Episode No. 11

Quantifying Cyber Risk with Pascal Millaire   

CEO of CyberCube
Modern companies collect, generate, and access massive amounts of data. The challenge is finding meaning amidst the noise to derive actionable insights.   That’s exactly what Pascal Millaire and CyberCube are doing for the cyber insurance market. In this episode, Forgepoint Capital Co-Founder and Managing Director Don Dixon sits down with Pascal to discuss his early career as a McKinsey consultant, CyberCube’s incubation within Symantec, building analytical models to predict loss and price cyber risk, cyber risks from terrorism and war, the symbiotic relationship between insurance and cybersecurity, and more.
Listen or watch

Pascal Millaire brings 20 years of insurance, technology, and cybersecurity experiencerole as CEO of CyberCube. Today, the company plays a pivotal role as the leading analytics provider in cyber insurance, a rapidly growing industry on a pathway to reaching over half a trillion in coverage in the years ahead.

Pascal has unparalleled insights into the state of insurance and cybersecurity. He envisions a future with greater synergies across industries. You won’t want to miss his perspective on pairing actuarial approaches with cybersecurity and technology, developing market-leading products, cyber insurance supply and demand dynamics, and cultivating sustainable company growth.  

“Cyber insurance analytics could transform the future of the cybersecurity industry. Cybersecurity could not do a lot more to focus on the ROI of controls. Enterprises have dozens of solutions and are looking at hundreds of venders. Insurance analytics cuts through a lot of the noise and asks what matters with respect to financial impact.”

Pascal Millaire

About Pascal Millaire

Pascal Millaire is the CEO of CyberCube, a cyber risk analytics platform that provides data and analytic tools to quantify cyber risk for the insurance industry. He brings 20 years of cyber risk analytics and cyber insurance experience to his role helping the company pave the future of cybersecurity with reliable data and insights. 

Established under Pascal’s leadership in 2015 within Symantec, CyberCube is now a standalone, venture-backed business that works with over 100 clients including 75% of the top 40 US and European cyber insurance carriers. Since 2018, the company has raised over $100m of capital from investors that include Morgan Stanley Tactical Value, Forgepoint Capital, HSCM Bermuda, MTech Capital, individuals from Stone Point Capital, and Scott G. Stephenson, Founder of SGS Capital and former Chairman, President and CEO of Verisk Analytics.  

Previously, Pascal was the president of a hotel software company and a consultant at McKinsey & Company where he worked with companies in the insurance industry on actuarial pricing, product strategy, claims process redesign, insurance risk management, and more.  

Pascal holds a bachelor’s degree from the University of Cambridge and an MBA from the Stanford Graduate School of Business.

Episode Highlights

0:24 Introduction 

2:23 Using Analytical Modeling to Price Cyber Risk 

5:47 Incubating CyberCube 

7:52 Combining Cybersecurity and Insurance Data to Quantify Cyber Risk 

10:21 Building a Respected Board, Cultivating Partnerships, and Raising Capital 

16:44 Pascal’s Early Career as a McKinsey Consultant 

20:01 Navigating the Transition from Advising to Decision Making 

24:06 Joining Symantec and Creating a New Model to Predict Loss 

29:31 The Maturing Cyber Insurance Industry and Evolving Threat Landscape 

33:23 AI and Generative AI at CyberCube 

35:43 Attracting Capital and Government Collaboration to Support Cyber Insurance Demand 

41:09 Cyber Insurance and Acts of War and Terrorism 

44:11 Advice to CEOs 

46:22 The Future of Insurance Analytics in Cybersecurity 

Transcript

0:24 Introduction 

Don Dixon [DD] 

Welcome to the Forgecast. I’m your host Don Dixon and I’m pleased to have with me today, Pascal Millaire, the CEO of CyberCube. Pascal is the founder of CyberCube and over a decade has built the business into the number one provider of analytics modeling in the cyber insurance industry. Let me back up and set the stage.  

