
Driving Profitable Growth Through Digital Risk Flows in Cyber Underwriting

by Juan de Castro, COO, Cytora

This is a shortened version of the Making Risk Flow podcast, episode “Driving Profitable Growth Through Digital Risk Flows in Cyber Underwriting” with Roman Itskovich, Co-founder and Chief Risk Officer at At-Bay, and Jay Rajendra, Chief Strategy and Innovation Officer at Arch Capital Group, a panel at ITC Vegas 2022.


Juan: A few weeks ago, I attended ITC in Vegas. ITC is the largest insurance technology conference in the world, with over 5,000 attendees between insurance companies, MGAs, reinsurers, brokers, and technology providers. One of the hot topics this year was Cyber. Cyber is a fast-evolving line of business with growing demand for cyber protection, while at the same time, facing profitability challenges and rates going up, and supply going down. This perfect storm represents significant challenges for underwriters as they’re swamped with high submission volume, often quite complex. What we hear from most underwriters is that they don’t have the capacity to process all the submissions they receive, let alone spot the good risks. It’s pretty much a finding-a-needle-in-a-haystack type of environment. In this episode, I chat with Roman from At-Bay and Jay from Arch. We discuss their views on how they’re solving these challenges, and their vision to win in this line of business.

I think we’ve got a great panel today, we’ve got Roman from At-Bay, so digital native, Cyber MGA. Then we’ve got Jay from Arch, which is the more traditional insurer, but you’re doing a lot of interesting things in cyber underwriting. Should we start with a brief introduction? Jay, do you want to go first?

Jay: Hi, everyone. I’m Jay Rajendra, I’m Chief Strategy and Innovation Officer for Arch Capital Group. Arch is an $18 billion multinational insurer and reinsurer. Part of my job is being responsible for embedding data science, digital distribution, and automation into our global underwriting activities.

Juan: Roman.

Roman: Hi, guys. I’m Roman Itskovich. I’m a co-founder at At-Bay. At-Bay is a Cyber MGA. We underwrite cyber risk for companies in the US. We also provide security services, which for us is a core part of the value proposition, to help businesses stay safe regardless of coverage.

At At-Bay, I oversee our insurance products, risk, analytics, modelling, and everything that goes into understanding what the risk is and how you provide a good service while being profitable on the insurance side.

Juan: Thank you. They touched on this in the previous session, where is the cyber industry right now? It would be helpful just to spend a couple of minutes there to set the scene for the rest of the discussion.

If you want to start perhaps, Roman, with how do you see the cyber industry today? What are some of the opportunities and challenges?

Roman: Sure, happy to. Look, this panel is about profitable growth and cyber, so if you take the profitability lens, cyber was incredibly profitable six, seven years ago, everyone thought, “Let’s do more of it. There’s no risk. This is printing money.” ’19 and ’20 were years that proved, I think, that that’s not how it works. Profitability went down, and today, we’re in a place where prices went up significantly, and coverage was restricted significantly.

We see the industry coming back to profitability, so reinsurers are happier and carriers are happier. The product to customers is now worse because customers are paying more. That said, I think that the industry also is starting to recognise much more the thesis that we have, which is you can’t do just cyber insurance, you have to bundle it with risk mitigation as a way to create sustainability and service for the insured, but also to reduce the volatility of the line from the capital provider standpoint.

We are at the stage where we have some recognition of that. A small part of the market is pursuing those strategies. We and other MGAs are pretty keen on this part, but most of the market is still not doing it.

There’s a bit more comfort now because just the prices are up. When prices are up, everyone on the capital side is happy. That’s what I would say.

Juan: Jay, you and I were talking about this earlier, this cycle of a profitable line of business, everybody getting to the line of business, then insurers starting to pull out, or there’s some fear in the market, prices going up. We’ve seen this before in other lines of business and I think you made an interesting reflection.

Jay: I think you’re right. In many ways, what we’re seeing right now is in response to two things. One is this increase in ransomware claims that Roman mentioned in 2019 and 2020, which hit a lot of incumbents and a lot of other people who were writing cyber in fairly primitive ways.

Secondly, a lot of these headline-grabbing claims and hacks for large companies, whether it be Capital One, most recently, Uber. All of that basically challenges some of the conventional orthodoxies of the view of how we’re assessing cyber risk in the industry. We’ve seen that before. It’s not the first time. I think it’s most similar to what happened in property CAT in 1992, following Hurricane Andrew. The industry hadn’t seen a hurricane that big hit Florida. In today’s terms, it would probably be a $100 billion event. It made people realise back then that the simple models and assumptions that they were using to assess their hurricane risk weren’t adequate.

