In this episode, Matthew Grant discusses the challenges in building a cyber model for insurance pricing and portfolio management with Pascal Millaire, CEO of CyberCube, who is over from the US visiting his UK office.
CyberCube was launched in 2018 as a spin-out from Symantec. Since being launched, CyberCube has signed up major insurers and brokers as clients, including CNA, Chubb, Munich Re, Guy Carpenter and JLT Re.
The issue, according to Pascal, isn't a lack of data. It's just that that data is hard to come by, hard to cleanse and hard to make sense of for someone trying to underwrite a risk, or manage cyber aggregation. He discusses the benefit of having behind-the-firewall data access from partners such as Symantec, and the ability to offer a forward-looking view of risk before trends become claims.
CyberCube were also one of the speakers at the InsTech London Cyber event in October 2018 and full details of the event and videos from the night can be found here.
For more information on the developing cyber market, read Matthew Grant's article Cyber risk: insurance black hole or a massive opportunity?
To find out what we have coming up for future InsTech London events, and to read what we have to say in our weekly newsletter, find us at www.instech.london.
Transcript for this podcast
00:09 Matthew Grant: Hello and welcome to the InsTech London Podcast. This is Matthew Grant, one of the partners at InsTech London. Today, we're delighted to bring you an interview with Pascal Millaire. Pascal is the CEO of the fast-growing cyber-modelling company CyberCube, who in the last year have already signed out contracts with some of the major insurers and reinsurers including Munich Re, Chubb, CNA, as well as a couple of brokers, such as Guy Carpenter and JLT.
00:45 MG: Pascal, welcome to London and thanks for joining the InsTech London Podcast. Are you a podcast listener yourself?
00:51 Pascal Millaire: You know, I'm not. The only podcast I listen to is The New York Times, The Daily. But I suspect by the end of this interview, I'll also be subscribing to your one.
01:02 MG: Good, well so, CyberCube, you sort of came out of, I guess, stealth mode last year. You've got a background in Symantec. It would be helpful to hear a little bit about what it is you're focusing on at CyberCube in terms of what you're offering to the marketplace?
01:18 PM: Sure. Well, perhaps we'll start with a bit of context, which is in 2015 it became apparent that cyber insurance was the fastest growing line of insurance to emerge in many decades. And that growth was showing no signs of abating. So, Symantec as the world's largest cybersecurity company, wanted to know if there was an opportunity for Symantec to participate in that growth. And in particular, given the company operates one of the world's largest civilian intelligence networks with a lot of data, the CyberCube business unit was set up in 2015 to try to make sense of that data with some of the hardest problems that insurers were facing as they were seeking to insure, to underwrite, and to model this very new risk.
02:08 MG: Given all the attention around cyber, although again I want to come back to the lack maybe, of large CAPS cyber events in the last couple of years and what that means in the market. But there was a report recently from Willis, which was focusing on cyber, it had 70 companies listed in there. Interestingly, I think it missed out two of your main competitors. But as you position yourself in the market and you talk to insurance companies that are seeing a lot of activity in this space, how do you differentiate CyberCube and what you're doing in a way that you can actually get to decision makers in those organisations?
02:45 PM: We play a very, very specific and quite niche role that we think is really critical to the future of this entire industry. We're not an MGA. We're not a start-up insurer seeking to disrupt incumbents. We're playing a very unique role within that ecosystem, where our role through our software as a service analytics platform is really to enable controlled growth in incumbent insurers and reinsurers. So, I think as you look at this landscape and you look at the investment that's going on to disrupt the insurance industry, I think no doubt there will be disruption, but equally there's a critical role to be played for companies like CyberCube that partner with incumbent insurers and re-insurers, and in our case enable them to grow in a controlled way, in one of their fastest growing, most important and most strategic risks that they're going after.
03:55 PM: And I think we're in a really unique position to do that quite distinctively. And one of the reasons for that is, I believe, any good modelling really lies on the foundation of having very good data. And so the fact that CyberCube continues to have exclusive, behind-the-firewall data access from partners such as Symantec, that means that we're able to offer a forward-looking view of risk before trends become claims. And that's a really, really important thing for insurers to do if they're trying to model this risk and understand it. I think in the cyberspace it's not enough just to rely on historical claims. It's lots of near-miss data, if you like, coming from the cybersecurity landscape, that I think is really very, very important.
