Putting a Price on Cyber Risk Pascal Millaire and Redefining Cyber Insurance

If you ask Pascal Millaire for his advice to fellow CEOs, he points to the importance of feedback from the board and leadership team. “They help you determine how to be effective today and in the future as the needs of the business change – and boy do they change,” he says. 

Millaire understands shifting business needs as only a startup founder can. Over the last nine years, he has built CyberCube from an idea into a global leader in risk analytics for cyber insurance. Looking back on a 20-plus year career, his unique perspective can be traced to formative experiences consulting, leading a software company, and innovating in the insurance industry.

Like most kids, Pascal Millaire didn’t grow up dreaming of insurance analytics. Raised in New Zealand, he was a bright and inquisitive student who, at 18, received a scholarship to study at the University of Cambridge in the United Kingdom.   

Upon graduation, he returned to New Zealand and launched his career as a management consultant for McKinsey & Company where he landed in the insurance industry by chance. “My staffing manager provided me with two options. The first was to take a seven-hour flight to Perth, Australia, hop on a small Cessna to fly to an airstrip, drive for two hours, and sleep on a mining manager’s couch,” Millaire recalls. “The second was to fly to Sydney and start working in financial services. I chose the latter.” 

Millaire was soon consulting with technology and insurance companies across the globe on actuarial pricing, product strategy, insurance risk management, M&A, broker compensation, cross-selling, and claims process redesign. In addition to gaining a 360-degree view of the insurance industry, he learned the value of culture in an organization. “At the core, McKinsey has a culture that attracts exceptional people who in turn create an exceptional institution,” Millaire says. “My time there taught me the importance of deliberately developing a strong organizational culture.”  

In 2013, Millaire left McKinsey and began consulting with hotel software company Fingi. Working closely with the company to develop new product offerings, his involvement grew until the CEO offered him the role of company President. Millaire accepted and was energized by the accelerated pace of change, quickly learning to make operational decisions. “That shift from advising, conversations, and PowerPoint presentations at McKinsey to my first year at Fingi was a fundamental change,” he recalls. “We grew our contracts tenfold, moved from one country to five continents, took outsourced development in-house, and completely turned the business upside down.” Overseeing a multi-million-dollar budget and facilitating business growth, Millaire was no longer making recommendations: he was getting things done and seeing them through.   

In 2015, Millaire was recruited by cybersecurity firm Symantec (now Symantec by Broadcom) to work on a unique opportunity. The company’s executives were placing a bet on the nascent cyber insurance industry. With a Fortune 500 company’s depth of data and expertise, Symantec believed it could make its claim in the market as digital transformations redefined business practices and introduced new cyber risks. 

Millaire’s background in the insurance industry and as a software business leader put him in a rare class with the right skillset for the job. He was brought on board to incubate a business within Symantec Ventures, the company’s in-house venture capital firm and startup accelerator. Millaire saw the chance to create something special. “We had an opportunity to create the go-to analytics provider, shape the future of insurance, and change how cybersecurity was thought of over the long term,” he says. “We already had an enormous head start in capital, data, and expertise to create models.”  

Millaire got to work on two major initiatives. The first was to evaluate Symantec’s consumer and business products to see if they could be bundled with insurance products. The second was to leverage Symantec’s data and expertise to solve core challenges in the cyber insurance industry – namely, pricing cyber risk.  

Tackling such an enormous problem was daunting but Millaire found grounding in a practical approach, insisting the company work with joint development partners in the insurance industry to develop solutions. “The worst thing we could have done was sit in a windowless room in Silicon Valley designing analytics products we thought the industry needed,” Millaire says. At the same time, he recruited insurance executives alongside cybersecurity and technology experts to round out the company’s expertise. 