This is a huge idea and a big opportunity for CyberCube. Global losses from cybercrime are over 10 trillion dollars a year. The way companies can insure against that loss- not unlike how homeowners insure against the loss of their home due to fire- is to buy insurance. They buy cyber insurance to protect against cybercrime and cover losses that occur from cybercrime. When Pascal started this business, premiums- that is, the amount of money companies pay for cyber insurance- were less than a billion dollars a year. Now, ten years later, they’re over eleven billion a year, over a ten-time increase. Pascal’s company CyberCube, that I am fortunate to be on the board of and an investor in, has positioned itself to be the number one provider at the key chokepoint in this industry, providing insurance companies with analytical modeling to determine how much to charge so that over the long term, they can make money. 

2:23 Using Analytical Modeling to Price Cyber Risk 

 
DD 

We are going to spend today talking to Pascal about his company CyberCube. After we give you an idea of what the company does and why it is successful, I would like to turn back the clock and ask Pascal about his career as an executive from when he started out in New Zealand all the way to now living in San Francisco.  

Pascal, welcome! Why don’t you tell me about CyberCube- what it does, how it works, and what value it provides to your customers. 

Pascal Millaire [PM] 

Sure, thanks Don and it is a pleasure to be here. As you have pointed out, CyberCube is the world’s leading provider of cyber risk analytics to the insurance industry. Cyber is a really big deal to property & casualty (P&C) insurers. Cyber is the fastest growing line of insurance to emerge in a generation. It’s expected to become one of, if not the largest line of insurance in the multi-trillion-dollar P&C insurance industry. In order to reach that growth potential, the industry needs analytics to price, underwrite, and model cyber risk. That’s precisely what CyberCube does for the world’s largest insurers, re-insurers, and brokers. 

DD 

Pascal, what is analytics modeling? What do you do for insurance companies? 

PM 

At its core, we put a price on cyber risk. We put a price on cyber risk for brokers that are selling cyber insurance so an enterprise knows whether it has a 5-million-, 50-million-, or 250-million- dollar problem at hand. We put a price on cyber risk for underwriters so they can decide whether a particular account will be profitable or not. We allow those in portfolio management to put a price on reinsurance contracts and insurance-linked securities contracts, so they understand how much capital to hold against those portfolios when catastrophic cyber events happen.  

DD 
Pascal, it’s easy to understand fire insurance because you figure out the value of the building that has to get replaced. How do you figure out the cost of cyber damage? 

PM 

First, you take analogies from lines of insurance like fire. That was hard to do when this business first started out. But now we’ve reached critical mass where our largest clients are paying out hundreds, if not thousands, of claims. You look at those claims and layer on top the frequency of an event and the severity or cost of an event using traditional actuarial methods. But in order to price cyber risk, you can’t just stop there. You have to look at global cybersecurity data and the evolving threat landscape. At CyberCube, what we do very uniquely is take those actuarial insurance approaches and pair them with cybersecurity and technology approaches. By bringing those two things together, we’re able to deliver the world’s leading analytics to quantify cyber risk in financial terms. 

5:47 Incubating CyberCube  

DD 

Pascal, when Forgepoint Captial first met you, you were an employee of Symantec. What did you do at Symantec to begin your business? What progressed from there in terms of starting the CyberCube as an independent company? 

PM 

Executives at Symantec recognized that cyber insurance was becoming a very big deal. As a Fortune 500 cybersecurity company at the time hearing that cyber insurance could become one of the largest lines of insurance in this multi-trillion-dollar industry, they wanted to know if there was an opportunity to apply their data and expertise to solve cyber insurance challenges. I was brought in to incubate the business, initially within Symantec. What I found in doing so was that we had an incredible opportunity in front of us. We had an opportunity to create a firm that was the go-to provider to power the future growth of insurance. We had an enormous head start in terms of capital, data, and expertise to create models. In doing so, we could not only shape the future of insurance but also change how cybersecurity was thought of over the long term.  

