Insurance and the Computer Industry

Bruce Schneier
March 1, 2001

In the future, the computer security industry will be run by the insurance industry. I don’t mean that insurance companies will start selling firewalls, but rather that the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.

Consider security and safety in the real world. Businesses don’t install alarms in their warehouses because it makes them safer; they do it because they get a break in their insurance rates. Hotels and office buildings don’t install sprinkler systems because they’re concerned about the welfare of their tenants, but because building codes and insurance policies demand it. These are all risk management decisions, and the risk taker of last resort is the insurance industry.