04:52 PM: One of my pet peeve topics in this space is when people say that the big problem with cyber insurance is the lack of data. And I really disagree with that point because I would argue there's actually never been a line of insurance, of P&C insurance, with more data available to it. The issue isn't a lack of data. It's just that that data is really hard to come by, really hard to cleanse, really hard to make sense of in a way that someone trying to price this risk, underwrite this risk, or manage cyber aggregation needs to do.
05:37 MG: If it's possible to narrow it down this way, what do you see as the one or the two key problems that insurers are asking you to solve? It's not an MGA so clearly you're not acting as distribution, you're not looking at their capital, but what are they hoping that you can help them solve or make better decisions on?
05:58 PM: Two of the things that are really important to a cyber insurer in this market today; the first is underwriting or single-risk selection. Insurers are turning to CyberCube to help them really look at a more technical and data-driven risk analysis to help them choose who to offer cyber insurance to, and at what price? And critically, to allow them to understand the difference between attritional risk or cat risk loads that they might wish to layer on top of a cyber insurance policy that they are selling. So the first thing that we're really helping insurers with is single-risk underwriting.
06:49 PM: The second is on enterprise capital management. I think as insurers are selling 1000, 10,000, tens of thousands of these policies, there is real risk of accumulation and aggregation and insurers need data-driven tools to be able to understand that aggregation and accumulation for their own internal reporting, for regulators, for rating agencies, for reinsurance transfer purposes. And so, those are two areas, underwriting risk and modelling catastrophic cyber aggregation, that we're helping insurers with.
07:33 PM: And I would say that equally important is to serve insurers on those topics, we've really found that insurers don't want separate tools to run and manage this risk, in the same way that perhaps for other lines of business, you can treat cat risk separately from some of those more attritional losses. This is a space where you really need the same data, the same assumptions, the same models, and you need to make sure that that data is delivered, and those analytics are delivered to that enterprise risk management individual, or that underwriter, in a form that they can understand, which is often not the kind of technical data and technical analysis that a cybersecurity or technology company might be feeding to an insurer. Because the insurance industry really needs very different things packaged in very different ways.
08:29 MG: Yes, because ultimately, it's your key inputs to underwriting; you need to give people information where they can make a decision on it so you can provide as much data as someone could possibly ever get. But if they can't actually make a decision on it, then they're actually no better off, or maybe even worse off than if they didn't have that data. Just to come back to you, you talked earlier about behind-the-firewall. Can you just explain that a little bit more, about what that means versus the other ways of people characterising cyber models?
09:02 PM: Sure. So one of the more common ways to access data that I think startups and other technology companies are starting to use in this space is outside-in, publicly-available data scraped from the internet and from IP traffic, for example. And we think that's a very important component of modelling, and it's certainly very helpful to be able to see something from the outside. Saying that, we also believe it's simply not enough to credibly model the space. So as an example, you need to actually get behind the firewall and see information from the inside. To give you some examples, given around half of claims that our clients are seeing today come from email - email phishing - you simply can't have a perspective on email phishing attacks and trends without seeing email data, which is behind the firewall. So we're very fortunate to be an exclusive data partner of Symantec, which scans a considerable portion of the world's enterprise emails every day.
10:21 PM: Similarly, when we look at cat events and catastrophic cyber events, ultimately, some of the very worst events are infections at the endpoint: Malware, viruses that self-replicate and spread really rapidly. Well, if you really want to understand that and model that, you need to get behind-the-firewall data from those endpoints that help you discern to what extent are those endpoints under attack, and how you model the spread of malware once it starts spreading. So we think that that behind-the-firewall data is a really crucial part to credibly modelling this risk. And we're very fortunate to now be working with more than just Symantec as a data partner to help us credibly model this for insurers.
