Expert: Cyber Risk Modeling Requires New Way of Thinking

January 23, 2017

Arvind Parthasarathi, founder and CEO of Cyence, a San Mateo, Calif.-based cyber risk modeler, believes that rising to the demand of cyber threats calls for a completely different way of looking at cybersecurity.

He thinks that effectively battling the threat and modeling for it requires thinking “more in terms of probabilities and dollars, rather than all the firewalls and vulnerabilities.”

He spoke with Don Jergler, Western region editor of Insurance Journal, about the new frontier of cyber risk.

This has been edited for brevity.

Insurance Journal: Can you discuss some trends that you think our insurance community readers and listeners need to know about?

Parthasarathi: Interestingly enough, cybersecurity, and I’m going to start to use cyber for short, is probably a great opportunity and a great threat for the insurance industry. It’s a great opportunity because cyber insurance is a fast-growing market depending upon who you ask. It goes anywhere from $3 to $5 billion, and people see it tripling in the next three years.

On one hand, it is a fast-growing premium opportunity stream. Simultaneously, the section of the market, there’s a tremendous amount of demand happening because cyber insurance is not just being purchased by large companies.

The smallest companies in the world are also the ones that are at risk for some of these cyber threats, and they don’t have the money to invest in technology solutions, and whatnot. That actually turns out to be a great sweet spot for the insurance industry, which is a lot of these small medium businesses.

Simultaneously, while it is an opportunity, it is also a threat. It’s a threat from two different perspectives. The first aspect is what a lot of people are concerned about, the cyber risk to a non-cyber book.

This could be your property book, your D&O, factories, industrial control systems, the Internet of Things, that’s coming up, and all of these now can be triggered by a cyber event. The factory could burn down because a human being sets fire to it. It could also burn down because of a cyber event through an industrial control system.

On one hand, you have all these insurers with billions of dollars on their balance sheets having exposure to cyber. The other component of the cyber threat is for insurers themselves. Increasingly, we’re seeing regulations on both sides of the Atlantic, and a variety of other regulators that are now driving various types of changes, and modalities in insurers themselves. Obviously, the insurance industry itself is a target because of the amount of information there is about clients and customers, and what does that mean in terms of being compromised.

IJ: When evaluating cyber risk, what is one area to look for that often contributes to cyber events?

Parthasarathi: When we think cybersecurity, immediately our mind focuses on technology, computers and software, and vulnerabilities, and firewalls and all that good stuff. That technology is certainly a source of risk. When modeling cyber risk, the biggest risk at the end of the day is human beings. It’s human behavior.

A lot of what we have to do is start to model the people, and the process associated with cyber, because that is often the vector that is the way an organization gets compromised.

Let me give you a very simple example. On one hand, you may think about hackers from various parts of the world breaking into systems, but a very large portion of cyber claims that the insurance industry is paying out are actually not hackers. They are malicious employees or sometimes, they’re accidents. Imagine somebody losing a laptop on the train.

In some sense, you have to think about the human component, and the behavioral component. We’ve all heard stories about how people build great security systems, and then they type in the password on a Post-It note, and put it on their monitor.

That analogy is what we’re seeing again and again where it’s the human behavior of people, and process that has to be factored in addition to the technology.

IJ: How do you quantify those challenging factors?

Parthasarathi: We need to start to think about this completely differently than other types of insurable risk. If you think about traditional (risk), whether it’s a natural catastrophe or other kinds of risk, the threat is well understood. There’s a lot of history and a lot of data, and most importantly, there is an authoritative source of data. You can go to the U.S. Geological Survey, or you can go to the U.K. Met Office, and you have the exact information of what happened. Whereas in cyber, in order to understand this, there is no authoritative source of data.

The first challenge in some sense is actually collecting data, and being able to collect that data on millions of companies, and doing that at scale because that’s how you’re actually going to be able to build out a compelling model.

Now, you have to start to collect that data, and that data has to inform these risk models. Now, it’s very commonly known that when the new ShakeMaps come out in the U.S., it takes a year or two to make it into the various risk models, whereas in cyber, we don’t have that much time.

Most of the risk that’s happening in, let’s say, 2013 or ’14, is almost irrelevant now. Those tech vectors in the cybersecurity world are not even being used anymore. We need to have a way of not just collecting this data at scale without that authoritative source, but then being able to influence a risk model in that iterative fashion, and as the risk changes, get more data and vice versa.

In some sense, the shift here in how we’re doing the risk modeling is less about collecting data from an authoritative source and modeling it. It’s more about collecting the data yourself, and iterating between the data, and the risk model because cyber is one of those unusual threats which is constantly evolving. It’s constantly changing.

For instance, in 2014, one of the biggest areas of source of risk was a lot of these vendors, your suppliers. Somebody hacks into your supplier and then comes into you. In 2016, we’re seeing completely new sets of threats, and the supplier one is far less compelling. Now, we’re starting to see more around fraudulent wire instructions and so forth.

As the time evolves, we have to change how the models behave and we have to change how the data behaves. That’s the big challenge in the cybersecurity modeling problem.

IJ: What influences changes in how cyber risk is managed via insurance?

Parthasarathi: The big aspect that the insurance industry is bringing to the cyber risk discussion, as I mentioned, is before this, it was all about IT. It was all about information technology. It was a technical problem.

Increasingly, when you start to think about it as a business risk, one of the questions I always ask people to think about is how much money can an organization spend for a guarantee that it will never have a breach? The answer is, it doesn’t exist.

No matter how much you spend, we see organizations spending hundreds of millions of dollars on cybersecurity being breached as we see organizations that spend almost nothing on it.

The moment you start to have that little shift into risk where you start to think about it as dollars and probabilities, the insurance industry then can enable the broader market to actually have a more substantial discussion about risk.

Whenever there is risk, we always balance risk prevention with risk transfer, whether it’s for your house, for your company, or for anything. In cybersecurity, it’s almost significantly biased towards risk prevention.

By quantifying it in dollars and probabilities, and helping organizations understand, “Well, this is how much I’m spending. How do I balance this with purchasing coverage for various kinds of risk that I cannot control?” it becomes a more healthy conversation.

Especially for the world’s small businesses, because while large companies can afford to buy the latest and greatest technology, a lot of the world’s small businesses cannot afford to do that, but they still have to do business in the 21st century.

In some sense, this is the power of the insurance industry. To be able to help the world’s businesses move on to the 21st century in a way that they actually can be protected because they can’t buy the latest and greatest technology, but they do understand and can buy insurance. That I think is the great opportunity for the insurance industry.

From This Issue

Insurance Journal Magazine January 23, 2017