-forming world evolves. (And again, this cyber-driven risk landscape is not going to replace the “traditional” evolving (non-cyber driven) risk landscape that (re)insurers have been working with for many decades.)

(Re)insurers opting for a cyber strategy to cut off the long(er) tail of cyber losses should be cognizant of the behaviors of complex adaptive systems.

Complex Adaptive Systems & Ecosystems

The cyber-driven risk landscape will behave like complex adaptive systems and their close relations, ecosystems.

The questions then become: What is a complex adaptive system? What is an ecosystem?

“A complex adaptive system is a system that is complex in that it is a dynamic network of interactions, but the behavior of the ensemble may not be predictable according to the behavior of the components. It is adaptive in that the individual and collective behavior mutate and self-organize corresponding to the change-initiating micro-event or collection of events. It is a “complex macroscopic collection” of relatively “similar and partially connected micro-structures” formed in order to adapt to the changing environment and increase their survivability as a macro-structure.” (Wikipedia)

Delving into ecosystems

However, the never-ending plethora of the expanding cyber attack spaces are not just complex adaptive systems but also ecosystems and will behave as such. Delving a little deeper into ecosystems, there are four overarching principles and four characteristics that describe ecosystems (whether natural, business, or digital ecosystems). (See visual below.)

Source: “From Stone Tablets to Satellites: The Continual Intimate but Awkward Relationship Between the Insurance Industry and Technology”, by Barry Rabkin, June 2022, Wells Media Group, Inc.

Principles of an ecosystem

  1. The ecosystem itself continues to change as various forces act on it (e.g., catastrophes, introduction of new species, the disappearance of existing species) and simultaneously within it (e.g., the continual predator / prey dynamic).
  2. The rules of survival and adaptability change as the ecosystem changes.
  3. Outcomes are unpredictable in terms of scale and scope.
  4. The co-evolution (between predator and prey) dynamic itself drives evolution (of predator, of prey, of the ecosystem itself).

Characteristics of an ecosystem

  1. Being Aware: Also known as “sense and respond”. Participants in an ecosystem have to understand the pertinent events happening in the environment – introduction of new competitors, introduction of new technology and its applications, introduction of new applications of existing technology, changed or new regulations, shifting demographics and associated expectations – and develop, possibly pilot, and implement requisite initiatives.
  2. Self-Organizing: Continual realignment with the changing marketplace. Ecosystem participants will develop (are developing!) organic processes independent of central control that enable them to continually alter their current modes of attack.
  3. Creating Perpetual Novelty: Biologists call this characteristic the need for never-ending newness. In the natural ecosystem, prey develops new capabilities to better fend off predators, while successful predators counter with their own evolutionary innovations.
  4. Learning Under Pressure: In the natural ecosystem, biological species survive by adapting as quickly as the rate of transformation of their predators and of the ecosystem. In a business or digital ecosystem, competitive advantage, no matter how short or long a period of time, comes to the firm (firm that has been cyber attacked or the cyber attacker) that learns the most quickly.

Who is going to learn from the principles and characteristics of ecosystems first? And continue to learn – and adapt more quickly? Cyber defenders or Cyber attackers? And why should insurance companies pay for the never-ending, ‘difficult, if not impossible to model and measure’ back-and-forth cyber-driven risk landscape where the odds are ever in favor of the predators? (Apologies to the character Effie Trinket from the “Hunger Games” movie.)

Tactical elements of a cyber strategy

I think of tactics as a set of coordinating actions and policies. In the situation of cyber strategy and associated cyber risks, that translates to, at least, knowing:

  • how the cyber attack spaces are unfolding;
  • how the cyber attack spaces will unfold;
  • where the cyber risks have been;
  • where the cyber risks are currently;
  • where the cyber risks will emerge;
  • the capabilities that cyber-hackers have now;
  • the capabilities the cyber-hackers will have in the future;
  • the objectives of the cyber-hackers;
  • how cyber-hackers get their resources (whether other cyber-hacking colleagues or hacking solutions for specific industries or …).

Visual of six tactical elements of a cyber insurance strategy

I offer a visual of six tactical elements that could support any insurer cyber strategy.

The crux of the tactical elements is “awareness” which is particularly critically important in a cyber-forming world. The pace of change in a cyber-forming world is beyond dynamic: the pace is real-time as more digital artifacts and/or physical artifacts embedded with digital artifacts are continually added to shape-and-reshape the cyber attack multi-dimensional space by existing and prospective cyber insurance clients.

For the purposes of this blog, I’m going to assume that my readers know what each element means. I will discuss each element in my book about the insurance industry and cyber.

Red Pill or Blue Pill?

I hope that the (re)insurers quickly take the red pill.

** My experience analyzing the known and potential impact of technologies and their applications on the insurance industry and insurance commerce is entirely IT and Telco focused. I will do some research in OT / Industrial Control Systems for my book about the insurance industry and cyber. But, I would appreciate any guidance that any of you with industrial / industrial security / industrial cyber security experience can give me.
