Hello, and welcome to today's webinar, "Evolving Cyber Underwriting in the Digital World." My name is Michael Lin, Product Marketing Manager with Guidewire Cyence. Before we get started on the presentation, I would like to take a moment to walk through the webinar console. During the presentation, the audience will be muted, and please submit any questions you have using the Q&A chat function. Our speakers will leave time in the end to answer any questions you have. Next, I would like to introduce our speakers for today. We have Ian Bird, our Business Owner for Cyber Practices with Guidewire Cyence, and Ridhima Kale, Senior Product Manager for Cyber Risk Product Portfolio at Guidewire Cyence. Without further ado, I would like to pass on the presentation to Ridhima and Ian. Ridhima, the presentation is all yours.
Yes, thank you, Michael. Thank you, Michael, and thank you all for joining today. Before we actually get into the presentation, I'd like to understand the audience a little bit more, so we'll start right off with a poll question. How do you today analyze the cyber risk of a company? You should be seeing a window pop up with the option. Do you use an in-house model? Do you use a third-party vendor? Do you use a combination of A and B? Or maybe you do not rely on a model and you rely on underwriting judgment based on the submissions you receive? Or you currently don't play in the cyber market and you're trying to expand. Please submit your answers. We'll give everyone a few seconds, and then we'll look at the responses. All right, great. It sounds like most of our audience, they use an in-house model.
That's great. There's a lot of people that are aware of cyber risk and what the challenges are, so that's great. Ian, I'd like to ask you a question. If you were an underwriter in this ever-evolving digital world, what challenges do you foresee underwriting a risk?
Thank you, Ridhima. I think there are three things that I can think of, so as an underwriter, you might have a standard submission form, and perhaps that's aligned to something like the NIST framework or something that you built in-house, but how are you able to analyze and validate the responses you get on that submission form? So if you think about something like third-party service providers, by that I mean cloud service providers, content delivery networks, those kinds of things, does a submission response really cover all of those, or does it just respond with those supposed critical ones? What about things like patching cadence? How is that actually articulated? Is that just to gain those critical systems, or are they looking across all of their public-facing and internal systems?
When you consider companies that have many tens or even hundreds of subsidiaries, how do you actually get that context into a single submission form? And then when you start to think about behavioral risk, thinking about things like the insider threat, the likelihood of a rogue employee, how do you actually measure that? It's quite a lot to think about. And then if you actually take that a step further and say, "Well, okay, I have this information on that submission form. How do I take that and reach a conclusion about the probability of something like a data breach or a ransomware attack during the forthcoming policy period?" Add to that what the potential losses might be from underwriting that risk. Then thinking about it further. As a provider of cyber insurance, how do you actually promote that insurance product?
How do you articulate cyber risk aligned to your coverages on offer? Obviously, that's going to be key to the promotion of your proposition. Then you start to think about small and medium businesses. These typically have no IT staff to help navigate this particular risk, or maybe they consider that as someone else's problem. Ridhima, I'm going to hand it over to you to just set the agenda, and I'll get ready for the slide after that.
Thanks, Ian. All the challenges that you mentioned today are valid and some that we get asked about quite a bit. So, what we'll do today is walk through how Cyence is actually going to, how Cyence can help you risk select and validate the data that you're receiving in your submissions, how you can use Cyence to confidently price cyber risk, and more importantly, how can you raise cybersecurity awareness and promote your cyber insurance product. But before we get into the details, Ian, would you like to talk us through who Cyence is, how we came about, and what use cases we serve?
Sure, thank you. So, one of the advantages of the natural catastrophe modeling world is the breadth of authoritative data sources on which they rely. So, there are many tens, if not hundreds, of years of earthquake data, hurricane data that are available, meteorological data from the Met Office that you can actually start to build models around hurricane risk or earthquake or flood risk, et cetera. But cyber is very different to that, and up until recently, did not have such information available. And that's actually why we started Cyence back in 2014. So, we wanted to create the first Data Listening Engine for cyber. We wanted to build the first cyber risk modeling solution designed ground up to address the needs of the insurance industry and only the insurance industry. We gather both technical and non-technical data about companies and articulate that into a cyber risk model.
