A conversation with CEO Arvind Parthasarathi on Cyence's broader opportunity, where cyberinsurance is headed, and how he thinks about the rise of startups providing security risk ratings.
Over the last couple of years, a growing number of major industry players have moved to invest in, acquire, or partner with cyberrisk specialty firms.
The latest was by Aon, which agreed to acquire NY-based cybersecurity specialist Stroz Friedberg to “augment (its) risk-mitigation services, while also providing insights to help insurers expand and create new cyber offerings.” Last year, AIG took a minority stake in cyber investigations firm K2 Intelligence. And earlier, Marsh collaborated with Cyence to power its Cyber View and Cyber Monitor services.
Cyence recently emerged from stealth with $40M from NEA, IVP and Dowling Capital Partners to provide economic modeling of cyber risk for the insurance industry.
We chatted with CEO Arvind Parthasarathi on how to think about Cyence’s broader opportunity, where cyberinsurance is headed, and how he views security risk ratings in the marketplace.
What is Cyence?
There’s four components to how I think about this company. The first is around the cybersecurity problem: there’s lots of great technology that’s out there, but there isn’t any amount of money that you can spend on cybersecurity to give yourself a guarantee that you will not have an event. So how do you actually solve for this problem? It technically can’t be solved, it has to be thought of as a risk.
Secondly, when we talked to people in the industry, we realized cyber is an opportunity and a peril. It’s a fast-moving market for premium growth, but on the other hand, there’s also billions or trillions of dollars of exposure. The insurers need an economic risk model and a framework to deal with both.
In the marketplace, we saw lots of ratings and scorecards that you can get on a company’s cyber posture, but we found the insurance industry wanted a different take on the same problem, which was having an economic view, largely because the insurance industry is looking at things in aggregate, whereas the cybersecurity industry is focused on protecting individual companies…
Finally, in order to be able to do all this economic modeling, we realized this wasn’t a technology problem. A large portion of the claims that are being paid out have nothing to do with technology: many of them are insiders or accidents or privacy violations. There’s an excessive focus in cyberinsurance on cybersecurity and technology, whereas in reality the problem the industry is solving is really a human behavior problem and being able to have an effective model that can have capital deployed on it.
Our primary marketing mechanism so far has been customer word-of-mouth. That’s changing a bit today because the use cases are all over the map. Pricing depends on the use case. Some use cases are very different because we’re very embedded into how customers think about risk management.
On where cyberinsurance is headed
To me, I think data breach is a great start for the industry. It’s a great market and addresses a core need that insurers have but frankly, cyber is going to permeate everything. The question I often ask is what risk does a P&C carrier writing today have that does not have a cyber component five years from now? The one statement we can all make is the contribution of cyber to overall risk five years from now will be more than four years from now, will be more than three years from now because this is a risk that is only monotonically increasing.
That is the opportunity for the insurance industry because most of the world does not have the ability to buy all the latest gadgets and technologies to make themselves safe and frankly even if you do there’s no guarantee you will prevent the threat.
But for most of the world they can’t even afford it so what insurers will have to do is start to balance risk prevention and mitigation with risk management and transfer to get this stuff off their books and simultaneously charge for it and build a new revenue stream.
On security ratings for the insurance industry
At the end of the day, there’s lots of information about a company’s cybersecurity posture you can get and most of this was designed around two use cases: one was actually selling into the end customer and the second was vendor management. But that’s a very different problem than actually saying, “You know what, I believe this is the number and here’s my capital that I’m going to bet against it.”
I think the insurance industry recognizes that random ratings about a company’s cyber posture from botnets, vulnerabilities and spam and all that is great, but what the industry is really looking for is probabilities. They’re looking for dollars, severity curves and probable maximum loss, which is removed from where the industry is around technical ratings.