Managing general agents for reinsurance are rare. Reinsurance MGAs that write cyber are even rarer, which is the world that Envelop Risk inhabits.
“We think we’re the only insurtech firm involved in cyber reinsurance from an underwriting perspective,” said Jonathan Spry, CEO and co-founder of London-based Envelop Risk. He acknowledged there are companies, such as CyberCube, which focus on analytics, as well a small number of MGAs that underwrite cyber reinsurance, but he believes Envelop Risk is the only insurtech in the cyber reinsurance underwriting space.
Cyber is a risk that many reinsurers are wary of given the potential for a global, systemic cyber event, akin to a cyber pandemic. After all, it’s hard to diversify and control aggregates if a risk doesn’t respect geographic boundaries.
Spry, however, said his company relies on machine learning tools and its data-driven underwriting approach to select better risks and better insurance underwriters, which ultimately protects the balance sheets of reinsurance capacity partners.
“We certainly model the risk and ultimately would expect to have a catastrophe for cyber. There’s never really been a true cyber catastrophe, but one day that will come,” Spry affirmed.
“We still think cyber reinsurance will be profitable. It may suffer unprofitable years when there is high cyber catastrophe, in the same way that property cat reinsurance will have a couple of very bad years every 10 years or so, but then take profits in the other years,” he said. “There is that potential for such volatility, but it hasn’t happened yet in cyber.”
While some large traditional reinsurers focus on carriers that write smaller corporates in order to limit their exposures, Spry noted that insured “company size is not the largest determinant of risk.”
“Certainly, if you’ve got a big portfolio of SMEs, that is likely to be better diversified. However, I think those that have a big portfolio of SMEs, which all get hit by a ransomware attack, could see a large exposure,” he added. “Actually, some of the larger corporates are better protected against ransomware. So, I think the idea that you can avoid risk by just having SMEs is actually a bit of a fools’ paradise.”
What Envelop Risk has found is there is still good underwriting margin in some of the larger businesses, but perhaps not the very largest, Spry confirmed. “With larger businesses, you have to be very, very focused on what the potential exposure is, but we would certainly include both small and midsize enterprises and larger corporates in the portfolio, and we think that’s the best way to get spread.”
Envelop Risk is using “a sophisticated machine-learning approach to assess risk, which is way beyond the kind of heuristics of just selecting by company size and industry and so on,” he continued. That approach informs Envelop Risk’s Bermuda business, which operates as a reinsurance MGA, while its UK parent is focused on analytics and providing platforms for new areas of underwriting for insurers and reinsurers.
There are actually a lot of other characteristics to consider beyond the size and industry heuristics, such as looking at the company’s footprint, the nature of the company, what people have said about them, how well-known they are and how likely they are to be a cyber target, Spry explained. “Do people really know about them and their vulnerabilities? Are there known vulnerabilities within the cybersecurity industry, and what makes them attractive as a target?”
Spry said the cedents in Envelop’s reinsurance book write a spread of risk across many industries and geographies in Europe, the UK and the U.S., helping to increase risk diversification for the reinsurance capacity providers.
“Further, we have some skin in the game, effectively, through our structure, our compensation structure, the commissions, so we are incentivized to seek and select only the better risks for our portfolio. We also like the idea of reinsurance as a service—where we provide feedback to our clients and share some of our risk thinking and technology with them.”
Envelop Risk’s principal source of cyber reinsurance capacity is MS Amlin, which also shares the risk with four or five other insurers, although those companies are not publicly disclosed. “There is quite a lot of risk sharing. We put in a lot of structures to protect MS Amlin’s balance sheet in terms of the different types of business we’ve underwritten and the diversification in the portfolio,” Spry said.
For example, Envelop’s reinsurance structures mostly sit excess of loss, he said, explaining that the reinsured entity retains the first tranche of losses before the MS Amlin reinsurance kicks in.
Spry wouldn’t disclose Envelop’s capacity levels for its cyber underwriting, other than to say that it is “quite a large capacity, which, on a per-deal basis, is one of the largest in the industry, particularly for excess of loss.”
“The larger reinsurers may offer a little bit higher levels for proportional risk, but certainly in the excess market for reinsurance, we believe we’re the leading player—perhaps in the top two, maybe three reinsurers of cyber.”
MS Amlin announced that it purchased a strategic stake in Envelop Risk in May 2019. In May of this year, Envelop Risk announced a Series A investment of approximately $6 million, led by AI-specialist investor Alpha Intelligence Capital, which is being used to expand Envelop Risk’s investment in proprietary machine-learning and data-driven underwriting activity in London and Bermuda, as well as fueling growth into new global markets.
At the Beginning
With 20 years’ experience in reinsurance and investment banking, Spry decided about six years ago to become an entrepreneur. “I began by doing some advisory work, which led me to a team who were working in risk analytics, some of whom came out of Lockheed Martin, and another guy who had been doing consulting work with the likes of NASA,” Spry recalled.
“They told me they had an approach to risk using machine learning, and they thought it could be very useful for cyber risk and for cyber insurance,” he said. “About four years ago, we jointly decided the opportunity was so compelling that we should just clear our desks of everything else we were doing and concentrate on building a new company.”
So, rather than being a software company with bright analytics guys knocking on the doors of insurers with great tools to license, as many insurtechs have done, “we figured we would actually try and use these proprietary pricing tools ourselves.”
“That led us to decide that we could function as a reinsurance MGA in Bermuda. We got to know MS Amlin and decided we would partner with them,” he said. “We realized that by entering the market through reinsurance we could scale quickly and best utilize the core competitive advantage we had in the use of machine learning and portfolio risk analytics.”
After its Series A financing, Envelop Risk is looking at new lines of business and other potential capacity partners to work with as well.
Changing Risk Profile with COVID Crisis
Spry expects that the pandemic will change the risk profile of cyber. “With everybody working from home, there is much more use of online transactions, payments and business in general. The exposure has grown.”
“We think probably the recognition, visibility and need for cyber insurance has grown along with the growth of digital working. We actually expect there’ll be more demand for the underlying insurance products as a result of the COVID era,” Spry emphasized.
“We haven’t yet seen a big uptake in reinsurance, but we think that may be coming because we know that the demand for insurance is increasing as people see the value of cyber products.”
Envelop Risk only will reinsure affirmative cyber cover, via a standalone policy or as an explicit add-on or endorsement to another policy, but where there is a separate premium, he said, noting that the company avoids so-called “silent cyber exposure” by refusing to reinsure a property or casualty portfolio that does not separate and remove the cyber risk.
“The best way to deal with silent cyber is just to get rid of it. People should not be putting in badly worded exclusions that may or may not cover cyber. The better way to do it is to strip it out and deal with it as an affirmative product,” he said. “We’ve seen some really good momentum building around that philosophy; a lot of brokers share that belief too.”
The cleanup of silent cyber is well under way at Lloyd’s, in some of the larger European insurers as well as some of the larger U.S. primary insurers. “Cyber is now more likely to be excluded from property policies, particularly, which means there is a greater push to sell standalone affirmative cyber. This is a very, very useful thing for certainty and for the development of cyber insurance,” Spry said.
The three articles in this special series are:
Was this article valuable?
Here are more articles you may enjoy.