As we collect more and more data and the risk landscape evolves, we need to calibrate and refine those models to be relevant to this classification of risk. At a high level then, we use our data listening capability and cyber modeling expertise to provide this end-to-end economic cyber risk model for insurers and reinsurers. For underwriting, we support the ability to risk prospect, evaluating target companies based upon your risk appetite, for example. That could be revenue industry, also cut by something like a particular risk rating that you're looking at. We look at risk selection and risk assessment. We can use our risk factors that go across people, process, and technology to help you with that submission analysis, as we described in a couple of slides earlier.
The assessment helps with pricing or placement strategies, which in turn helps with your exposure management, where we can provide those in-app capabilities across portfolio analysis, aggregation analysis, scenario modeling with over 7,000 events, all available at a couple of clicks of a button, and then we have the ability to provide you with a full year-loss table that allows you to dive into those simulations and, if necessary, impose your own tail risk assumptions, for example. Ridhima, perhaps you could talk more about the data listening engine.
Of course. As Ian mentioned, due to the lack of the authoritative data sources for cyber risk, Cyence started collecting their own data. This was the birth of the data listening engine. In our data listening engine, we categorize the types of data we collect into three big categories that we have up on the slide today. The first one is what we call business attributes. This is really Cyence's database of companies of over 1 million companies globally, and it includes information including company revenue, employee count, what industries they operate in, what are their parent-child hierarchies in terms of subsidiaries, and most importantly, for cyber risk, what websites they have. The second category is what we call cyber attributes. There are hundreds of data points that Cyence collects in this category, and they span information including a company's email security, a company's patching cadence, outstanding vulnerabilities, et cetera.
We'll talk about these more in detail later, but these are the attributes that will serve as the predictors in the models that we build. To give you a quick and simple example, we would use something like email security to identify the likelihood that a company will face a ransomware attack. As most ransomware attacks have been caused by phishing attacks, this data point becomes extremely important. Last but not the least, we have data on incidents on various different types of events, including data breaches, cloud outages, ransomware, software zero-day vulnerabilities, distributed denial of service attacks, et cetera. We use these data points to power the Cyence cyber risk model. The Cyence cyber risk model outputs, again, can be categorized into three big categories. The first one is risk rating, risk factors, and model losses. So, we'll talk about risk ratings first.
Risk rating is a quantitative measure of a company's risk of having an incident over the next 12 months. It is a scale that ranges from 100 to 400. A higher risk rating means that there is a higher likelihood of an incident. Second, risk factors, they're curated risk insights that are derived from Cyence's data listening engine. Essentially, these insights can indicate a hacker's motivation to attack a company, along with a company's susceptibility to an attack. Motivation is a key factor in cyber risk where you have an active adversary on the other side. Also, within risk factors, what's important is that Cyence actually maps a company's digital network by identifying single points of failure, also known as accumulation paths or digital fault lines.
These are things like cloud service providers or common software that companies might be using, and we'll talk about why that becomes important in the next few slides. Last but not least, Cyence translates the risk in the form of potential losses that span different coverage parts that an insurer might be offering on their product, including first-party data breach, business interruption, liability, et cetera. We'll get into the detail of each. We'll start first with risk rating. As I mentioned, risk rating is on a numerical scale from 100 to 400 and is based on the predicted probability of a company having an incident over the next 12 months. Here, we see a risk rating of 348, for example, means that there is an approximately 11% chance that a company will have an incident in the following 12 months.
This prediction is a result of a model that Cyence has built using the data that we have collected using our data listening engine and the corresponding incidents that we have collected. An important note about the risk rating is that Cyence updates the risk ratings every month. And the reason that's important is because cyber risk evolves rapidly, and updating the risk rating actually provides you the most up-to-date view of risk. The measure is also forward-looking, which means every month the risk rating is updated to provide the risk of the following 12 months. Given that we now understand what risk rating is, let's understand how it's helpful for an insurer. There are two main ways that risk rating can help. First, in risk selection, it can provide a way for you to identify risks you would like to write or you would like to further review.
Say, for example, at renewal, you want to reduce the amount of time you're spending reviewing each account. Risk rating can help you identify those riskiest accounts where you should spend the most amount of time. Another example is you can use risk ratings in your pricing models. You can develop pricing factors based on how certain industry or revenue segments might be performing, and maybe those sectors that are performing the worst can get a pricing factor adjustment, for example. Before we go on to risk factors, let's pause and take another question for the audience. What are the biggest challenges in selling cyber insurance from your standpoint? Is it, A, lack of knowledge regarding the threat landscape or people responding, "I don't need it"? B, lack of understanding one's own risk or "it won't happen to me"?
