Breaking into the SMB Cyber Insurance Market
January 29, 2023
During my time at Cyence, there were a lot of opportunities in the emerging cyber insurance market, but it was hard to understand exactly where to slot in as an insurance provider.
There were a few big deals each year: Google, AWS, Apple, etc. Each of these giants asked for a tower of coverage (different providers covering different tranches of risk up the stack), and it essentially came down to whether you had the risk appetite to underwrite these major names in data breach and service provider interruption. If so, you'd write at any market price, either making a lot of money if no breaches occurred or losing heavily if a breach or cloud service outage happened. Analysis wasn't likely to change your mind.
This created challenges for Cyence. Our business focused on providing useful data and models to help with company analysis during insurance underwriting. However, there was a clear mismatch between our service and insurance carrier behavior in the upper market segment.
The market for SMBs presented another interesting challenge. Insurance providers would bring us small businesses like John's Tax Services in Des Moines, IA or Mary's Plumbing Services in Akron, OH for cybersecurity risk evaluation. These companies usually had limited risk, typically operating one server or a website on AWS or Azure, and were willing to pay for cyber insurance. They wouldn't pay much but were unlikely to face breaches or downtime, so they offered a modest profit.
The problem was that for each SMB, we had to conduct extensive data gathering to accurately assess their risk, often involving weeks of back-and-forth communication. Insurance companies weren't particularly interested in individual SMBs since each deal would yield only around $1,000 in premiums, making the effort disproportionate to the payoff.
My role involved finding a way to help insurance providers write deals for thousands of SMBs while minimizing significant tail risks that could be disastrous. They wanted to collect premiums, perhaps pay out a claim or two, and maintain stability.
The initial idea proposed was to create a few "representative" portfolios for different industries and match uploaded portfolios to the closest representative based on their composition. However, this approach felt flawed if the portfolio had mixed industries, so I brainstormed a new solution.
We had data on many SMBs in general but not always the specific ones our clients were interested in. Thus, I proposed offering carriers an estimate of what a larger book of SMBs would look like. Could we sample from our data pool to generate "synthetic" companies resembling real businesses and analyze how a book of 1,000 or 10,000 such companies would behave together?
The tricky part was ensuring accurate sampling. Our risk models were based on service providers, software usage, open ports, and industries, all of which were interrelated. We needed a way to properly reflect the correlations to assess tail risk accurately. Misjudging correlations (e.g., assuming Azure and Outlook usage were independent) could significantly understate tail risk.
I devised a system using Gaussian copulas to build a correlated distribution from our data, which allowed us to generate more realistic risk portfolios. This was back in 2018/2019, requiring modification of R libraries, Python wrappers, and further integration into production.
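To make the correlation point concrete, here is an added example (not the original Cyence code) that samples synthetic companies through a Gaussian copula and counts how many are exposed to both Azure and Outlook, compared with sampling the same marginals independently. The attribute names, marginal rates, and correlation matrix are constructed for illustration.

```python
import math
import random
from statistics import NormalDist

# Constructed marginals and copula correlations (illustrative, not real data).
ATTRS = ["azure", "outlook", "open_rdp"]
MARGINALS = [0.30, 0.40, 0.10]
CORR = [[1.0, 0.8, 0.2],
        [0.8, 1.0, 0.1],
        [0.2, 0.1, 1.0]]

def cholesky(m):
    """Lower-triangular L with L * L^T == m (m must be positive definite)."""
    n = len(m)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = math.sqrt(m[i][i] - s) if i == j else (m[i][j] - s) / L[j][j]
    return L

def sample_book(n, corr, rng):
    """Draw n synthetic companies as dicts of binary attributes."""
    L = cholesky(corr)
    # Thresholds on the latent normal scale: attribute present when z < Phi^-1(p).
    cuts = [NormalDist().inv_cdf(p) for p in MARGINALS]
    book = []
    for _ in range(n):
        eps = [rng.gauss(0, 1) for _ in ATTRS]
        z = [sum(L[i][k] * eps[k] for k in range(i + 1)) for i in range(len(ATTRS))]
        book.append({a: z[i] < cuts[i] for i, a in enumerate(ATTRS)})
    return book

def joint_exposure(book):
    """Companies hit by a single event affecting both Azure and Outlook."""
    return sum(c["azure"] and c["outlook"] for c in book)

def compare(n=10_000, seed=7):
    """Return (copula count, independent count) of jointly exposed companies."""
    rng = random.Random(seed)
    identity = [[float(i == j) for j in range(3)] for i in range(3)]
    correlated = joint_exposure(sample_book(n, CORR, rng))
    independent = joint_exposure(sample_book(n, identity, rng))
    return correlated, independent

if __name__ == "__main__":
    c, i = compare()
    print(f"jointly exposed, copula: {c}  independent: {i}")
```

Both books have the same share of Azure and Outlook users; only the overlap changes, which is the quantity an event affecting both services would hit.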
The system worked well but was initially slow. We generated new companies on the fly each time a client uploaded a portfolio, causing severe delays for large portfolios. We solved this by adopting a hybrid system using pre-generated companies and generating synthetic ones as needed, reducing processing time from days to hours.
This significantly improved SMB portfolio onboarding, reducing the effort from weeks/months of data collection to mere hours of sampling synthetic companies.
Our customers could upsell existing clients on cyber insurance while accurately assessing the risks of potential business books. This opened up significant revenue streams and made entering the SMB market feasible.
This was a challenging project since using Gaussian copulas for this purpose was largely unexplored in 2018. I was early in my career and overly ambitious, needing considerable back-and-forth with product teams to advocate for this approach over simpler methods. Ultimately, it was worth the effort.