As Millaire’s team began to build, they looked to historical data to see how new risks had been priced. “Insurers have a long history of taking small initial bets, building up claims histories, and developing products around that over time,” Millaire says. His team followed the same path, drawing analogies to known lines of insurance like fire to establish a baseline. In the early days, with few claims and limited incident data to work with, it was more of an art than a science and there was plenty of initial skepticism across the industry. The market reflected the sentiment, with under $1B in cyber insurance premiums globally. 

Over time, though, Milliare knew the company could develop more accurate modeling to provide critical value. He describes the company’s vision at the time. “At its core, we sought to put a price on cyber risk for brokers selling cyber insurance, for underwriters deciding whether a particular account will be profitable, and for portfolio managers to price reinsurance and insurance-linked securities contracts.”   

For two and a half years, Millaire led the company’s product development and industry partnerships. As the time to launch drew near, Symantec CEO Greg Clark (now Managing Partner at Crosspoint Capital Partners and CEO of network security company ExtraHop) recognized that the company would need to operate as a nimble startup to realize its potential. “It was very clear that the cyber insurance customer wasn’t the same as the Symantec customer – there is an inherent conflict in rating your customers for insurance purposes when you’re also selling them security,” Millaire says. The company would have to separate from Symantec to reach its goals. 

In March 2018, CyberCube launched as a standalone business with a $15M Series A funding round led by Forgepoint Capital (Trident Capital Cybersecurity at the time). Millaire saw the move as a chance to build deeper relationships with partners in the insurance industry. “We knew by bringing Forgepoint along as a partner that we would have access to cybersecurity, data companies, and expertise,” he reflects. “We could not be a move fast and break things startup – when you’re breaking things in insurance, you’re breaking the balance sheet of centuries-old insurers.”  

Millaire began to build a world-class board of directors filled with executives and industry leaders. With Forgepoint’s help, CyberCube recruited retired Admiral Mike Rogers, former head of the National Security Agency (NSA) and US Cyber Command, to the Board, among others. “We were serious about supporting our clients for the long term as a partner they could trust,” Millaire says.  

Those partnerships would be critical for CyberCube, which had a significant opportunity to innovate in a technologically-lagging space. Reinsurers were still making insurance decisions based only upon a company’s industry, revenue range, and geographic location – ignoring actual cyber risks. CyberCube was positioned to breathe new life into the industry. 

Millaire began planning for CyberCube’s next round of funding immediately after the Series A round. The company onboarded global leaders in insurance and reinsurance as clients, gaining access to more data to improve their analytical models. 

In November 2019, the company secured a $35M Series B funding round led by HSCM Bermuda and Forgepoint Capital, with the participation of MTech Capital and individuals from Stone Point Capital. The new funding would drive the company’s product development and expand its go-to-market efforts to regional and national institutions. Millaire reflects on CyberCube’s strategic goals at the time. “The Forgepoint investment had already given the cybersecurity expertise we needed to be successful,” he says. “At the same time, we were trying to create one of the most valuable institutions in the insurance industry. Having insurance-savvy investors to direct the company’s future and signal that long-term view was important.”  

Over the next three years, CyberCube would leverage its newly injected cyber and insurance DNA to become a market leader in quantifying cyber risk. The company developed a holistic platform with multiple products including Broking Manager, Portfolio Manager, Account Manager, and CyberConnect to serve brokers, portfolio managers, and underwriters.  

CyberCube also built relationships with the world’s largest insurance, reinsurance, and broking organizations to enable data-driven decisions. In 2022 alone, the company announced strategic partnerships with companies including QBE, Kroll, Duck Creek Technologies, Majesco, and Fermat Capital Management.  

In December 2022, CyberCube closed a $50M round from investment funds managed by Morgan Stanley Tactical Value, with the continued participation of Forgepoint Capital, HSCM Bermuda, MTech Capital, and key investors from Stone Point Capital. For Millaire, the additional funding supported a long-term play. “There had been some pretty big disruptions around valuations and we knew how important it was to have a long-term view to achieve our mission,” he says. Bringing on new capital partners signaled longevity and strength and allowed CyberCube to focus on product development and an accelerated go-to-market plan.  