C, "I don't really know what cyber insurance covers," so more around the knowledge of the insurance product itself? Or D, all of the above? Please submit your answers. Okay, yep. Okay, as I expected, most of our audience, or I guess all of our audience members, have responded with all of those challenges. So, what we'll do in the next few slides is actually walk through how Cyence can help you promote cyber awareness, cybersecurity awareness, and promote your product. Ian, would you like to walk us through how our audience members can do that using the risk factors that Cyence has?
Yeah, absolutely. So, we've already seen this slide. I mean, effectively, we listen to data about companies across the public internet. We curate this into insights about how motivated an attacker might be to perform some sort of hack on a business. How susceptible then might a business be to such an attack? And look for the digital fault lines that exist in common accumulation paths. So, we create this into a set of robust behavioral and technical risk factors from this data listening engine that provide you, the underwriter, with a view of what is happening in terms of cyber risk for a business. So, you can see that we have some 47 risk factors around behavioral and technical insights, but we also have those accumulation pieces as well. So, cyber is something that is individually focused as well as aggregative.
So, you can have a targeted attack on a single business, but you can also have something like a cloud service provider downtime that means that a number of businesses in your portfolio are affected by that. And these are those digital fault lines. If you think about all of those risk factors that we push forward into our app, you can use those to actually provide a health check to promote cyber risk awareness with the end user, in short. Because we collect data on something like a million-plus companies, it is also easy for us to identify how a company is performing against their peers. This can provide a valuable peer benchmarking to the company that you're trying to insure and also to you as an underwriter.
And when you're looking at those promotional activities as well, you can actually drill into particular risk factors that can mean something quite specific. So, let's think about something like email security, and maybe that's something you're concerned about. Leaving a company exposed to spoofed emails, that could actually result in a ransomware or other type of fraud or cyber attack. So, when we're talking about email security and how well that is configured or otherwise, we're actually checking this using something like the DMARC or the SPF standards to figure out how well configured those systems are. And this can provide you with critical insight into how well that business is managing their email service, for example, and therefore how well protected they might be. There's no such thing perhaps as 100% protection, but by something like those risk attributes like ransomware that I discussed earlier.
You could use that in a health check report to describe how you might talk to your email service provider if you're a small and medium business about setting up DMARC or SPF, or as an underwriter, help direct your questioning when looking through that submission as to how well that email security is set up. Then we can look at things like patching cadence. So, out-of-date software in any associated network with a business allows vulnerabilities to be exploited by bad actors. So, once again, we have a risk factor that describes patching cadence, and it allows you to see from an outside-in perspective what their behavior is in terms of how well they're keeping that software up to date. This is really useful in terms of evaluating those responses on the submission, as we discussed earlier.
But again, you can use this as a promotional capability, either directed or across a peer group, to describe what that risk landscape looks like and why it's important to have patching, especially on publicly facing assets, up to date. And then for small and medium enterprises, we've actually developed this a stage further where we can have an on-demand data listening capability to assess one of these small and medium businesses' cyber risk. This can be API-driven and integrated into your online portal for an assessment that returns inside of two minutes a set of risk factors, a risk rating, and a peer comparison, allowing you to digitally underwrite those risks with Cyence inside and indeed to provide those capabilities such as health checks and others that we've just described inside of those last few slides.
Ridhima, how do we model Cyence's losses, and how can underwriters use these in their processes?
Sure. So, as I mentioned before, Cyence models events that happen for different reasons, right? Data breaches, cloud providers, ransomware, etc. And then we map those events to different types of coverage parts that the insurers may be providing. So, from a bird's-eye perspective, there are a few different events that Cyence models, and they're categorized into individual events and accumulation events. Individual events are those where a single company is impacted given an attack, for example, Target having a data breach or Marriott having a data breach. Accumulation events are those where multiple companies might be impacted given an event. For example, if Amazon AWS were to go down, how many companies would potentially suffer from business interruption? So, there are six big categories of events as we see up on the slide, including data breaches, DDoS, service provider outages, software zero-day vulnerabilities, payment processor outages, and ransomware.