We spent a couple of years within Symantec incubating the business. When it was time to launch, it was very clear that the cyber insurance customer wasn’t the same as the Symantec customer. There is an inherent conflict in rating your customers for insurance purposes when you’re selling them security. Perhaps most importantly, Greg Clark, the CEO of Symantec at the time, recognized that we would need a nimble startup that was singularly focused on becoming the preeminent partner to the cyber insurance industry. That’s when we raised our Series A, brought in Forgepoint, and injected the DNA needed to create a lasting institution serving this dynamic market. 

7:52 Combining Cybersecurity and Insurance Data to Quantify Cyber Risk 

DD 

Fortunately, we did that- at the time you had no revenue, and it was a big bet on the quality of the team, but you had already demonstrated the ability to build an enterprise class application and that you had a proprietary source of data. Let me dwell on data for a minute. You need data in order to come up with analytical models. What kind of data do you need, what does that data indicate, and how does it lead to a conclusion and recommendation for your clients? 

PM 

Data is essential to any analytics company. When we started the business, the refrain from insurers was often, “The problem with cyber is that there is not enough data available to us.” Fast forward to today, the mindset has really changed. I think the mindset today is more often that there’s too much data available in cyber. It’s hard to understand the data, to access the data, to make sense of the data. A core part of what we do is take data and distill it into actionable insights.  

We think about data in terms of two categories. The first category is cybersecurity data that comes from our proprietary data collection technologies as well as our partnerships with cybersecurity companies- many of these are relationships that Forgepoint helped us create. We then pair that data with data from the insurance industry: financial data, exposure data, broker application data, claims and loss data. Uniquely, when you’re able to train cybersecurity data against insurance and financial data you can quantify cyber risk in financial terms in a way that you could not otherwise. We are in the very fortunate position of now serving over 100 insurance clients and 30 of the 40 largest U.S. and European cyber insurers. As we work with those carriers and get data and analytic feedback on our models, it allows us to deliver the world’s leading analytics to quantify cyber risk. It creates a competitive moat versus other competitors and internal models, helping us drive insights in a way that we could not if we didn’t sit on both data sources and if we didn’t have the market position we have today. 

10:21 Building a Respected Board, Cultivating Partnerships, and Raising Capital 

DD 

Of course, it was an advantage to have built the enterprise-class application within Symantec. When you were freed to act independently from Symantec, one of the first things you did as CEO was to build a world-class board of directors- with the exception of me, of course. You brought on board executives and industry leaders in a way that indicated to the insurance industry that you were serious and building a company that could be public. How did you think about that? 

PM 

I thought about that in conjunction with Forgepoint. We knew by bringing Forgepoint along as a partner that we would have access to cybersecurity, data companies, and expertise. In the very early days, it was company building that was really important. When we went out to insurers, we could not be a move fast and break things startup. When you’re breaking things in insurance, you’re breaking the balance sheet of centuries-old insurers. We needed to project both the information security hygiene that came from our roots within a Fortune 500 cybersecurity company and the expertise of a business our clients could partner with not just for years but for decades. Taking early steps, such as Forgepoint’s help recruiting retired Admiral Mike Rogers, former head of the NSA (National Security Agency) and US Cyber Command to our board of directors in the first few months, we were signaling that we were serious about supporting [our clients] for the long term and were a partner they could trust. 

DD 

The other thing that you did well was to identify investors for the next round of capital just after you raised the first round of capital. How did you think about identifying which investors you thought would do a good job of not only bringing money, but also bringing expertise and insurance industry credibility?  

PM 

Running our Series A, the Forgepoint investment gave us a big check next to the cybersecurity expertise we needed to be successful. At the same time, we were trying to create one of the most valuable institutions in the insurance industry. As such, as we sought to raise capital for our Series B, having insurance-savvy investors to direct the company’s future and signal that long-term view was important. We were thrilled to bring on MTech capital, Hudson Structured Capital Management, and individuals from Stone Point Capital in our Series B- all premier investors in the insurance space. That really injected DNA and brought the cyber world and the insurance world together at the board level- the same thing we were seeking to do at the ground floor level with the company’s team. 