The funding round also brought Scott Stephenson, former CEO of enterprise risk assessment firm Verisk, onto the board. Stephenson’s Verisk experience providing physical property analytics to the insurance industry was an invaluable addition, strengthening CyberCube’s reputation as a long-term partner. 

Today, global cyber insurance premiums have grown to over $11B and risk pricing accuracy has dramatically improved. Cyber is expected to become one of the largest lines of insurance in the multi-trillion-dollar property and casualty (P&C) insurance industry.  

CyberCube now works with over 100 clients, including 75% of the top 40 United States and European insurance carriers, as the world’s leading provider of cyber risk analytics for the insurance industry. The company is continuously making model improvements powered by claims data, client calibration, and machine learning. “We’ve reached a critical mass where our largest clients are paying out hundreds, if not thousands, of claims,” Millaire says. “We can use those claims, layering them with the frequency and severity of an event using traditional actuarial methods plus global cybersecurity data.” CyberCube’s analytics can now predict if a cybersecurity signal will increase risk by 2x, 10x, or 20x in a company. In 2022, CyberCube’s projected industry loss ratio was 3% off from the National Association of Insurance commissioner’s ratio; in 2023, it was within 1%. 

AI has also been transformative for CyberCube’s capabilities. The company has used machine learning to train its models for years and is now leveraging LLMs to extract data at scale, even testing generative AI integrations to help underwriters access information from CyberCube’s network to make quicker decisions. 

It’s a wave of dramatic changes over the six years since the company’s founding, when data was scarce and cyber risk seemed unpriceable. “The mindset today is more often that there’s too much data available in cyber – it’s hard to understand the data, access the data, and make sense of the data,” Millaire says. “A core part of what we do is take data and distill it into actionable insights.” 

Taking a forward-looking stance, Millaire and CyberCube have been tracking the amount of capital the cyber insurance industry needs to back cyber risks. “Today, too few companies buy policies and those that do typically don’t buy high enough limits,” Millaire says. “A single digit percentage of all cyber risk is covered by a cyber insurance policy.” Demand isn’t the issue as cyber risks grow. The supply of capital to back insurers is what’s coming up short.  

CyberCube is stepping up to help attract capital and strengthen the market. The company’s Portfolio Manager product was used to inform the first publicly tradable cyber insurance-linked securities in 2023; as of Q4 2024, cyber catastrophe bonds have provided $415M of new capital to the industry. “7.5% of all insurance-linked securities issued globally in that quarter were issued in cyberspace and CyberCube was the modeling agent for all of them,” Millaire says. “The market’s going to continue to grow.”  

In addition, CyberCube has led public-private industry conversations around how to insure against catastrophic risks which could bring costs exceeding the capital on insurer balance sheets. It’s a critical topic as threats from cyber warfare and cyber terrorism become more plausible. “The public and private sectors are starting to have thoughtful dialogue on whether there is a role for the federal government to provide a backstop and, critically, how we can ensure any federal government response leads to more private sector capital coming into the market, not less,” Millaire says. Most recently, CyberCube participated with the United States Treasury in investigating a federal government cyber reinsurance backstop.  

As Millaire reflects on the arc of the cyber insurance industry, he notes how analytics have changed the role of the insurer. Today, insurers can not only better price risk and underwrite policies but can also catalyze better risk management within organizations. “Insurance analytics cut through the noise around solutions and vendors by asking what matters with respect to ROI,” he says. “We have reached a point where cyber insurance analytics can teach the cybersecurity industry about what drives losses, the probability and severity of losses, and what we should be doing about it.” 

Despite changing market and risk dynamics, Millaire remains focused on CyberCube’s core mission. “Our goal is to deliver the world’s leading analytics to quantify cyber risk for the insurance industry,” he says. That’s what he will work to ensure as the company pushes into its next phase of growth.