11:19 MG: And that behind-the-firewall, and the resolution of data you get there, is that important because underwriters are now looking to do individual account-based underwriting, and they want to know, for example, what is the risk to BMW? Or is there something different that's happening with the data that is important, that is less directed towards the individual account underwriting? Because I think one of the questions and one of the risks of anybody building a model is the balance between, does an underwriter or a company want to use it at the portfolio level, versus are they going to use it for risk selection? Two very different approaches, two different levels of capital that are going to be behind; a cat risk versus a whole portfolio. So in terms of what you're offering for CyberCube, are you giving people the ability to go into that individual account level, or are you more at the portfolio level?
12:13 PM: So we offer both. And I think some of the most distinctive analyses for us end up coming at the micro-segment level. Because what we're able to do with our modelling is to say, "Okay, well let's look at a particular industry like online retailers. Let's look at a particular geography country like Germany. Let's look at a particular revenue band. So, in excess of $100 million in revenue. And then let's look at that micro-segment and really understand from a behind-the-firewall perspective, to what extent is that a segment that adversaries are targeting? To what extent is that a segment that has really good patching cadences, for example?" And I think that micro-segment information is just absolutely critical if you're an underwriter, trying to understand this risk and trying to understand the differences between perhaps another micro-segment like a West Coast United States hospital system, for example.
13:31 PM: So, I think at CyberCube, we endeavour to provide information at all levels. I would say one of the challenges is always differentiating the signal from the noise. We have a lot of data points that are available on an outside-in, publicly-scraped basis, rather than at that behind-the-firewall micro-segment basis, about companies. And a lot of that we do think is noise, frankly, but there are also signals that we think are very, very important in terms of differentiating single risks and single companies. For example, if you're wanting to understand the relative web security of a company, I won't tell you it's very easy, but certainly, there's a very, very direct link to the observable SSL security of the web assets that they have, and the security posture of the website of that particular company.
14:45 MG: I'm sorry, just for anybody who's not familiar with the terminology – SSL - what does that stand for?
14:51 PM: Right, so that basically is a form of secure, encrypted internet traffic.
14:58 MG: How do companies assess the right choice? There's a choice around the functionality of the tool, there's a choice around the reputation of the business, but a lot of companies these days employ smart people, and sometimes they actually build the models. How do you help educate your clients in what you're actually doing? How do you find that balance between how much information you reveal and things that may be proprietary or confidential, because you don't want it to get out into the competitive market? So, how do you provide enough information for people to get confidence that they can understand what you're doing? And in particular with modelling, understand the assumptions - they don't expect them to be right - but not give away too much?
15:43 PM: Right, I actually don't see that as a major concern, giving away too much in this particular space. So, transparency is really important to us in terms of our inputs and outputs. And I think what we've found, quite contrary to where you're going a bit with that question, in terms of revealing what's proprietary, the more layers that we show to our insurance clients and re-insurance clients, and the more that they see the incredible amount of work that goes into the modelling that we're doing, the incredible number of data sources that we pull from, and the sophistication of the models, the more they find that they absolutely don't want to do this themselves and realise the value of what we're providing. So, actually, we take quite the contrary view of actually, really going very, very deep into our models, as deep as our clients wish to go in terms of those inputs and outputs.
16:45 PM: Saying that though, I think it's also really important that clients really do own their own view of risk. Because ultimately, if you're a carrier that has hundreds of millions of dollars in premium, going on billions of dollars in premium, tens of billions of dollars of total sum insured, you really need to understand the tools that you're using. So, some Silicon Valley companies like to talk about providing a solution, and I really shy away from that term. I actually like to think about what we're providing as a tool and a set of tools, but ultimately, carriers need to understand those tools, understand how to use those tools, understand the limitations of those tools, and really develop their own capability in-house to really get up to speed on what is a very, very important new risk.