DD 

It surely has been a pleasure for me to be able to explain cybersecurity to the insurance investors and have them explain insurance to me. You also made two additional moves. You did a top-up round with a fund from Morgan Stanley and then, in one of the most important moves, you brought in the retired CEO of Verisk. Let’s talk about that. 

PM 

As anyone that follows the tech market or the Insurtech market will know, there were some pretty big disruptions over the course of the last couple of years in terms of valuations, what investors were looking for, and expectations. As we thought about delivering the world’s leading analytics to quantify cyber risk for the insurance industry, we knew how important it was to have that long-term view and take long-term horizons. We brought Morgan Stanley- MSTV- as a capital partner to signal that long-term strength. It was a move that was welcomed internally and by our clients- we can focus on growing the business rather than on short-term capital.  

In addition, Scott Stephenson was a really important addition to our business. Scott had previously been the CEO of Verisk, a Fortune 500 provider of physical property analytics to the insurance industry. As we thought about the couple of decades that he had spent at Verisk creating deep partnerships with the insurance industry and physical property, there were very clear analogies with what we are doing at CyberCube for the next generation of insurance and digital property, digital risk, and cyber risk. Scott has been a tremendous asset to me and the broader board as we think about building a long-term institution that’s a preeminent partner to the insurance industry. That long-term relationship building is something he’d done with his prior employer. 

DD 

The wave that we are riding is the digitization of corporations around the world. As they go from having their value in physical assets to virtual assets, those virtual assets are at risk of attack and theft by cyber criminals and nation state actors. If you think about 30 years ago, Exxon and General Electric were the highest market cap companies. Now, it’s all of the virtual companies like Google, Facebook, Amazon, and others. That’s the business that you’re in: protecting them. We are in front of virtual assets that need to be protected.  

16:44 Pascal’s Early Career as a McKinsey Consultant 

DD 

Now that we have positioned the company you’ve built as being the leader in its category, let’s go back and talk about your personal story. You grew up in New Zealand. How long did you live in New Zealand and how come you don’t have a Kiwi accent? 

PM 

I get asked that all the time. In the U.S. people say, “It doesn’t quite sound like you’re from around here” and the same happens in New Zealand. I grew up in New Zealand until the age of 18, at which point I received a scholarship to study at Cambridge in the UK. I was then lured back to New Zealand to join McKinsey & Company as a management consultant. That took me all over the world before I moved to California 18 years ago. 

DD 

What did you do at McKinsey? 

PM 

At McKinsey, I got my initial introduction to insurance. It’s not an industry I thought I would choose, but very early in my career I did make the conscious decision to pursue it. I wish it was for the underlying attractiveness of the industry but if truth be told, my staffing manager provided me with two options. The first option was to take a seven-hour flight to Perth, Australia, hop on a small Cessna to fly to an airstrip, drive for two hours, and sleep on a mining manager’s couch. The second was to fly to Sydney and start working in financial services. I chose the latter and as I got deeper into my work, I found out that insurance was a super interesting industry, which surprises a lot of people. In fact, if I’m on a plane and don’t want to talk to the person next to me, I’ll tell them I make software for insurance companies. They generally get busy with other things at that point.  

Analytically, it’s an interesting industry that supports virtually every area of the global economy. As consumers, our lives wouldn’t function without it. At McKinsey, I had the opportunity to work in actuarial pricing, insurance product strategy, broker compensation, claims process redesign, reorgs, risk committee design, and M&A. I gained a 360-degree view of the insurance industry. Now, as the CEO of a cyber insurance analytics company, every one of those experiences has made me a better partner to the companies I’m serving. I’m forever grateful for that time.  

20:01 Navigating the Transition from Advising to Decision Making 

DD 

Many McKinsey consultants end up being in senior leadership positions and senior operating positions. They have to make the transition from advisor to decision-maker. What’s your management style, your communication style, and your leadership style, and how did you make that transition? 

