Cyence, an economic modeling platform designed to assess cyber risk has been getting a lot of attention in the insurance industry, as it already raised $40 million in funding and has collaborated with Marsh to form its Cyber View and Cyber Monitor services. CB Insights had the opportunity to sit down with CEO Arvind Parthasarathi to discuss cyber insurance and cybersecurity risk rating providers.
Parthasarathi explains that Cyence focuses on key components. The first addresses the cybersecurity problem and the fact that spending money on cybersecurity cannot guarantee protection from a cyber-event and therefore, it must be thought of as a risk. Next, cyber provides an opportunity for growth while potentially exposing an organization simultaneously. An economic risk model must allow insurers to address the opportunities and perils of cyber. Third, there is a plethora of cyber ratings programs designed to rate an organization’s cybersecurity practices (which generally focuses on protecting individual companies), but none are catered specifically for the insurance industry (which generally looks at things in aggregate terms, from an economic view). This is how Cyence differentiates itself with the competitors. Lastly, Parthasarathi explained that cyber economic modeling is not always a technology problem, as many cyber-events and claims are a result of insiders, accidents, and privacy violations. Cyber insurance largely focuses on cybersecurity and technology when in reality, much of the problem revolves around human behavior and “being able to have an effective model that can have capital deployed on it.”
In regards to security ratings in the cyber insurance industry, there is much information about an organizations cyber posture that can be gathered in two ways – by “selling into the end customer” and “vender management.” However, Parthasarathi believes that’s very different than saying, “You know what, I believe this is the number and here’s my capital that I’m going to be against it.” In the end, ratings about an organization’s cybersecurity gathered from botnets, vulnerabilities and spam can provide great insight. But the insurance industry, Parthasarathi explains, “is looking for dollars, severity curves and probable maximum loss, which is removed from where the industry is around technical ratings.”