The same thing is happening in cyber right now. What happened back then is the same thing that we’re seeing right now, which is that insurers and reinsurers got scared, they pull back on capacity, so supply goes down. At the same time, insured and insurers realise just how much exposure they have to hurricane risk, so demand went up. You got supply coming down, demand going up, and you get that typical hard market. That’s what we’re seeing right now in cyber.

Juan: These types of analogies always help a lot to understand, we don’t need to reimagine the future. We’ve seen this in a number of lines of business. Using the same analogy, what do you think are the implications of the way cyber is underwritten in the next few years?

Jay: I think it can be very similar. If we look back at what happened back then is that insurers and reinsurers moved away from these simple models, simple assumptions, simple ways of understanding risk, and developed much more sophisticated models. Models that looked at how well buildings were protected and what their vulnerabilities would be to a hurricane. That’s exactly what we’re doing right now in cyber. That’s what everyone has now realised we have to do in cyber, which is to look at an account and look at risk and understand what protections it has in place and what are its vulnerabilities to an attack. That could be, obviously, MFA, multi-factor authentication. It could be patch and vulnerability management. It could be security and encryption. It could be EDR, endpoint detection and response. All of these different technologies and core tools and capabilities are now standard as an understanding of how you appreciate cyber risk.

Juan: It’s an evolution towards a much more data-driven cyber underwriting, and this is part of your core vision, Roman.

Roman: Yes. Look, I think that that’s absolutely true. I think that the main difference from Nat Cat, from our standpoint, is Nat Cat is where you get more information, you build your portfolio ideally with better risks, and you diversify it so that one event doesn’t hit the whole portfolio. You did that before hurricane season, and then you leave the portfolio and go to pray during hurricane season. Then once it’s over, you count your losses and try to price better for next year and build a better portfolio for next year. The view is static as the event unfolds.

I think in cyber, what we’re seeing and doing is we call it Active CAT Management, which is you try to identify events that will have a significant disruption in the portfolio, and then you actively try to manage them.

The metaphor you should think about is a pandemic. When COVID broke, everyone in the world was vulnerable, but not everyone was sick. It takes time for the virus to spread, and you can do things. You can wear masks, you can stop international travel, and you can develop vaccines, so that even if there’s a wide vulnerability, eventually, fewer people get sick because you used the time to prepare. We see a very similar dynamic with cyber, where as events start, we can develop detection capabilities and work with companies through this active engagement to contain it. I think that that’s something that is pretty new in the industry. It requires some capabilities that are more difficult. It’s not only the data, it’s also the relationship with the insured, the ability to respond, knowing what to prioritise, and knowledge to foresee attacker tactics. I think that that’s the main difference, which gives me hope that as this becomes more standard, we are going to be less worried about CAT and cyber, and have proactive ways to manage it.

Juan: I think that that point about active risk management, I remember when I was back at Hiscox. It was not Nat Cat, but it was for our personal lines, we said, “The biggest source of loss is a water leak in households. To actively manage that, we’re going to send our clients a device that detects water leaks, et cetera.” To some extent, it was a failure as an initiative. It did require clients to actively mitigate, and manage the risk. I think the approach you’re describing, actually, you do that active management yourself. You’re not imposing active management from the client, right?

Roman: Yes. I think there’s an important point that Jay here mentioned, which is, the market is high, and there is more demand. When there is more demand, as an insured, you’re trying to buy insurance, it’s difficult. You are asked to do all those controls. One of the things we ask our insureds is to be responsive to this type of engagement. Again, if capacity was widespread, you don’t need to do anything. Like back in 2015, you have a name of business, here’s your coverage, no questions asked, and it’s cheap. That’s very hard to do now.

Today, we’re in a different world where I think there is a much bigger recognition of the importance of cyber controls. Also, a lot more motivation driven by insurance terms to actually do something about those controls. I think that as an insurer, we’re fortunate to have a more open response to what we’re asking.

Juan: Perhaps now shifting gears towards how the underwriting workflow looks like? We’re talking about increased demand, and more data. You and I were talking about three levels of maturity of how cyber underwriting could look like. I think you made a fantastic framework. I would ask you to share that.

Roman: Sure. I didn’t invent anything, but if I can, I tend to recommend books. If you need to make automatic decisions anywhere, there’s a really good book called The Army of None, which describes the uses of AI in military application in the US military. The way they think about it is, there are basically three ways to make decisions that could involve a machine as part of that process. There is a human in the loop, meaning the human reviews and makes every decision. There is a human on the loop, in which a machine makes a decision, but there’s close monitoring of what that decision is and improvement of the decision process. There’s a human outside of the loop, in which a machine does everything and maybe someone checks in once in a long while. I think this is applicable to insurance because at insurance, traditionally, we’re used to one of two models. Either an underwriter looks and makes every decision, which is a human-in-the-loop situation, or there is a portfolio underwriting approach, and then we might review the results once every quarter or six months, which is a human outside-of-the-loop.