PM 

There’s a lot that can be taken from McKinsey. It’s no surprise that McKinsey wins a bunch of accolades in terms of the percentage of their alums that go on to be CEOs of companies. That’s particularly true in the insurance industry, actually. I think my biggest takeaway from McKinsey is their recognition that their biggest asset was their culture- a culture that attracts exceptional people and turns it into an esteemed institution. At the core, that’s what McKinsey has. Recognizing the importance of culture and the need to work on it deliberately has been one of the enduring features of my time at McKinsey.  

At the same time, the jokes they make about consultants are somewhat true- it’s spending a lot of time in PowerPoint polishing slides. That’s just not how the real world works. Once I’d left McKinsey, I was doing some consulting work for a hotel software company. I got so involved that the CEO asked me to become president of the company to help get stuff done. That shift from advising, conversations, and PowerPoint to my first year in that role where we grew our contracts 10x, moved from one country to five continents, took outsourced development in-house, and turned the business upside down, showed me how the pace of change in decision making (with mistakes along the way, mind you) was fundamentally different from my time at McKinsey. It was energizing in terms of what I wanted to do with my career- spending my days getting things done and seeing them through. McKinsey is an incredible institution, though it’s not a long-term career for many. But it’s a great place to start- I’m glad that’s where I began. 

DD 

How long were you at the hotel software company? 

PM 

It was around 18 months. We did some pretty major transformations there. It was enough for me to get a taste for the software space and want to do more.  

DD 

How did you make the transition to Symantec and San Francisco? 

PM 

I moved to San Francisco for love and am now a very happy San Francisco resident. With Symantec, the company wanted someone that had a grounding in insurance and in leading a software business. At the time that was a pretty small subset of people. It remains relatively small. Insurance is one of the world’s largest industries and 10% of the Fortune 500 are insurers, but when it comes to technology and innovation it’s years behind many other industries. I think that’s why Insurtechs and firms like CyberCube breathe new life into this very large, important but technologically lagging industry. 

24:06 Joining Symantec and Creating a New Model to Predict Loss  

DD 

What specifically did Symantec have you doing? 

PM 

Symantec had me do two things. First, I was looking at how Symantec products for both consumers and enterprises could be bundled with insurance products. Second, and most importantly, I was looking at how Symantec’s data and expertise could be used to solve some of the core analytic challenges in the insurance industry. My philosophy at the time was the worst thing we could do would be to sit in a windowless room in Silicon Valley designing analytics products we thought the insurance industry would need. It was very important to bring on design partners- joint development partners- to undertake our modeling initiatives and build what insurers and insurance institutions needed versus what we thought they needed.  

In the early days at Symantec, one core part of what we did was recruit really good insurance executive talent alongside the cybersecurity and technology talent in the company. We also formed partnerships with globally leading institutions to ensure the initial products we developed were things they could use to make a difference. 

DD 

What you were doing was not just looking at historical data. You were actually creating the ability to predict losses based upon data. I can think back to thirty years ago when people first started to attack the issue of how to predict catastrophic losses from hurricanes, fires, floods, and earthquakes, and sell insurance for that. There was a model in the property and casualty industry about predicting future losses, but it seems difficult that one could predict losses in cyber insurance. How did you first come to grips with that? 

PM 

First, we looked at the history of insurance over hundreds of years. This is something the insurance industry has done time and time again. As new risks unfold and there are new priorities for enterprises and consumers, insurers have a long history of taking small initial bets, building up claims histories, and developing products around that over time. In some ways, cyber is more predictable and less volatile than other major lines of insurance. I think about surety insurance, directors’, and officers’ insurance, and the early days of workers comp insurance. The insurance industry is used to taking initial steps to start building up claims histories and moving from there.  

From a CyberCube perspective, there was more art than there was science in the early days. Fast forward to today, we have clients paying out hundreds and thousands of claims which we’re calibrating our models against- and our models are turning out to be right. Two years ago, CyberCube’s projected industry loss ratio was three percentage points off the National Association of Insurance commissioner’s year-end loss ratio. Last year, we were one percentage point off. It’s difficult to price cyber and reflect the change in the loss landscape, but when you’re working with the world’s largest insurers and can calibrate your losses against them, plus you have deep technology, security, expertise, and data to monitor what’s happening in the threat actor landscape, those two things together enable you to deliver models that perform and enable insurers to price risk. 

