What inhibits insurers always wanting the best security? writes Prof Martin Gill, pictured, of Perpetuity Research.
It has often been viewed as something of a common-sense impression that insurers will always be a big supporter of the best security, always being prepared to endorse good initiatives that are aimed at reducing crime with cheaper insurance premiums for example. After all aren’t insurance companies one of the key commercial benefactors of good security? Logically, better security means lower crime, means fewer claims, which equals more profit, right? In this paper I want to argue why such an argument is simplistic. This paper explores some of the potential reasons and posits some thoughts for change. It is based on a small sample of five interviews – and therefore only a small part of the insurance sector – and is therefore intended to stimulate thinking and debate rather than suggest definitive positions.
Context
It has long been recognised that ‘security’ covers a wide variety of activities, the same is true for ‘insurers’ even when discussing roles in relation to security. For example, some insurance companies have their own security personnel to protect them against different risks. This may involve a single individual or a whole department. In a different way underwriters will be involved in assessing clients or potential clients on their risk profile and this may include threat assessments and required (security) response. Insurance brokers may employ or engage security expertise to assess their clients’ risks and help them to improve their response to attract a lower premium. These groups, and others besides, will vary considerably in their knowledge of and experience in security-related risks. Terrorism is something of a specialist area but what about more routine threats? What factors can be identified to explain why insurers might not seek the best security in every incidence?
In the interviews two contrasting examples were evidenced. In this first case the interviewee reflects a depth of knowledge and contacts:
My guys have 25 years experience and they know a lot of companies, we will have specific security companies and all will be audited, and can even be under formal contract. Take empty premises, we have dealt with (a) single contractor for a few years, we stipulate what we want. We know that empty buildings can be like that for a minimum 8-10 weeks, and most contractors will have an install cost and under our contract there is no installation cost, we can typically have this in place for any evening by calling at 3pm that day. So straight away we are distinguished from other insurers. (Ins 1)
Contrast this with another interviewee who admitted that some security risk assessments that are undertaken are less than excellent:
We don’t have a set of questions about security. When we send our surveyors there are certain things they will ask about, and will ask about risks and then zoom in about the security that affects those, but we don’t ask certain questions every time about security, we should perhaps. We might have certain questions to ask but we don’t write them down anywhere. (Ins 3)
Another point made was that sometimes the expertise of the assessor may be less than that of the person he or she meets on site to discuss risks, and that may limit the ability to probe or recognise when answers given are weak or inaccurate:
… Even when you go to site, it may depend on who you meet and how much the person knows. (Ins 3)
There is a commercial imperative.
Insurers have to make judgments, business is about taking risks, and insurers may make assessments that the risks are low or affordable however bad the security.
Another interviewee noted that the commercial imperative can mean that insurers cut corners on security requirements. He was no longer involved in front line work but admitted that in the past he and colleagues had been encouraged to ‘be commercial’ and recognise that what would be ideal may not be necessary in a competitive environment. He summed up the position this way:
In the insurance business in relation to crime, you can never underestimate the importance of the market; there is so much competition, it is difficult to make a profit. What I hear more and more is that this is the new normal and it is ongoing … So they may have a report that the customer should spend more on protection and they will write letters to their client and then the Broker will say we have a cheaper premium and they drop all that for this year. There is only so much business … each insurer is there to make a profit and being specific about this and standing on ceremony would just not work. (Ins 4)
Often the best security will not be necessary, or at least the requirement to have it can impose a cost which might drive clients elsewhere:
The core industry is afflicted with this problem of the customer walking away of the policy is too expensive. The insurance industry may speak against security improvements because it will add costs. (Ins 4)
Security is not the key concern for insurers anyway.
A more general point that was raised was that crime threats – and in particular burglary – are so much lower today than they were in previous years. As such insurers interest in and concerns about security are much lower than in the past. Indeed, generally other risks feature much more prominently, for example fire. There were at least two key points made here. The first was that fires are generally much more costly than crime incidents in part because more products and parts of the property are affected:
Fire costs more … Also with fire you have an interruption to business, that also costs money, you may not even be able to trade from the business, but a break-in is generally much less intrusive and so costs less. Once you put security in it stays there and the changes are less frequent. (Ins 1)
Second, fire risks were considered easier to assess:
… there are certain things about fire that are standard, what you need, processes and controls, claims experience it is straightforward … It is easier to have different views on security. Knowing the risks is not so easy. (Ins 3)
Other interviewees noted the prominence of other risks that are much higher up the agenda, such as storm or flood damage. This raises the question as to whether security is committed enough to showing how it helps prevent the types of concerns most important to insurers:
However what they are really worried about are losses that cause an insurance pay out. So protecting systems may matter, an air conditioning system hacked is a serious loss if it means staff cant come to work, and lifts not working meaning people cant get to the right parts of the organization matters. Theft is not a big deal. So security of systems that do matter can make a difference. Does security say what it can do to protect them? (Ins 5)
Where is there scope for thinking differently?
