Cyber-Insurance is the next great frontier for insurers as more and more companies buy protection in the age of massive and regular cyber-attacks.
PwC suggests the global cyber insurance market could grow to at least $7.5 billion in annual premiums by the end of the decade. PwC also suggests insurers need to move quickly to innovate before a disruptor such as Google enters the market.
When looking at CyberInsurance, a solid provider would have to cover the basic of an insurance policy like liability but would also have to add additional cyber specific support like:
- Crisis Management - Covers the cost of managing the incident including customer notification, credit monitoring and implementation of a public relations campaign to rebuild the organizations reputation. Additionally they would help manage the entire response from detection to resolution through a breach coach and agreements with other cyber support functions like (call centers, mailer companies, forensic specialists, cyber extortion negotiators, etc)
- Cyber Extortion - Covers the payment to resolve a cyber blackmail situation and provides the technical expertise to help track down the blackmailers
We all know Google is the sultan of search and has an unmatched view of the internet as a whole. It can see into dark crevasses of the internet no one else can.
- Cash - Google generates more cash per quarter than most insurers (e.g. Chubb, AIG, Travelers, etc). It therefore has enough "cash" to payout customers and support them if a policy is executed.
- Profitable - Under the new CFO, Google is working on profitability by killing many moonshots and concentrating on activities that can provide interesting returns. Obviously insurance is a numbers gave and Google can make it profitable.
- Data Science - Insurance has always been a math problem and no one does math better than Google
- Visibility - Three of the key metrics in the risk equation are likelihood, Impact and velocity. Most insurers make best guess estimates based on past experience with some modification for future changes. Google sees the entire attack surface of the Internet and can make very educated guesses about who is likely to be targeted, when and how.
- Support - More important that money, most victims look to their cyber-insurer for support during the incident. They need help understanding who is doing it (attribution), how they are doing it (reverse engineering), what else they could have compromised (Indicators of Compromise) and how to clean it up. Google has the technical experts to support companies through the entire process. Of particular interest is the reverse engineering and attribution pieces that only a handful of companies can do really well.
- Customers - Google has a tone of consumer products and has incredible name brand recognition. Google is once again the #2 most valuable brand in the world (link).
As reported in the NY Times, Sony's life insurance business is what is helping it survive.
So Google has the motive (a renewed push for profitability) and the capability (cash and technical). The only unknown is do they have the desire? Only time will tell but I think this is something they will branch out into sooner or later