Building a Risk Machine, Part 1: What is a Risk Machine?
At-Bay provides cyber insurance for the digital age. Learn more at at-bay.com.
Understanding risk is the name of the game in insurance. When an insurance company differentiates between good and bad risks they can provide their best customers with lower prices while improving portfolio risk and profitability. That’s why we obsess over understanding cybersecurity risk.
At At-Bay our challenge is to build a system that can evaluate the cybersecurity risk of any company in the world. We call this system our risk machine — a combination of technology, process, and human judgment that receives a potential client as an input and produces an insurance quote (or a decision to decline) as an output. It needs to operate quickly, accurately, and economically. As it turns out, building a risk machine is a challenging and multi-disciplinary problem.
This is part one of a three-part series exploring the challenges of building our risk machine:
Part 1: What is a risk machine?
Part 2: At-Bay’s cyber risk machine
Part 3: Scaling our risk machine
Forget cyber. Let’s talk about car insurance
Suppose you offer car insurance in a world where the following two things are true:
- The only thing that matters for car insurance risk is the driver’s ability to drive safely.
- There are only two types of drivers: good drivers and bad ones.
If the insurer can tell between good and bad drivers, good drivers will be able to get lower prices because they pose a lower risk.
Unfortunately drivers don’t announce if they’re bad or good — they just say they’re looking for insurance. It is the insurer’s job to find data about the applicant that can differentiate between good and bad drivers. One example of this data is the age of the driver. It is common for car insurers to offer young drivers more expensive premiums because younger drivers are riskier on average.
This approach is an example of a simple risk machine. They first collect and verify a driver’s age. Next, they treat any driver younger than 21 as a higher risk. Finally, they increase prices for drivers below that threshold.
In fact, every insurance risk machine has these same fundamental parts:
- Data collection involves gathering and verifying relevant applicant attributes that help the insurer discern risk type. Insurers collect data through application forms and additional procedures such as background checks or independent evaluations.
- Interpretation turns raw data into a judgement of how much any given attribute increases or decreases risk.
- Aggregation and pricing takes all of your interpreted findings and turns it into a quote. (or a decision to decline)
How can you improve the risk machine?
The objective of the risk machine is to discover the true type of risk at hand. It’s one thing to know the overall rate of accidents, but it’s much harder to determine the quality of any given driver. A driver’s age brings us one step closer to the truth, but while age is easy data to collect and verify it’s also a pretty blunt differentiator. We still have a large variance in driving skills among people of the same age. A new insurer might come along and try to lure in young-yet-safe drivers with lower premiums if they can tell them apart from young-yet-risky drivers. In other words, if the new entrant can develop a better risk machine.
As a new insurer you would need a new underwriting approach to produce more accurate risk assessments. In many cases, this means collecting more data, interpreting data in a new way, or both. In our car insurance example you might speculate that young men drive more recklessly than young women. Or that drivers in areas with higher speed limits crash more frequently.
Unfortunately data acquisition is costly. Every additional question on an application form reduces the number of applicants that complete it. Collecting data outside of an application form, such as a background check, consumes time and money. To work, new data must increase accuracy enough to provide more value than the cost associated with acquiring that data in the first place.
Innovation happens when insurers design a risk machine that is more accurate at the same cost or equally accurate for less. Technology can make risk machines more efficient by finding new ways to collect, interpret and aggregate data. In car insurance, one example would be integrating with the driver’s navigation app to collect data on actual driving speeds.
This is what we’re doing to cyber insurance — leveraging technology to build a more accurate and efficient risk machine. We will explore how in Part 2: At-Bay’s cyber risk machine.