In our view, especially for cyber, you want to be in the middle. You want to have machines making decisions. We’re writing a lot of SMB risks. We’re seeing tens of thousands of submissions a month. We just can’t humanly process them with the team.

On the flip side, because the risk might be volatile, you also don’t want to have the machine run for weeks, making decisions with billions of dollars of exposure without any concrete oversight. This middle layer, I think, is what’s required to get comfort around and tools around to be able to actually run this automated flow for underwriting in cyber, but in other lines as well.

Juan: I think that framework is really useful because the human in the loop, the basic level you described, is very much where traditional insurers are. We’ve discussed this, Jay, many times, which is underwriters being swamped with a volume of submissions, having to go one by one, difficulties to find the good risk or difference from the bad risk.

The human on the loop, I think, is your model, Roman, At-Bay. I think that is an interesting framework to understand how underwriting flows evolve. You are a traditional insurer moving from human in the loop to human on the loop. How are you thinking about that?

Jay: For us, it really depends on the complexity of the risk. We think of ourselves as an underwriting company. Unlike the SMB portfolio that Roman’s describing, in the cyber space, both in the US and in London, we tend to operate in the mid to large account space. It’s more in the, let’s call it the human in the loop. We’re really focused on bringing best-in-class data and analytics, capabilities to identify the best and the worst risks as soon as possible for our underwriters. That includes bringing in external data like vulnerability scanning and things like that.

At the same time, even in that large account sector, we are seeing growing demand and higher volumes.

We’re still investing in automation technologies and other things to strip out manual processes.

Thirdly, just because the volumes of cyber that we write in Arch across all of our different entities, we’re a very large and complex organization, is the investment in the total risk management or portfolio management approach to understand our accumulations and our aggregations for cyber, just like we do for hurricane risk or any other kind of peril.

Juan: This is the point of view of many traditional insurers, is like, “We are an underwriting organisation. We want to check every risk.” Which is very fair, I think, in the large segment. Would you, Roman, challenge that? I think the simple stuff, fully automated, very large, absolutely, underwriters want to look at it, but I think there’s a huge mid-market.

Roman: Yes. Maybe challenge is a strong word here because it’s a question of where do you put the line. Where I think if you are more digitally native and you feel more comfortable with machines making decisions, you ask yourself, “Why do I have a human here? What value does a human add? Can I automate that?” In traditional insurance, you would try to have more eyes on larger exposures. I don’t think that that’s going to change, but there’s a question of, what does a human add that is important? The main difference, I would presume, is that I think that traditional carriers would put that line lower because they would be more worried. Versus someone like us would put that line higher because we would ask ourselves, “What does a human add? Do they add anything?” In many cases, you would say, “We’re going to go higher.”

I will tell you that we transact a lot with brokers, and I think you guys as well everywhere. There’s an element of negotiation and discussion and sales that goes into selling any insurance policy. Especially the larger ones, which I think are going to be very difficult to automate. Humans don’t like to negotiate with machines. They find that to be frustrating. You want a human answering when you’re asking questions. Besides very basic things that I think you can check, like when you choose a flight, choosing the time of flight, you don’t need a human. If you want to talk coverage, want to talk mitigating factors, there’s a threshold there that is not necessarily only about value add on risk, on underwriting. It’s about the go-to-market and the relationship, which I think is the real barrier to fully automating the whole stack.

Juan: I think that the way you summarise it, which I fully agree with, is ensuring the underwriting capacity or the humans are deployed where it makes a difference. I think also, Jay, you’re thinking about it that way, too, even in the mid or large, is you want an underwriter to make a final call, but how can you automate all the data collection, all the analysis of the submission?

Jay: We have a very similar view. For us, it depends on the complexity of the risk. The size of the account is sometimes a proxy for that, but obviously not a good measure. Also, how brokers or our partners want to access the business. That’s the ease of doing business piece of it. If customers want to access business digitally, which is zero-touch and through API or whatever, then that’s how we serve them. Whereas if customers want to have a broker experience, talking to an underwriter, they want to visit the client, all that kind of stuff, then that’s how we serve our clients, that way. We’re very comfortable with zero-touch underwriting. We do a billion dollars digitally via API, zero-touch, across Arch. Very unusual for a traditional insurer, but we are a very digitally mature company. We’ve leaned into digital.

Juan: Perhaps a question for you, Roman. In that model you described, or highly automated, still human on the loop sometimes, can you describe to us that underwriting workflow? From a submission coming in into At-Bay, what does it look like?

