Property/casualty insurers continue to explore ways to better insure cyber risk. Cyence digs deeper, modeling the financial impact cyber events can cause.
Launched a little over two years ago in Silicon Valley, Cyence’s debut product is an analytics platform that quantifies and models the financial impact of cyber risk. Cyence came out of stealth mode only in September 2016, with news that it raised $40 million in venture funding from investors including New Enterprise Associates, IVP and Dowling Capital Partners.
Nearly 100 people work for the San Mateo, Calif.-based company today.
How did Cyence come about? What are the company’s longer-term plans and goals. Carrier Management Editor Mark Hollmer addressed these questions and others with Cyence co-founder and CEO Arvind Parthasarathi. Below are highlights of his email responses, edited for publication.
Q: Are you a founder in an investor sense or did you come up with the cyber modeling technology?
Parthasarathi: I’m a software engineer specializing in data analytics. Since graduating from MIT, I’ve spent over 20 years working for companies like Oracle and Informatica, applying data analytics to real-world problems.
As I was doing market research, I noticed cybersecurity was an existential risk in the 21st century. While the entire cybersecurity industry was focused on building products and services to help organizations defend themselves, I saw an opportunity to look at cyber risk in a completely new way—in dollars and probabilities.
My co-founder [Cyence CTO George Ng] was the chief data scientist at my previous company, and we built Cyence from the ground up with a single focus: to create an economic risk model for cyber risk. We conceived and developed our economic risk modeling technology, onboarded a dream team spanning two very different disciplines that had never come together before—cybersecurity experts and economists/risk modelers—and then built our platform, secured customers and empowered them to be successful.
Q: Why was a cyber risk modeling platform necessary, in your opinion? What do you hope to accomplish with it?
Parthasarathi: In the wake of several high-profile breaches over the past few years, cyber is moving from just an IT problem to a profound business risk. Businesses are quickly realizing that cyber attacks are the norm, rather than the exception, and cybersecurity technology defenses cannot guarantee protection against this ever-growing threat. To wit, is there any amount of money an organization can spend on cybersecurity to guarantee it will not be breached?
When risk prevention and mitigation can only go so far, organizations begin to look for risk management and transfer (i.e., insurance).
As a result, the cyber insurance market is growing rapidly. Recent PwC research estimates that premiums in the space will rise from $2.5 billion in 2015 to over $7.5 billion in 2020. However, the challenge for the insurance industry is how to quantify cyber risk—from risk selection to accumulation management.
The insurance industry has built extensive economic and risk modeling capabilities for a range of other types of risk, such as property, auto, natural catastrophes, etc. Cyber risk, however, requires a fundamentally different modeling approach due to four important issues:
- There is no authoritative data source—like the U.S. Geological Survey or UK Met Office—and the data to build a cyber risk model has to be collected.
- Cyber risk is constantly changing and the threat vector continuously evolving.
- Cyber is essentially a human risk where human behavior, in the shape of people and processes, has to be modeled just as much as technology.
- Cyber has a myriad number of paths of accumulation that need to be evaluated.
Cyence is the industry’s first and leading platform to quantify cyber risk in dollars and probabilities. Cyence’s solutions help the insurance industry more effectively manage cyber risk—from prospecting and selecting to assessment and pricing to managing portfolios, exposures and accumulations.
Cyence is building an economic risk model robust enough that insurers can deploy capital against it. Most of the cybersecurity technology is targeted at the world’s largest companies, who are also the most resilient to a cyber attack if it happens since they have the balance sheet to weather the storm.
That said, most of the world’s companies are much smaller and don’t have the resources, expertise or budget for the latest cybersecurity technologies—yet the cyber risk for these smaller companies is existential since they can basically go out of business with a cyber event. That’s where the insurance industry comes in since it can enable most of the world’s companies to continue to do business in the 21st century through risk transfer/management. It’s interesting to think that for many of the world’s companies, the solution to this 21st century problem is coming from insurance that has been popular since the 17th century!
Q: What is your target market?
Parthasarathi: Cyence is focused on the insurance industry, and our customers span the insurance value chain from brokers to carriers to reinsurers to rating agencies.
Q: Do you have clients yet? If so, who?
Parthasarathi: Cyence customers span a who’s who of the insurance industry. For example, Marsh is the world’s largest insurance broker and is using Cyence to provide a range of risk advisory services to its clients, as well as develop unique insurance products to bring needed capacity to their more challenging customer segments. In another example, A.M. Best, the insurance industry’s leading rating agency, works with Cyence to better understand the risk exposure of insurers’ portfolios and move the cyber risk discussion to the critical topics of probabilities and dollars, severity curves, and probable maximum loss. Many of our insurance customers are using Cyence to launch new products to market.
Q: You recently named an advisory board. Is that typical for modelers (i.e., more traditional catastrophe modelers) to have this?
Parthasarathi: The challenge with cyber risk is that it requires bridging two very different disciplines: cybersecurity and economics/risk modeling. The catastrophe modeling firms do not have expertise in cybersecurity, and the cybersecurity companies don’t have expertise in risk modeling. It’s a question of company DNA, not just hiring a few people from the other side.
Cyence was built on the twin pillars of cybersecurity and economics/risk modeling. Our CTO, George Ng, is a Cal Berkeley graduate with a Ph.D. in Economics, and he also worked on cybersecurity at DARPA and DHS. That’s a rare combination, and we have built an entire company around that kind of expertise spanning economics/risk modeling and cybersecurity.
Even our advisory board spans cybersecurity and economics/risk modeling. Our board members bring a depth of expertise across cybersecurity, risk modeling and insurance that is absolutely invaluable as we continue to innovate quickly and develop deep partnerships with our clients necessary to achieve our strategic goals.
Q: What kind of data do you use to create a cyber modeling scenario. How does the process work, in layman’s terms?
Parthasarathi: Because of the numerous event methods in cyber, there are multiple, wide-ranging factors that are germane in determining cyber risk. The dynamic nature of cyber risk requires this data be regularly collected and new candidate factors and models be explored. Many elements help determine a company’s risk profile, including but not limited to user profiles, web traffic, technology stack, malware protection, internal processes for protecting secure information and response to events, human behavior and expertise, training, and so on. While some of this information is accessible through surveys, the concerns with reporting accuracy and at-scale comparability make it challenging to leverage this data in driving risk models. Cyence has created a diverse and scalable data engine to non-invasively collect human and machine data to create comparable and objective factor measures to drive the Cyence risk models.
Something we have learned is that no one data source is a silver bullet, and no data source stands by itself. Our core IP revolves around collecting and integrating multiple data sources to create model-ready inputs from the raw data seamlessly while extracting the most robust and actuarially relevant signal to better project forward risk.
Q: Are you widely selling product at this point?
Parthasarathi: Yes, the Cyence platform is in general availability and already in use by our customers, which include brokers, ratings agencies, insurers and reinsurers.
Q: What upcoming business move can you tell us about?
Parthasarathi: Cyence is working with our customers on a variety of new and innovative programs and products. We’re also expanding our customer base to include some exciting new verticals and with that, increasing our headcount with the right executives to further our mission of helping insurers quantify cyber risk in probabilities and dollars. Stay tuned!