VIEW 12
Fish gotta swim...
Many countries have a traditional foodstuff that is a national delicacy, but which outsiders find hard to stomach. So much so, that it can be used as a test as to whether you are a real local or not. In Taiwan it is “stinking tofu,” in Iceland it is rotten shark meat called “hakarl,” and in Japan it is smelly fermented soybeans called “natto.”
In Japan in the 1980s, I once asked a waitress for a natto maki. “No,” she replied, “you will have a ham sandwich because foreigners prefer ham.” “But I am a foreigner and I like natto,” I said. “No,” she said again, “you will have ham because foreigners prefer it.”
The point of the story is that once I had been categorized as a foreigner, a number of other things followed, regardless of the situation or the context. Categorization is a useful summarizing tool, but since it leaves context behind it can also be dangerous.

A question like, “What is the best chess move in the world?” is meaningless because the best move is wholly dependent upon the context of the board at that moment.
Biology is a science of categorization, into species, phylum, genus, and class. “Fish gotta swim, birds gotta fly…” go the lyrics to a famous song in the Broadway musical Showboat. But there are birds that swim, like a penguin, and there are flying fish. So, categorizing something as a bird and assuming that it must fly can sometimes be misleading. Categorization transforms the real world into a statistical data set. While it is true that “if you can’t measure it, you can’t manage it,” it’s also important to acknowledge that sometimes the things that you can count, don’t count.
Cyber risks are primarily categorized by insurers based on industry classification. While a useful first step, it can be a dangerous oversimplification. Two companies could be classified as being in the warehousing sector. But if one is a fully automated, robotic warehouse, and the other a shed with a couple of workers with clipboards, then these are two very different risks from a cyber perspective.
In cyber, perhaps more than in any other line of insurance business, context is important. That’s why application forms have become so detailed. Beyond just the industry sector, the specifics of how a company conducts its business are also required.
- How dependent on the web are they to make sales?
- Do they make heavy usage of the cloud? If so, for what processes?
- How are the corporate networks configured? What are the backup strategies?
- Do they keep credit card data?
These are the type of questions that give greater insight into the level of cyber risk. Context enables “underwriting through understanding.”