Ari Chatterjee is chief underwriting officer for Envelop Risk, a start-up MGA in Bermuda, using machine learning tools to price cyber risks, with underwriting capacity supplied by MS Amlin
Does a focus on cyber business suit the managing general agent (MGA) model?
MGA are usually nimble and often bring specific expertise and distribution to niche markets the scale of which is difficult to achieve in traditional incumbent especially for niche businesses like cyber.
We believe in future the MGA business model will adapt to a more technology driven efficiencies that will not only improve the distribution bottlenecks, but also improve the quality of underwriting.
At Envelop, our approach to business is one of partnership than a pure MGA model. We operate as-if a virtual team with our partner MS Amlin where we leverage on each-others infrastructure and decision making is faster.
Often, we downstream our technology and resources to our reinsured clients to help them grow their cyber insurance book profitably.
What recent trends have you observed within cyber risks?
We have noticed the threat landscape move towards more targeted extortion and ransom demands which is a shift from previous social engineering vector.
This puts business interruption (BI) and contingent business interruption (CBI) components of the cover to the highest risk. We believe manufacturing and industrials are particularly vulnerable to this trend and the underwriters should carefully trade on the trend.
Volume of business has definitely increased substantially with higher demand from international markets and existing buyers asking for increased limits. In conjunction, demand for reinsurance and retrocession capacity have increased with more first-time cessions and larger reinsurance towers.
Quality of business, on the other hand, has remained stable over the last year although increased pressure to offer higher BI and CBI limits as insurers work on excluding silent cyber risks.
How are you using machine learning to provide an underwriting edge?
Machine learning automates complex mathematical analysis, enabling us to process a huge amount of data, accurately. It also allows us to weave the best of statistical analysis, regression analysis, neural nets, and other basic tools into comprehensive assessments of data sets. We joke that is like the equivalent of having a dozen PhD quants working for several years every night. With this advantage, we can be quite greedy with the amount of data we analyse.
Our fundamental principle is that since the performance data on cyber is too sparse, our job is to model the entire cyber economy like a physical system. It’s more than correlations, it’s about the emergent dynamics of a complex, adaptive system. It’s the same approach you’d take in a new aerospace, biological, or scientific field. We could not do this without machine learning, enabling to us to build a model of extraordinary complexity with a small team.
Which aspects and types of data and analytics have proven the most useful to you?
It’s always easy to forget how important it is to get the basics right. A lot of what we are able to do is use economic data to adjust for size, location, vertical, allowing us to assess companies of all types in a single model, with theoretical models we might need different ones, with different assumptions, for different company classes.
We also find external cyber posture technical analysis we can conduct through an APIs called Shodan indispensable for assessing thousands of variables on hundreds of thousands of companies, in terms of how their network is configured and managed. Finally, among other interesting elements, we’ve found social media data very valuable for revealing elements of company culture, correlated with the behavioural side of security.