By James Thaler

Feb 19 - (The Insurer) - A catastrophic cyber event is “definitely coming”, according to Cyberwrite CEO Nir Perry, who said the ongoing soft market in the segment may highlight growing complacency around the risk.

Perry launched Cyberwrite in 2017 after previously serving in consulting roles with Accenture, PwC, and Deloitte. He spoke to The Insurer TV at last week’s NetDiligence Cyber Risk Summit in Miami Beach.

He said the company was founded after seeing “a great need” to help the whole cyber (re)insurance ecosystem to better understand the exposure and to model it.

“We definitely see the potential for a cyber catastrophe, which would have a vast impact across the industry and will change the way everybody at this conference and any other cyber insurance conference is conducting business,” Perry commented.

“It could happen tomorrow morning, and it could happen a few years from now, but it's definitely coming,” he continued.

“And everybody should be concerned, because currently we're in a soft market where everybody's feeling very comfortable to underwrite and the prices are going down,” he added.

“But the softer the market is, the more accumulation in the book, and it's growing and growing and growing,” Perry explained.

The cyber executive said that without strong modeling, firms might not fully grasp the extent of their exposure and that the industry needs to be better prepared.

Vendor outage impacting SMEs could be much worse than CrowdStrike

He noted that the CrowdStrike outage largely affected bigger firms with more sophisticated IT capabilities, where the downtime was measured in only a matter of hours for many, but that an event affecting SMEs could be much more substantial.

“It could crumble the whole economy. This is something that should be on the mind of every CEO and every head of cyber insurance in any insurance company, whether it's (in Miami) or in London or in Tokyo,” Perry commented.

“And obviously, this should not prevent the market from growing, but the insurance companies should definitely have the proper models in place to make sure that they have the right visibility into the risk,” he continued.

Similar to CrowdStrike, Perry said that a major catastrophic cyber event could be driven by a non-malicious act, like a vendor outage.

“With CrowdStrike it was just for large organisations, but now it could be for smaller organisations,” he noted.

He also said that a major outage could be caused by a malicious event, where threat actors mistakenly deploy ransomware software at a much larger scale than intended.

“It could all impact the industry quite a lot, and some insurance companies are going to have a very big accumulation of risk on their books,” he commented, adding that such an event could push the cyber segment into a hard market.

Models based on old assumptions are outdated

Perry was reluctant to criticise other cyber modelling firms, but said it was imperative that cyber cat models stay up to date with evolutions in technology and exposure and the increasing amount of data available.

“If they don't have additional models based on what they've been believing in the last five to ten years, then, really, they might be in a point of view that might be wrong,” he said.

The CEO said that the firm’s models calculate exposures both at the individual risk level as well as in the aggregate.

“We have more than 99.9 percent success. And we collect the data, and we compare in real-time, using machine learning, quantitative AI, the risk of this company compared to about half a million other companies,” he explained.

Those comparisons involve identifying the security postures of companies that have experienced a breach or cyber incident.

Cyberwrite initially started to build its models around SMEs, which make up the majority of companies buying cyber insurance.

“So tailoring a machine learning model that translates into a score for businesses is giving our customers anywhere from HSB, from the Munich Re Group, Markel and Howden and many others, the ability to actually trust our models,” he commented.

“We have an open discussion with them about how the models work. We're not hiding it. It's not a black box,” he added, noting that the company also counts wholesaler CRC Group and US regional insurer Cincinnati Financial among its clients.

“We have a team of experts explaining exactly how the model works. And many of our customers are actually integrating our reporting system into their policy admin system so that they can get the reporting and the scores in real time,” Perry said.