Cyence has a probabilistic model that would go through each event type and essentially calculate the estimated loss for each and then map it to the coverage parts that may be triggered. In addition to Cyence's estimate for average annual loss, we also estimate losses for different return periods, and what I mean by that is you would be able to make projections like there is a, let's say, 2% chance that a company or a portfolio of companies will have a loss greater than X dollars. In addition to providing ground-up losses, Cyence also helps underwriters apply insurance policy structures, including retention limits, waiting periods, attachment points, to get a view of insured losses and also to identify where on the insurance tower would be the most optimal place for an underwriter to play and the corresponding price associated with that.
Of course, there's a lot of detail associated with each of the models that we build, and we invite the folks on the call to contact us if they would like to get further detail. Those were the prepared remarks that we had for today. We'd like to open it up for Q&A. Michael? Okay, let's move on to the next slide that Michael might be having some sound difficulties. We actually have a few questions, a few frequently asked questions that we've received from our clients that we would like to discuss today. The first one that we received, and I'd like to direct that to you, is how does Cyence collect this data?
Thanks, Ridhima. Yeah, this is definitely one of the most common questions that we get asked, so look, I'm going to read this slide out effectively, but we have a set of proprietary collection, open-source data sources and third-party providers that we go to to collect this data. It's quite frankly astonishing how, in many ways, easy it is to collect this data in terms of being able to connect to these systems and find out what they are. It's far more complex to actually pull that together and make a model, of course, but that's why we built Cyence. We recognize that this capability was there, right, but we do this from a non-intrusive perspective. So if you think about it, we're doing no more than shaking hands with a system. Any company's internet-facing systems that are outside their firewall, we are doing that.
Our methods effectively mimic the reconnaissance that a hacking group would conduct when investigating targets. If any of you on the line are familiar with the Certified Ethical Hacker route and you look at that reconnaissance phase where you're going out there and looking at that particular target, where you're looking at the company structure, perhaps the websites, the subdomains that it owns, societal footprints, those kind of pieces, that's what we're doing. We're doing that entirely from an outside-in perspective and entirely inside of the law. Another one we get asked quite a lot is how Cyence is used by its customers.
I think this presentation has been scattered in a roundabout way we've discussed this, but one of the key things is taking those risk ratings, the risk factors, things like the peer comparisons, and take that as a combination, pulling that into an underwriting guideline or pricing model to determine the pieces that Ridhima was talking about, whether you might write or decline a piece of business, or whether you actually refer that to your teams from the enterprise risk management to determine whether you should actually move forward with that risk or not. Things like portfolio loss benchmarking. Let's have a look at what revenue and industry segments are underperforming or perhaps those that are overperforming, and maybe that's something that could actually set our appetite to look at new prospecting routes. This ultimately builds into defining tiering strategies.
What are those high-risk accounts that are coming up for renewal? What are the ones that actually could potentially burn our books? And that could be just because of over-reliance on one particular service provider, or it could be something like underperformance in terms of their patching cadence in relation to their peer group. And Ridhima, I think there's one question that we often get about how we validate this model. Maybe you should take this.
Yes, of course. This is a question again that we get asked quite often. So, one way Cyence validates their model is by identifying whether the risk rating, which is one of the model outputs, is successful in segmenting risks. So, what you see on the slide is the distribution of companies based on the Cyence risk rating, which you see on the x-axis, and this distribution is broken down by companies that have had incidents and that have not had incidents. So, companies that have not had incidents are in blue, and the companies that have had incidents are in orange. And what we see in the slide is that risk rating is actually successful in segmenting those companies appropriately. Companies that have higher risk ratings are more likely to have incidents.
And so, this is just one way that we validate some of the risk ratings, some of the outputs of the model, and how they perform. What we'll do now is we'll open it up for a live Q&A. And Michael, if you're back on and you can moderate the questions.
Yes, we are now open for Q&A from the audience. The first question that we have is about around silent cyber. So, silent cyber has been a term that comes up in recent years. Can you talk a little about silent cyber and how does Cyence help with assessing the risk?
Yes, I can take that question. Silent cyber, the way Cyence has been approaching the problem of silent cyber is by a simulation, sorry, a scenario-based approach. So, what we have done is we have identified specific scenarios that are most impactful to specific lines of businesses, say property lines of business, and we've developed scenarios that can be run in an Excel worksheet. So, essentially, the input data that we're looking for would be around your exposure, so how many property policies you might have. We do ask that people have an understanding of their property form status in terms of, does it explicitly exclude cyber as a peril, or it's vague and the language may not stand up?