What is critical to know about insurance is our problem statement is very different than cybersecurity. In cybersecurity, a CISO needs to be right every time with respect to hackers and those seeking to penetrate their systems. A hacker only needs to be right once to get into a system and cause damage- they can try many times. Insurers fall into neither of those buckets. Insurers need to be right on average over tens of thousands and hundreds of thousands of policies. That’s possible because of insurance analytics. With CyberCube’s help, the industry is, in the main, actually getting this right and pricing risk thoughtfully and appropriately, adapting as the underlying threat landscape changes. 

29:31 The Maturing Cyber Insurance Industry and Evolving Threat Landscape  

DD 

Let’s talk about how the industry has matured. When you and I first went to the Monte Carlo conference for reinsurers, I was stunned to learn that the reinsurance industry was making very large insurance decisions based upon only three pieces of data about each company: what industry they were in, what broad revenue range they were in, and what geographic location they were in. I thought to myself, “None of that is informed by the risks of cybersecurity that I’m aware of.” Now, through the conferences that are hosted by CyberCube, I have seen the industry change in its sophistication around identifying and analyzing risks. What’s your perspective on that? 

PM 

I think that’s absolutely the case. After years of selling tens of thousands of policies and paying out hundreds and thousands of claims, CyberCube is able to partner with our insurance carriers to drive better underwriting decisions. Ransomware was a key example of that. We got to the point where a substantial portion of all ransomware claims globally were based on two things. Number one, ineffective multi-factor authentication and number two, open ports like RDP (Remote Desktop Protocol) ports. By using CyberCube’s single risk analytics, insurers were able to make better, more informed decisions about what made a good risk and a not so good risk.  

Our models, through machine learning, new data sources, and calibration with our clients, have moved forward in leaps and bounds since then. We have cybersecurity signals that, if present in a company in the CyberCube analytics, lead to a 25x, a 20x, a 12x increase in the likelihood of claims. We are arming insurers with the data they need to make a better underwriting and pricing decision. Perhaps even more exciting, insurers can now be a force for good, pointing out when companies have vulnerabilities they should address. Now, when insurers see claims, based on signals from companies like CyberCube, they know what needs to be addressed. 

As I think about when we started the business eight years ago, there was a bunch of catch-up that the insurance industry needed to do with cybersecurity. We have reached a point now where cyber insurance analytics are actually able to teach the cybersecurity industry about what drives losses, the probability and severity of losses, and what we should be doing about it. 

DD 

We are seeing that in our cybersecurity investing practice in the eight or nine questions that are being asked of companies before they can be underwritten. If they cannot answer those questions correctly, they have to fix their internal operations. This is really helping tamp down the losses. Nonetheless, as the old story goes, once you begin a battle the enemy has a vote. The enemy here has been incredibly creative and nimble to keep changing the shape of the battlefield and continue to hack.  

33:23 AI and Generative AI at CyberCube 

DD 

You were a visionary back in 2012 when you thought about starting the CyberCube operation within Symantec. Let’s talk about your vision going forward in terms of products or markets. No conversation can be held today with reference to GenAI (Generative AI) or artificial intelligence. Maybe I can just start with that question- what are you doing today in artificial intelligence and what are you doing in the future with GenAI? 

PM 

Artificial intelligence has always been a core part of what we do and how we deliver the world’s leading analytics to quantify cyber risk as we use tools like machine learning to train our models. Large language models are an incredibly important development. They are not a future development- we are already seeing a tremendous lift in our models from LLMs (Large Language Models) today. We are using LLMs to extract data at scale and understand the global internet in structured ways that we couldn’t before. We are using large language models to fill gaps in our proprietary tech dependency data. Our early testing shows it’s allowing us to eliminate up to 90% of the gaps we see in our own data sets with respect to the technology dependencies to single points of failure that companies have. It is still a rapidly evolving space for us, but AI has been a core part of what we do since our beginning. Large language models are now turbocharging our analytics.  