Roman: You can access At-Bay through email, through our platform, or through API, and the flow looks different. Let’s take the platform because that’s probably the most common flow. A broker would go in on the platform, they would answer a few questions, mostly the name of the business, revenue, industry, website, a few control questions, click a button, and get a response within about 20 – 25 seconds, with a few quote options. That’s a very highly automated process.

In the back end, we collect data from external sources. We run the machine and the machine can underwrite the account. If the account has issues, or red flags, it will be kicked out for a human review.

That’s a separate flow, but that’s the basic flow. The other thing we found, and by the way, to your comment earlier is, sometimes brokers want to access through email or through platform. We find that sometimes platform adoption requires a push, and once you’re pushed there, you are happier that you are in that space.

For us, pushing brokers to interact more with our platform was to introduce, for example, customisation, so they get a few options. If they want to change limits, retentions, add or reduce coverages, they can do that. Especially on the small risks, that is very, very valuable. That’s how the flow works in general.

Juan: How do you push brokers to use that platform? From a broker perspective, the broker doesn’t want to input the risk information to your platform and 10 others to get 10 quotes.

Roman: Oh, that’s a great question. We just closed the acquisition of a business called Relay back in August. Relay does exactly this. What we found is that brokers, to do their job, need to provide a few quotes. By design, if our platform only provides you with one quote, they need to go and enter the details on a bunch of other platforms and get a bunch of other quotes. Here’s what we call platform fatigue – you just get tired of doing the same thing over and over again. Whereas some business like Relay allows them to enter the information once, and then get quotes from a few markets, which is, in our view, the killer app.

I don’t know about you, but I don’t buy flights or hotels on the hotel chain website. I go to KAYAK. It’s exactly the same thing. The reason for that position is exactly this, we want to make sure that brokers have the best service, and will recognise that it doesn’t matter how good our own platform is, or how good the United website is, you will still go on KAYAK because you want to see other options. That’s the idea.

Juan: Perhaps one final question. Where do you see the industry in the next three, five years? How are you thinking about winning in that environment that you were describing earlier? A question for both of you.

Jay: For us, across Arch, it’s really about deciding how we access business and how we serve our clients in different ways. We write cyber in so many different parts. One way is through MGAs. We have a lot of MGA partnerships. Coalition, we’re just speaking for. They’ve been a really important partner for us over the last few years, and we’ve helped support their growth. There, it’s really about making sure that the companies that we partner with have the right tools and technologies to serve their customers and identify and underwrite risks in the right way in the cyber market. That’s been really useful for us in that SMB segment that Roman was talking about.

In that mid to large account space, where we’re serving our brokers, we have talented underwriting teams in both the US and UK. We’re growing those and investing in the tools that they need more in that human-in-the-loop space that Roman was describing a minute ago, and then in our reinsurance business. We reinsure lots of insurers and MGAs across Arch. Then, again, it’s really about assessing the capabilities that our cedents have and making sure they have the right tools and technologies.

The last thing we have to do is to make sure across the whole of Arch, that we’ve got a really good picture and understanding and a real Arch view of risk for cyber. We’re thinking about it in just the way we would any other peril. Just because it’s a relatively new and immature risk, it still gets the same attention.

Juan: And you, Roman?

Roman: Well, I’ll take a step back. I believe that cyber is the defining commercial risk of our time. I think that this is the number one worry for boards and CFOs, and has been for the last few years. In my view, there is no way this insurance line is going to grow significantly over the next two years. I would also venture to say that if you’re a primary carrier, and you’re not offering cyber as part of the bundle, you would be not relevant in– I don’t know, let’s throw a number out there, in five years. Because of that, the ability to underwrite cyber is incredibly important.

I also think that CAT is a bigger and bigger part of carriers’ exposures. As long as we’re not doing a good job of quantifying and managing CAT, since this risk is manageable in our view, so Active CAT Management is a thing, I think that not doing that will create a lot of volatility for carriers and for the reinsurers. I think that over time, that would be expected. Just like Nat Cat is something that there’s a lot of focus on, it’s modeled, there’s a lot of discussions, I think that cyber CAT is already top of mind.

I think there are going to be a lot more cyber purchases. I think this is going to be de-facto the main coverage that any business buys. I think there need to be more coverage. I think a lot of businesses are underinsured today, because of prices and because of limits. There’s no need to be evolution on that. I think that Active CAT Management is key to unlocking more capacity coming into the market.

Juan: Going back to your analogy with Nat Cat, right? I think we can learn so much from managing segregation. How do you do much more data-driven risk analysis? I think that’s why I found that analogy quite fascinating, too, because I think it helps to think through the evolution of the industry. The framework that you described the human-in-the-loop, on-the-loop, and out-of-the-loop, I think it’s good food for thought on how to approach cyber underwriting for different segments.