17:46 PM: And so one of the first things that we do when we on-board clients is, we've flown people out to as many as 10 different cities around the world to walk through our methodology, our data sources, our assumptions, so that people know what's going into the model. And it's also why we provide them with the ability, on the output side, to go into enormous amounts of granular detail, particularly on our catastrophe model, so that this isn't a black box. They can look at year loss tables, slice and dice different cost indicators, and even look at loss at the single company level, after running through simulations of the model. So I think that that openness and transparency, and also at times the humility to say what a model can and can't do or what its limitations are, is very, very important. Sometimes, I find something of an inverse correlation between how confidently people talk about their ability to understand and model this risk, and their understanding of it. Because this is very difficult, it is very fast-moving, and it's one that we really partner with our clients to understand how to make the most of the tool that we've created.
19:11 MG: Yes, that makes a lot of sense, certainly in my experience of working with people who are buying the tools, I guess, they often can build models, have built models, and one of the most important things for them is an understanding of the assumptions and awareness, as opposed to somebody having over-confidence, which just scares anybody who knows how to build these things. One of the themes we're hearing a lot about is the artificial intelligence and the potential to actually move away from underwriting altogether, on the basis that your algorithms are correct. Do you see a time, or maybe even this is where you are today, where you provide your tools, you've got the work that's gone into building these in a way that helps the client, so do you see the opportunity moving more and more to that kind of ‘detached’ use of tools, and underwriting no longer needs an underwriter, and as CyberCube gets better, help people just push the button and the results will come out?
20:15 PM: So I think about artificial intelligence a little bit differently than many of my Silicon Valley peers. And I think there are a lot of misnomers around artificial intelligence, including when I hear people talking about it, I hear people having implicit assumptions that artificial intelligence is about using really expensive computers to solve really hard problems that are simply too complicated for the smartest human beings on the planet, when the reality is actually often the opposite. Artificial intelligence exists and is being deployed today, not because, or not with very expensive computers, but because computing power is cheap and abundant. It's not best always deployed with the very hardest problems. It's actually very well suited to very easy problems and not always the most complicated, but often problems that are too monotonous for human beings to really bother with. And in fact, some of the best applications of artificial intelligence aren't for solving problems that the world's smartest human can't solve, but rather solving problems that a fifth-grader might be able to solve, if you had armies of fifth graders. And therefore those are some of the best-use cases for artificial intelligence.
21:55 PM: And it's curious to me that it's a term that has become really trendy recently. But if you go back to the history of Symantec, just use one example. Symantec was founded in the 1980s which makes it something of a dinosaur in Silicon Valley amongst Fortune 500 companies, but it was actually founded within the Stanford Research Institute for Artificial Intelligence. People talk about machine learning, in 1983 Symantec was spun off from the machine intelligence corporation started within Symantec. So actually, artificial intelligence is a term that's been around for a long time, and one that just happens to have become more in vogue recently. And so, although at CyberCube, we are using artificial intelligence, it’s to solve some really interesting problems. For example, we're using AI to train our models to pair loss data and claims data on the one side, to very, very large security datasets on the other, and have some wonderful data scientists doing that, developing world-class models. But actually a lot of the applications of AI within CyberCube end up being for very, very simple problems for which computers are actually a better way to solve very easy problems of scale.
23:39 PM: So to give you an example, our Enterprise Intelligence Layer, (I was about to say EIL but that would have been my second acronym so I avoided that one) is used by insurers, and it might have 10,000 cyber-insurance policies maybe 30,000 or 50,000 cyber-insurance policies. And they want to match the companies that they're selling cyber insurance to, to some relatively basic data, where they're trying to augment that data with the SIC4 code of that industry. And that's actually a relatively basic problem to do, even with a Google search, but one that's actually a really good application for what some might call artificial intelligence, or one I'll also just talk about, modern computing techniques.
24:35 PM: So to come back to your original question though, so what does this mean for an underwriter? What does this mean for a cat modeller? Are they going to be replaced in the future? I think absolutely not. I think what's going to happen is a lot of the monotony of those roles is going to be automated away. They're going to have better tools. And so actually being a cat modeller or being an underwriter becomes a far more interesting profession, when the tools that you're using really allow you to do a lot more and engage your brain in really difficult and interesting problem-solving and teasing out the ‘so-whats’.
