MGA Intangic is in its second year, backed by AXA XL, and provides a pre-emptive approach to underwriting cyber risks.
The cyber insurance market faces significant challenges that underwriters are failing to address, creating demand for a different approach to the risks involved, according to Ryan Dodd, founder and CEO of Intangic.
The cyber market has been soft or at best flat at present, he noted, despite business interruption events, the CrowdStrike outage, “record setting losses and increasing frequencies of ransomware”.
Customers are most concerned by high frequency cyber losses that are taking place, rather than cyber catastrophe risk, he suggested – the nickels and dimes – that, when taken together, represent a growing cost and resources drain on commercial organisations.
Part of the problem is a lack of demand for the cyber product, he suggested.
“There’s a lot of hand wringing in the cyber insurance and reinsurance market about catastrophic risk, but the reality is, there’s just not enough insurance being sold,” Ryan (pictured) said.
Dodd was speaking with GR at the Rendez-Vous de Septembre (RVS 2024) in Monte Carlo.
“Typical insurance is underpriced,” he warned. “The frequency of events is significantly greater than the current price would suggest. So that’s the first problem. The second problem is that if you look at the market dynamics, quite simply, on any metric you look at, not enough insurance being sold.”
The recent CrowdStrike outage caught many large firms, reliant on cloud services, off-guard, he suggested.
“CrowdStrike is shedding light on the enormous levels of risk that companies are inadvertently retaining, right? Speaking with large companies, they didn’t really take into account the level of risk they are retaining,” said Dodd.
“The downside risk to digital transformation is BI and being open to cyber-attacks. Compared to something like fire insurance, cyber is three times or five times more likely to happen, and it’s about 100 times more costly than the average event. And yet the fire insurance market is about $80bn in premium, and the cyber at best is $15bn, despite more frequent and costly events,” he added.
Monitoring attackers
Dodd described his managing general agent (MGA), which is backed with capacity from insurer AXA XL,”primarily as a data science platform” working with large organisations on how to best approach their primary and excess cyber insurance strategy.
“My view is that the reinsurance market, as well as the primary market, is not going to experience any major changes until there is a product suite that is more fit for purpose to the customer, and that does not necessarily involve more traditional insurance,” Dodd said.
He said his MGA believes in first breaking down the problem into different pieces to find solutions.
“The way to grow the reinsurance market is cyber is not to expect that there is going to be provide more capacity, like, it’s just not going to magically happen. There needs to be a ton more work done that breaks down cyber risk into multiple problems.”
This starts with a pre-emptive element that can provide firms with the intelligence to prepare for and perhaps stop an attack happening before it can take place, he suggested.
“What can we see that the customer can’t? Because in the large company arena, we have to be able to provide a company with a solution or risk tool that they don’t already have, and when you’re talking to FTSE-100 firms, they’ve usually got every tool,” Dodd said.
“We believe that there’s not enough emphasis at all on the actual peril, which is human beings attacking you. What we bring that no one else brings is we’re going to give you a view of what the attacker is doing, at a scale that you can’t currently see,” he continued.
This, in Intangic’s case, is the data science and ‘secret sauce’ intelligence behind the MGA.
Understandably, Dodd was reluctant to give details of this away to passing journalists at RVS 2024, but he revealed it involves “monitoring the way attackers communicate”.
“We’re giving the customer a unique view, and we can provide that data to an underwriting team as well,” he added.
CrowdStrike lessons
The economic loss of an event like the CrowdStrike outage, which occurred in July 2024, is likely to remain illusive, according to Dodd, who offered the following advice.
- Boards and C-suites are now asking if the company is doing enough to mitigate losses of a business interruption (BI) event like CrowdStrike. On the question of ‘losses’ – there is an important distinction. The question the market is asking is about potential insurable losses.
- But the question increasingly on the minds of boards, C-suites, and shareholders is now different. For them, the CrowdStrike outage raises the question of how to better understand and measure total economic loss due to technology risk, not just insurable loss.
- Most large organisations today use hundreds of technology vendors. The interdependences of each of these IT suppliers amounts to one massive digital Jenga tower. Contrary to a lot of the market commentary about loss mitigation and resilience in the wake of this outage, there is not yet an accepted framework to measure the economic loss question, much less predict the likelihood of an outage-induced BI event.
- As a result, the market today is not equipped to price the risk of corporations’ interdependent Jenga towers. The way cyber risk has been modelled by the market simply has not kept up with the speed and complexity of digital transformation. For Crowdstrike, we’ll never know the actual total economic loss.
No comments yet