The increasing threat from cyber attacks has presented the insurance industry with its biggest opportunity in over a century, according to Pascal Millaire.
The CyberCube CEO joins host Matthew Grant to discuss the expansion of the cyber insurance market since his first podcast appearance in 2019, and why the world’s largest insurance institutions are turning to CyberCube to manage their cyber exposures.
Talking points include:
- Business interruption and lessons from Covid-19
- The role of data, and how to access it, in improving modelling capabilities
- Establishing clear exclusions and lines for cyber risk
- How brokers are engaging with their clients and using analytic tools
- Why regulation is key to tackling cyber risk
- Capital markets and public-private partnerships
If you like what you're hearing, please leave us a review on whichever platform you use, or contact Matthew Grant on LinkedIn.
Sign up to our newsletter for a fresh view on the world every Wednesday morning.
More information about CyberCube is available in our InsTech London members section.
Powering profitable cyber insurance growth - Episode 120 highlights
Matthew: Pascal, it's good to be talking to you again. For those unfamiliar with CyberCube, can you explain what you're doing?
Pascal: We believe that cyber risk presents the greatest opportunity P&C insurers have had in over a century. In a world with billions of IoT devices, the explosion of data and automation of industries, cyber risk will reshape risk, the economy and society, and therefore the entire P&C insurance industry. That's going to require a new breed of analytic tools to price risk, underwrite it, model it and to sell policies. Tools with new interdisciplinary techniques that the industry hasn’t used before.
That’s where CyberCube comes in. We’ve established ourselves as the world’s leading SaaS analytics provider for insurance. Our goal is to be the pre-eminent partner to P&C insurance as cyber risk transforms the industry.
Matthew: Can you give us some examples of companies that you are working with?
Pascal: 17 out of the Top 30 US cyber insurance carriers use our data and analytics to power their cyber insurance growth. We’ve focused on the world’s largest and most sophisticated insurance institutions first. If we can serve those institutions, we can serve the thousands of other brokers and carriers that will need to engage with cyber risk to be relevant in the 21st Century.
Examples include large reinsurers like Munich Re, large carriers like Chubb and reinsurance brokers including Guy Carpenter and Aon. We learn as much from those clients as we teach them. We’re also creating data feedback loops that mean CyberCube customers can access data and analytics that no other ecosystem participant can access.
Matthew: When we spoke in May 2019 you were concerned about people feeling there wasn’t enough data to model cyber. Have things changed since then?
Pascal: The industry has recognised that often there’s too much irrelevant data and too much noise. What it needs is a company that can sift through the noise to find the signal, then undertake the QA, the deduplication, the synching to company names. Then it needs to provide the APIs needed to consume the data in a way that an actuary, underwriter, or modeller can use.
We screened over 100 data partners and ended up with a couple of dozen that provide us with terabytes of data per month. We sift through that, make it usable, and augment it with CyberCube's proprietary signals and data feedback loops from our clients to deliver the right data in the right format.
Matthew: The last time we spoke was before Covid-19. What has changed concerning the awareness of cyber risk, and Covid-related cyber risk?
Pascal: The emergence of Covid-19 reflects a broad theme in cyber insurance of a transition from confidentiality of data, to the availability of data and business interruption.
The pandemic has reinforced that business interruption is an essential risk for enterprises. A factory fire or a natural disaster, although still important, is eclipsed by business interruption from human and computer viruses. It’s a risk that insurers need to rise to the challenge of.
Matthew: It must have had an impact on how people are looking at their cyber policies to understand what they are covered for?
Pascal: That’s right. The industry, particularly on the cyber side, needs to look at the lessons learned from the pandemic around languages, cleaning up languages and looking at silent cyber language.
But the industry also has a lot to be proud of and should be singing from the rooftops in terms of what it has done with the cyber specialty line in particular. If we look at stats from the Association of British Insurers, cyber insurance policies do pay out and it’s more than just writing a cheque. The value from a cyber insurance policy is access to incident response, crisis communications, and regulatory engagement.
The cyber insurance industry has done a fantastic job creating products that work and provide value. It should be marketing that story in a far more forceful way than it does.
Matthew: Another recent event was SolarWinds. Was that a catastrophic cyber loss, or just another warning shot?
Pascal: It’s still too early to know the full extent, but it’s a big deal. SolarWinds was a digital supply chain attack against a company that serves a large portion of the Fortune 500 and US government agencies, with a sophisticated nation-state threat actor sitting behind it.
The difference for the insurance industry is this was an attack on the confidentiality of data, that led to a kind of data loss. When we look at aggregation events that lead to the very worst industry losses, they’re often availability and business interruption attacks, not confidentiality and data loss events.
From a cybersecurity perspective, this was a very important attack that has opened eyes to digital supply chain vulnerabilities. From an insurance perspective, business interruption and availability events typically lead to far greater losses.
Matthew: What's your perception of what's happening with larger MGA cyber providers? In some cases, they are doing the analytics themselves and that’s a big part of pricing the risk and giving the buyer confidence.
Pascal: Cyber presents an opportunity for a golden age of insurance innovation, which makes the industry more relevant than it's ever been. These new tech-enabled MGAs are just one example of that innovation.
Companies can’t be P&C insurers without engaging with internet-connected risk. There is over a trillion dollars’ worth of losses in the market each year due to cyber. I look at the tiny fraction of those losses that are insured and see opportunities for products, new forms of underwriting, automation, risk mitigation and risk management solutions. We're at the very beginning of a renaissance in P&C insurance, driven by cyber risk.
Matthew: Five years ago, Allianz published a report saying there would be £25bn in insured premium for cyber by now. We haven’t reached that level, so is the market not ready? Or is the capacity not there?