So, those are the kinds of inputs that we look for, but we have developed a few scenarios, one of them being a power outage scenario, which is an extension of Deloitte's Business Blackout, but we have developed our own assumptions and modified that scenario. And the second one is a ransomware scenario. So, what if a mass ransomware attack were to happen and people were to claim, or companies were to claim business interruption on their property policies? So, those are the two main scenarios that we've developed, and we're planning to work on our third one, which is a power outage for potentially another part of the world other than the United States.
Great. Okay, so question number two is, the cyber threat landscape is always changing as well as the criminal behaviors. So, how does the application effectively reflect that evolving change in the market?
Yeah, I think that we covered a lot of that in those earlier slides, although, of course, we were giving a very high-level view. But one of the core principles when we founded Cyence was that we wanted to have a set of cyber expertise inside of the business as well as modeling expertise in data scientists. And one of the core pieces that we do is we keep a very close eye on how that cyber landscape is evolving. So, we are currently on our fourth iteration of the model. So, if you think from our inception in 2014, we are now on that fourth version of that. And a lot of that is to do with exactly what you've just said, that evolving landscape that we see there. So, in 2014, the big news was data breach. So, that's where we focused our efforts.
But in recent years, ransomware is becoming more and more to the fore. So, there is still plenty of data breach activity going on there. The frequency might have decreased, but the severity in many cases has increased. In terms of ransomware, we've definitely seen the frequency increase. And so, we have that combination of modeling expertise, the data we gather, and the cyber expertise coming together to actually refine and recalibrate those models to make sure that it's purposeful when underwriters are coming to write that next phase of business. Ridhima, is there anything you wanted to add to that?
Yeah, just one more thing to add to that would be going back to the point about Cyence updating their risk ratings monthly. So, even though we're on our fourth iteration of our model, we do update the risk ratings and the model losses monthly. So, we take in data, updated data every month for over a million companies globally, and we're rerunning the model. So, the purpose, again, of that is to provide the most updated view of risk.
Awesome. Thank you, Ridhima and Ian. So, the next question is, have you seen any usage outside insurance, such as in financial and other industries?
Yeah, absolutely. So, certainly, credit risk is another area that we can apply this cyber profiling to, right? So, if you look at the work we do with S&P, for example, and the 360 report that we do there, that is effectively taking this data we have there and helping inform that as to how likely a business is going to be, or how likely a business is going to suffer an event, but what the impact of that event is going to be on the business as well. But then we can also look at things like credit risk for banking. So, we can look at, when you think about a business that's looking for a $50 million loan, for example. So, yes, there are going to be a whole series of questions that are going to be asked about that business.
But working with some of the larger institutions in the banking world, we've actually become a key part of that questioning set in terms of being able, A, to provide some insights for credit analysts to look at the cyber risk of that business that they're going to underwrite, but secondly, to provide the end loanee, the information about what their cyber hygiene looks like from the outside in. And it's not something that's necessarily yet being used to price out loans or to do anything to inform losses given default or something similar to that, but we'd like to see that as we build that capability out in the financial services world, banking with S&P, et cetera, then that's something we're definitely going to focus on more.
Okay, thank you. So, the last question is about the poll, the first poll question that we had. So, based on the poll result, we see that many insurers in the space develop their own in-house models for cyber risk, for assessing cyber risk. So, the question is around, is the Cyence application customizable to integrate, to curate all the risk factors with the in-house model?
Cyence is customizable from the standpoint that we provide our actuarial loss tables, which is basically our Monte Carlo simulations, our entire Cyence output, which our customers have found extremely useful and valuable in actually building into their own models. They take insights from the Cyence's model and credibility weighted against their own experience to build their own pricing models internally. That's one of the best ways users have taken Cyence's input and included it into their own risk insights.
Awesome. Okay, I believe that's all the questions that we have from the audience. And if any of you would like to learn more about the product, we have a bunch of resources, a bunch of assets for you to acquire more information. And we'll send out all these assets in our follow-up emails. A couple that I would like to recommend is hearing from the customers to talk about how they use Cyence application. Customers such as AXA XL and Marsh will be a great reference point. And if you'd like to learn more about Cyence and really witness the functionalities and capabilities in real time, feel free to request a Cyence Risk Analytics product demo by contacting Charles Clark. He is our VP in Analytics and Data Services at Guidewire Cyence. And this concludes our presentations for today.
I would like to thank everybody who participated, and thank you, Ridhima and Ian for the outstanding job on the webinar. Thank you.
Thank you. Thanks everyone.