New risks present new opportunities for insurers, but different risks may require different approaches. That’s the case with cyber risk, according to Roman Itskovich, co-founder and Chief Risk Officer of At-Bay, a San Francisco-based insurance distributor specializing in digital risk. The company seeks to set a new standard of underwriting and managing cyber risk and has adopted Guidewire Cyence (San Mateo, Calif.) to help it do so.
In a conversation at the InsureTech Connect conference in Las Vegas in late September, Itskovich stressed that an adequate approach to cyber risk requires an understanding of the dynamic character of the risk, an understanding of the technology relevant to the exposure, and capabilities for actively responding to cyber risk and quantifying both risk and countermeasures.
To illustrate what’s different about cyber risk, Itskovich compared it to natural catastrophe risk. NATCAT losses are mostly geographically driven: a hurricane may affect a swath of territory in the Gulf of Mexico or the Southeast. A cyberattack manifests around clusters of technology users, which are not necessarily clustered geographically.
“Cyber risk or catastrophe differs from NATCAT in that when you underwrite a risk portfolio in the latter category,your only possible risk mitigation is praying that an event doesn’t materialize,” noted Itskovich. “In the case of cyber risk, we don’t need to pray—we can actually do something about it.”
At-Bay calls that intervention “active CAT management,” consisting of proactive management of cyber risk through a kind of continuous monitoring and reacting. Whereas insurers typically review a risk once or twice a year to reevaluate traditional risks, cyber risk moves too fast for that approach. “Data collection and engagement have to be continuous,” Itskovich said. “It’s not just monitoring but also responding to the risk—like having an active conversation.”
At-Bay seeks to go beyond merely executing that active conversation to being able to quantify its effects on cyber CAT. .
“We want to have a number to say, “Here’s what it’s worth,” for reinsurance purchasing, but also to start people getting used to seeing this number so that they’ll accept it as an industry standard,” Itskovich added. “We want to translate active CAT management into an insurance standard metric, that doesn’t currently exist in the market.”
That’s where Guidewire Cyence comes in. At-Bay began a selection process in July 2022 and signed a contract roughly a month later.
“Cyence came head and shoulders over other vendors, so wasn’t a very difficult decision,” Itskovch commented. “Cyence has the strongest data collection capabilities in terms of depth and frequency, and specifically with regard keeping current.”
In addition to the quality of its offering, Itskovish said the Guidewire Cyence team is very open to collaborating on the creation of the capability to quantify active CAT management.
Quantified View of Exposure
Itskovich noted at the InsureTech Connect conference that it had been about a month since At-Bay had signed a contract with Guidewire Cyence. “The integration is quite significant, but the result we expect is to come up with our portfolio’s quantified view of exposure,” he said.
Itskovich suggests that the big reinsurers remain anxious about cyber risk precisely because the capability to quantify active mitigation efforts hasn’t existed in the industry. “Underwriting cyber without active cat management is very risky,” he comments. “I understand why big reinsurers are anxious about cyber because this capability doesn’t exist. We’re the only ones doing this as far as I know.”
“This becoming standard will serve the insured by avoiding large events,” Itskovich adds. “It will help reinsurers and capital providers more generally to avoid volatility—it’s like moving a property out of the path of a hurricane.”