Pascal: I’d deal with that in two parts. The first is a lot of cyber risk doesn't reside in standalone cyber insurance policies. It resides in Directors’ and Officers’, business interruption and product liability policies. In the NotPetya aggregation events, over 90% of the losses landed on non-cyber insurance policies.
When people just look at the affirmative standalone cyber insurance market, they’re missing just how big cyber risk is to virtually all lines of insurance. That’s led to a dramatic cleaning up of policy language, the introduction of affirmative cyber endorsements, clear exclusions and lines between cyber risk and different policies.
The prospects here look very good. One of the world’s largest reinsurers recently predicted the market tripling over the next five years. The standalone market will become a bigger portion of all lines, and unless we stop connecting the globe to the internet, it’s just going to continue.
Matthew: You've started selling to brokers again in the last few months. Clearly, they see value in what you do, so what have you built and how are they using it?
Pascal: We launched Broking Manager in Q2 of 2020 and took some of the same analytics used by leading insurers and reinsurers to quantify cyber risk and provided a subset to brokers. We've already sold to about a quarter of the top US brokers and expect to be at half the top 50 leading brokers by the end of 2021.
The product extension is a slam dunk for the brokers, who want to know what could happen to them from a cyber perspective and what it could cost. That’s information that CyberCube is uniquely positioned to provide.
In 2013, cyber risk was, according to Allianz, the number 15 risk for enterprise insurance buyers. Last year it was the number one risk. What we found when rolling out Broking Manager was brokers were more willing to have a first-time cyber insurance discussion. When it comes to renewal, they’re finding they should be buying double, triple, quadruple the cyber insurance coverage they’re buying today.
Matthew: Traditionally, the buyer would be the risk manager, but presumably with the size of the companies you’re dealing with, it’s not purely a risk manager’s decision?
Pascal: Those risk managers are now being asked what the company’s cyber exposures are by the CFO, the CEO, and the board. What they want to know isn’t technical information, it’s financial cyber risk and dollars and cents.
By providing the information in dollars and scenarios, we’re speaking the language that others in the organisation use. That resonates with enterprises that want to improve their cybersecurity programme and understand it in financial terms.
Matthew: Regulation is a big driver of business growth. We've seen a lot of activity in the UK with the PRA and equivalent regimes looking at regulatory and rating agency perspectives. Do they understand cyber risk?
Pascal: This is an area that’s experienced tremendous movement in the last 12 months and will see a lot more in the next two years. Regulators and, to a certain extent, rating agencies are really important stakeholders. That’s why CyberCube convened a quarterly regulator dialogue series for regulators from different jurisdictions to share their thinking on cyber regulation and insurance.
It's telling that at last year's Advisen Awards, the Cyber Disruptor of the Year didn’t go to a carrier, it went jointly to the Bank of England and Lloyd’s for the regulatory work they’re doing.
Regulators in other jurisdictions are looking to the UK to inform their cyber regulation. Europe, the US and even Asia are starting to look at the impact of cyber aggregation on the financial solvency of insurers and are finding that a lot of aggregation doesn’t sit in an affirmative underwritten cyber insurance policy, but in other lines of insurance where it's not adequately priced. Regulation is going to be a critical driver of cyber insurance living up to its long-term potential.
Matthew: Hudson Structured Capital is one of your investors. They are a major investor in catastrophe bonds. Are you starting to see third party capital coming in to provide cat bonds for cyber?
Pascal: Given that we're looking at a trillion dollars plus of losses per year, the numbers are so large that capital market participants will need to get involved. In some cases, the numbers are too big even for capital markets and there may need to be public-private partnerships. That is something that C-Suite executives started talking about with some frequency in 2020.
There are some products announced on the cyber ILS (Insurance Linked Security) side. But we need to temper the enormous size of the opportunity with the fact it's very difficult for ILS investors to invest in all-peril, all-region. In the same way that it's difficult for them to invest in an all-peril, all-region nat cat ILS instrument.
Capital markets need to start with targeted offerings focused on business interruption, and contingency business interruption for specific single points of failure. When we get into parametric triggers, we can start to define contracts in very precise terms. It’s also a way to start chipping away at this enormous opportunity, which could exceed the size of the entire nat cat ILS space over time.
Matthew: What are your thoughts on the year ahead? We got some great insights from Rebecca Bole on our predictions event, which are available on Podcast 118. What are you expecting to happen in cyber insurance in 2021?
Pascal: That podcast was great, and building on what Rebecca said, there are three things to look out for in the cyber insurance market. Number one is more thoughtful pricing and underwriting. Attritional losses are starting to ratchet up, driven primarily by the seemingly never-ending rise of ransomware. That's forcing carriers to be far more thoughtful about who they underwrite and how they price them.
Secondly, there will be a renewed focus on catastrophic cyber losses, driven by regulators, rating agencies and board risk committees. A lot of that focus will be on cleaning up the language that exists outside of the affirmative standalone cyber insurance line.
The third thing is innovation. Innovation in terms of new non-damage, business interruption products, new distribution, new bundling. Enterprises will even start to take risk transfer into their own hands as they think about the billions of dollars of liability they might have in the event of a cyber attack. We're still in the very early days of flourishing innovation, driven by cyber risk in the P&C market, and we're going to see a lot more of that in 2021.
Continuing Professional Development - Learning Objectives
InsTech London is accredited by The Chartered Insurance Institute (CII). By listening to an InsTech London podcast, or reading the accompanying transcript, you can claim up to 0.5 CPD hours towards the CII member CPD scheme.
- Claim 0.5 hours for listening to Episode 120 of the InsTech London Podcast