We are leaning even further in to see how generative AI can help an underwriter make quicker decisions and access the compendiums of information that exist within the CyberCube network. I do expect this to be a transformational technology for not just risk in the global economy but also how insurers understand and analyze risk. 

35:43 Attracting Capital and Government Collaboration to Support Cyber Insurance Demand  

DD 

The amount of capital needed in the insurance industry to back the cyber risks that they are taking by writing insurance policies may be more than what the industry can afford on their own balance sheets. What are you doing to assist the industry in creating more sources of capital?  

PM 

This is a very good problem for the insurance industry to have. The insurance industry typically grows below the rate of GDP growth globally and has a highly penetrated set of products. Cyber is not one of those products. Today, a single digit percent of all cyber risk is covered by a cyber insurance policy. Too few companies buy policies and those that do buy typically don’t buy high enough limits. As we think about the growth of this market, the problem is not on the demand side- the demand for cyber insurance- because cyber risk is growing over time as we further digitize the economy. The problem is on the supply side- the supply of capital to support this. CyberCube is taking a proactive role in attracting capital to this market. Two initiatives we have launched in the last six months are indicative of that. 

The first is that we worked with structuring agents to create the world’s first publicly tradable cyber insurance-linked securities, which act as publicly tradable bonds. Instead of tying to a credit event, they are tied to a cyber event. That business got off to a roaring start and in Q4 2023, 7.5% of all insurance-linked securities issued globally were issued in cyberspace. CyberCube was the modeling agent for all of them. We think that the market’s going to continue to grow. There’s a $50 to $100 billion market for net natural catastrophe insurance-linked securities capital and we believe the market for cyber risk capital could be even larger.  

That being said, Don, you shared some eye-popping numbers earlier on the size of cybercrime. Some cyber catastrophes are so large that there is not enough capital in insurer and reinsurer balance sheets or the insurance-linked securities market to cover them- things like nation-state-to-nation-state war. CyberCube is currently engaged with multiple governments on the potential creation of cyber reinsurance backstops and support for catastrophic cyber events in those markets. For example, we participated very closely with the U.S. Treasury as they have investigated a federal government cyber reinsurance backstop as part of Biden’s national cybersecurity strategy.  

As we think about the future, there is incredible growth in cyber risk and in the cyber insurance market. We need to ensure our models are attracting enough insurance, reinsurance, ILS, and government capital to provide the financial resilience needed to sustain catastrophic cyber events.  

DD 

The government does have a role here. That sounds like the flood insurance the government provides for areas where privately provided flood insurance is not possible. 

PM 

That’s right. In fact, the federal government does a lot in insurance. Some describe the U.S. federal government as a giant insurance operation with a side hustle in the military. If you think about health, life, disability, crop, quake, flood, terrorism- virtually all lines of insurance have either very heavy government regulations or the government acting as insurers of last resort. As we think about the size and scope of cyber risk long term, it’s no surprise that the public and private sectors are starting to have thoughtful dialogue on whether there is a role for the federal government and, critically, how we can ensure any federal government response to catastrophic cyber risks leads to more private sector capital coming into the market, not less. There has been good government policy and insurance that has led to a more flourishing private sector. There has also been government policy that has led to the stymieing of a private sector market for insurance.  

I’m confident the dialogue happening between the public and private sector is headed in a direction of greater resilience for the U.S. economy and other economies around the world, and solutions that make sense for taxpayers, enterprises, and insurers. 

41:09 Cyber Insurance and Acts of War and Terrorism 

DD 

You mentioned that hackers are primarily organized crime or nation-state actors. I know specifically that Russia, China, Iran, and North Korea are the primary nation-state actors and that they also sponsor hacking by organized criminal groups. At some point, the insurance industry has to say, “Enough, that’s an act of war. We’re not going to pay you back for that because we can’t insure against acts of war or terrorism.” Where is the cyber insurance industry now on acts on war? 