First, to establish effective links. Even on an operational level there is a benefit in rekindling some of the contact that once existed:
There use to be (a) relationship (between) the insurance surveyor and security. This was good for all sides. But now teams work from home, and they don’t mix together and with others. Reinstituting this would be good. (Ins 1)
Second, and this follows in the same vein, it was advocated that security personnel take more time to better understand the requirements of insurers:
Security should be asking: what is the requirement of insurers? Via the client they need to get what the actual insurer wants … if you get the insurer specification then you can quote with a lot more certainty. (Ins 1)
This is already commonplace in some contexts but not all.
Third, to make it easier for insurers to recognise good security from bad security. This has a number of dimensions. On one level it requires a better understanding of the different standards and approval bodies and the status they have:
(The) security world could present the different accreditations: it would be helpful. But it would be difficult because there are different opinions and interpretations of things. If the insurer is putting their money down they will decide. (Ins 3)
Related to this is the need to improve the level of security offered. Some saw wisdom in a new industry kitemark, and there would be support for differentiating companies in the Approved Contractor Scheme.
A higher standard we might take notice of and go to specific companies who we know can deliver that. (Ins 1)
On another level it was noted that part of the difficulty of the security world is that it is difficult to communicate with:
There is no one voice big enough. In security it is not all pulled together. It is all fragmented. (Ins 5)
A fourth point invites the security world to rethink its relationship with insurers, specifically by identifying the ways in which the work it does can help prevent and respond to concerns that are more of a priority for insurers. For example, what are the ways in which good security can help prevent fires, or a good security response can be part of an effective contingency should there be a flood? This underlines the importance of showing how good security is more important than just good security; there will always be other benefits. As one interviewee said the security world needs ‘to get across to customers and their insurers that their whole operation would be more resilient if security is good’ (Ins 5). Another interviewee put it this way:
Is security going to step up? Good security can save money, provide a duty of care, keep the regulator off my (insurer’s) back and alleviate regulator’s concerns’. (Ins 2)
Good security is good for the company overall, because it is indicative of a good risk culture, makes them more honest. (Ins 4)
There were other points including the old chestnut that for a breach of fire regulations or health and safety then leaders can be prosecuted and go to prison. Presenting security as a key partner of fire/health and safety and showing how security breaches lead to legal headaches would generate more interest from a range of stakeholders and insurers are likely to be one.
Conclusion
It is important then, when we discuss the broad worlds of insurance and security that we recognise the existence of a complex array of entities fulfilling varying roles with inevitably different interests and expertise (and much more than has been included in this limited study). That said there are a variety of reasons why insurers may sometimes only be a bystander in debates about how to achieve the best security.
At its heart is the reality that insurers cannot be assumed to be knowledgeable about security (although they often are), and sometimes the key security expertise is internally focused rather than towards clients. Then there is the commercial imperative which applies to insurers as it does to any other business savvy stakeholder, and here good security, let alone the best security, may not be commercially viable. Related to this is the fact that security-related risks are rarely the most pressing and will generally take a place in a queue behind fire and floods for example. That said, crime evolves; crime types and targets change so this is a constantly moving space.
There are options for improving the position, such that insurers become a more engaged stakeholder. Suggestions here included more strategic and operational engagement such as the need for security to more routinely understand insurers’ needs. The security world though needs to simplify the process of distinguishing between the good and the average, if not the best and the good. This may involve a new kitemark and differentiating standards within the ACS, it night also be improved by the security sector speaking with a more united voice; its fragmented nature renders it difficult to communicate with. Charlotte Howell and I have argued this case more fully in a ‘Strategy for Change’.
It must be emphasised that this was a limited study aiming to raise issues for further research and debate. What it does do though is provide further evidence that the security sector needs to take responsibility for fuelling a strategy for change that has been set out recently. The opportunity is there to think very differently about security, but we need to overcome much of the current inertia, and those that are well placed to do so need to lead from the front, there has never been a better time.
For more about the Security Research Initiative (SRI), a rolling three-year programme of research, with each year producing a separate study, visit https://perpetuityresearch.com/security-research-initiative/.