25:20 MG: So that's great confidence for anybody listening who is both a modeller or an underwriter, that certainly CyberCube won't be displacing them from their role anytime soon. And maybe that's also, Pascal, part of the reason that in terms of your clients, you've been growing quickly, in the last 12 months, in terms of some of the people you've signed up. It would be interesting just to hear a couple of stories really about why, for example, a big organisation like Munich Re, they make decisions very carefully, often very slowly, have chosen to embrace CyberCube? And also, are you seeing companies going down the multi-model route? Or are they deciding quite carefully who to go with in this area, and then essentially being a single model operator?
26:09 PM: So it's probably a cliché for someone in my position to say this, but we certainly think about not just selling to our clients, who are amongst the world's largest and most sophisticated insurance and reinsurance institutions, some of whom have publicly talked about us, which we're very flattered by. But we really have done, I think, a great job of partnering with our clients. We're really with them all the way, from the highest levels of the organisation, down to perhaps the more entry-level underwriters. And so that's everything from at the C level, at the CUO, CRO level, really helping them with one of their most strategic topics. Putting on events like one we're actually going to be doing in London in June, in association with work undertaken for the World Economic Forum by UC Berkeley to really tease out some of the implications of cyber-esque, global heads of cyber insurance, we've partnered with them with a large delegation of some of the world's largest cyber insurers and reinsurers at the RSA Conference last week, all the way down to frontline users that were putting on webinars, user events and training.
27:37 PM: So we've really been partnering with our clients if they use one model or multiple models, if they have their own internal capability and their own internal models or they're building their own internal models, to deliver a lot of value on the platform with our product. But also, delivering value to them off the platform as well by partnering with those clients all the way and doing whatever we can to really support them. Yes, on the multi-model issue, I do think it's important that insurers build up their own capabilities internally.
28:21 MG: Well, congratulations, Pascal, because like I said, you came out of stealth last year and are making some really strong headway. Just changing tack a little bit, but just as you look at what's made you successful and look at other companies out there that are growing, what advice would you have to somebody else that's starting up a business and trying to grapple with some of these issues, both about how to engage with clients and also how to actually recruit and build business themselves?
28:50 PM: Well, recruiting is the single most important thing that we do. And once people arrive at CyberCube, as a leadership team, we're committed to creating an environment that attracts, retains, excites exceptional people and allows them to do the best work of their careers, which I realise is a very lofty goal, but one that we hold ourselves accountable to. And the challenge in this space for us at CyberCube, is in order to solve the problems that we're trying to solve, we need people with actuarial backgrounds, cybersecurity backgrounds, software engineering backgrounds, data science, commercial insurance, we have multiple cyber economists and people just with good, fundamental problem-solving skills. And that's really very, very tough to get the best and brightest in all of those domains. But I think we've done a really good job of creating a culture at CyberCube that allows those domains to work well together.
29:58 PM: And so, advice that I would have is always be recruiting. Speaking of which, email@example.com, C-Y-B-C-U-B-E.com, see if you can edit this out at the end as a promotional plug, but we are always looking for new talent, for people that have a passion for solving some of the hardest problems in insurance, and people that can work in a cross-disciplinary way. And I think my biggest advice is really to pay an inordinate amount of attention to your people proposition and the culture that you're creating. Because ultimately, if you have a strong, high-functioning team that's going after a hard problem, that's where the magic happens and that's why it's one of the most important things that we do.
30:51 MG: Great. Pascal, it's been tremendous to catch up with you, and no, we will not edit out your recruiting email address. You've been a big supporter of InsTech London and it's the least we can do. We'll actually even put that in the notes of the show as well. So thank you very much, it's been great to catch up. Thank you again for your team support at InsTech London, we had Ollie talking there last year. And we have to see you there or certainly get more of a team there again. But thank you, and safe travels back home to California.
31:20 PM: Wonderful. Well look, it's been great to be a part of the Insurtech community here in London. I think one of the things that makes Silicon Valley special is the ecosystem of different companies that exist that make other companies successful. And I think one of the things that makes London really special as an Insurtech hub and why we're investing in London is that ecosystem. And I think InsTech is becoming a core part of that ecosystem, so it's an absolute pleasure to be a part of it.
31:53 MG: Good, thank you very much.