PM 

This is a work in progress. For hundreds of years, the P&C insurance industry has been unable to cover the costs of wars because there is simply not enough capital on insurer and reinsurer balance sheets to do so. Insurance is a promise to pay. It doesn’t make sense to make promises that can’t be kept. It’s very difficult to believe that the insurance industry will be able to cover cyber war when they couldn’t cover other forms of war.  

There’s a concerted effort right now to say, “What are those most extreme scenarios where there are things like kinetic war that turns into cyber war, and a major aggressor trying to enact maximal damage on a particular economy?” It’s only for those extreme events that the insurance industry is working to ensure they have guardrails in place to avoid making promises to pay that they can’t keep. Where appropriate, they are also looking to see if there is a role for government.  

What is critical to note, however, as we think about the wordings that have been rolled out into the cyber insurance market, is that few if any of those wordings will have changed any claims paid out over the last 10 years. This is a prospective view to get ahead of what could happen in the future. It’s designed so that when a broker is representing a cyber policy to their enterprise, they are very clear about what that market and policy would include and what it would not. I don’t think enterprises should fear that the same policies which have proved incredible valuable to the global economy over the last decade will stop providing that value in the future, even with some of the most restrictive language. We are just trying to isolate and contemplate those very extreme events in advance of them actually happening. 

44:11 Advice to CEOs 

DD 

This has got to be enjoyable for you because you have built a company that is operating both in North America and on a global stage for the private sector as well as the public sector. It is a big opportunity and a big wave you are riding. You are recognized as one of the global leaders in this industry.  

Let me come to some closing reflections here. You are a first-time CEO and first-time CEOs do not often go the entire route as you have, starting and then going all the way to global impact. What is the best piece of advice that you have received along your career journey that’s helped you become a long-term CEO? 

PM 

I would say two things. First, never lose sight of the culture of your organization and how it needs to evolve over time. Second, as a CEO you need to be open to feedback. I am very fortunate to have built a tremendous leadership team with a wide variety of perspectives. As a CEO, it is important to solicit their perspectives and ultimately find my own way based on what feels true to me and my leadership style. What I would say to other CEOs is to think about your board and your leadership team as some of your greatest assets. They provide data points that help you determine how to be effective today and in the future as the needs of the business change- and boy do they change as you enter the different stages of the company’s life cycle.  

46:22 The Future of Insurance Analytics in Cybersecurity 

DD 

It has been enjoyable to work with you because you are open to new ideas and direct feedback, which I provide almost to a fault. Now you are in a position where you can affect change in the cyber insurance industry. What do you see as your opportunity there and what would you like the industry to do to improve?  

PM 

I think cyber insurance analytics could transform the future of the cybersecurity industry. Cybersecurity could do a lot more to focus on the ROI of controls. Entreprises have dozens of solutions and are looking at hundreds of vendors. Insurance analytics cuts through a lot of the noise and asks what matters with respect to financial impact. What are the security indicators, vulnerabilities, and tools that are going to either reduce the probability of a security incident or reduce the severity or cost of an incident? Insurers have a lot to learn from the technology sector and the cybersecurity sector, but I hope it is a symbiotic relationship whereby cybersecurity learns from what the insurance industry is seeing and what companies like CyberCube are providing through cyber risk analytics to drive better decision-making and a more resilient global economy long-term. 

DD 

Pascal, that’s been our objective here at Forgepoint as well. We recognize we can’t be 100% perfect. At some point, we can’t buy another tool or get another person involved. Cyber insurance is one way to transfer risk and continue to build companies successfully. What you are doing is helping us in that process. Pascal, thanks for your time, dedication, and perseverance in making this successful. Here’s to your accomplishments and the continued success of you and your team. 

 
PM 

Thank you, Don. I and our team could not have done it without Forgepoint’s partnership from the very beginning.  

DD 

Take care, thank you.