Inside track: the deepest cyber modeller is coming to Bermuda

04-10-2022

Inside track: the deepest cyber modeller is coming to Bermuda

Jose Seara, CEO, DeNexus.

DeNexus, which quantifies cyber risk for large industrial and critical infrastructure corporates, is bringing its DeRISK platform to the Island’s risk transfer sector. Bermuda:Re+ILS reports.

The energy and computing industries often refer to “generations” to reflect the continual technological development they rely on. So it’s to be expected that Jose Seara, chief executive officer of DeNexus, describes his cyber modelling as belonging to the second generation.

With a background in renewable energy and an eye on industrial critical infrastructure and manufacturing sectors, his move into the cyber modelling space four years ago was driven by a desire to bring his industrial clients to the latest frontier of what’s possible. In fact, the third generation of cyber modelling is already taking shape in his mind.

Seara says that DeNexus is still the only second-generation cyber modeller. That means it is a fit-for-purpose solution focused on large industrial risk by using real-time, inside-sourced data that allows for dynamic responses to fast-changing cyber threats.

DeRISK is the world’s first self-adaptive, cloud-based platform that uses evidence-based data to predict where and how breaches are likely to occur, what their business impact will be and what mitigation actions provide the highest return on investment. It is designed to help industrial organisations, underwriters, reinsurers and insurance-linked securities (ILS) investors fully understand the risks associated with cyber attacks.

DeNexus gets “inside” a client’s network by using telemetry—the in-situ collection of data at remote points and its automatic transmission to monitor devices, threats and cyber controls in place. At just shy of a decade old, telemetry isn’t new, Seara notes, but what is new is the way that DeNexus uses it to assess cybersecurity.

“Four years ago, I saw a massive opportunity to use telemetry for cyber analytics and, as far as I’m aware, DeRISK is still the only industrial cyber risk quantification platform that leverages data from inside a client’s network,” he said.

The company’s best-known competitor, perhaps, is CyberCube, which sells data and software, but a key difference between them, says Seara, is that DeNexus sees both industrial clients and underwriters as a key client base. For example, he estimates that cyber-related ILS has the potential to equal the property cat ILS market by 2040.

“Telemetry allows us to deploy deep inside an industrial facility, gather its data continuously and then ship it outside in a protected manner.”

Inside job

“There are two main differentiators between what we call the first generation of cyber risk modelling attempts and the second generation for the industry verticals in which we are leading,” Seara explained. “These are: being more specific and going deeper.”

First-generation modellers take a “one-size-fits-all” approach to risk, be it a hurricane in the Gulf of Mexico or an earthquake in Japan, he says, but that approach merely “scratches the surface” of the potential for cyber modelling. Second-generation DeNexus therefore offers bespoke models for every industry vertical it analyses, he added.

The second difference is that DeNexus is focused on a small selection of industry verticals, which enables it to go “very deep” into a client’s data—by going inside its network and staying there 24/7. Above all, a deep dive into an industrial facility’s network and a knowledge of the specifics of that facility are needed, owing to the sheer volume of the data produced, Seara says.

“Data from inside a facility tells us pretty much everything about how it is built, how vulnerable it is to cyber risks, and the controls the owner has deployed to hedge some of those risks. We have visibility of all of that. Plus, if a facility is compromised, then we see that as it is unfolding.

“Our DeRISK platform calculates the financial exposure to cyber risk that the owner of a facility has, and provides them with risk mitigation strategies to enable them to make the best use of their risk management capital.”

If necessity is the mother of invention, then the DeNexus approach is a response to the risk transfer sector’s need, not only for clear visibility of an exposure, but also a view of that exposure as it evolves. It’s this capability that can empower the different stakeholders in a risk management chain as never before, Seara emphasises.

“Decisions on whether or not to set aside capital for a potential loss need ‘inside data’ that only second-generation cyber risk modelling can provide. First-generation cyber modelling only looks at risk from the outside, by performing a scan of the surface of an attack that a client is exposed to,” he said.

“Analysing the network data of an industrial process is a much more complex value proposition than just scanning computers. It includes contextualising network data with the underlying industrial process and the business layer.

“Telemetry allows us to deploy deep inside an industrial facility, gather its data continuously and then ship it outside in a protected manner,” he explained.

His company’s data monitoring and gathering is structured according to complex agreements, he adds, “because that data contains, as you can imagine, highly sensitive information about the potential vulnerabilities in those assets”.

Seara declines to name his telemetry providers, but he will say which he considers to be among the leaders in this field: Nozomi, Forescout, Tenable and Industrial Defender.

Two products

DeNexus offers two products: DeRISK Industrial and DeRISK Insurance.

DeRISK Industrial “empowers” an industrial enterprise to quantify and manage its cyber risk exposure on a continuous basis, while DeRISK Insurance quantifies the cyber risk of industrial enterprise clients and client portfolios for underwriters.

Using industry-accepted cybersecurity frameworks, DeRISK feeds data through standardised processes to provide probability analysis and financial impact of diverse threat scenarios. The risk analysis results of all DeNexus clients are then clustered by sector and geography to derive the predictive drivers of loss purpose-built for the re/insurance and ILS markets.

The company says that DeRISK informs investment decisions and price policy and pinpoints capital allocation strategies, by guiding re/insurers and ILS investors on expected loss; probable maximum loss; value at risk; tail risk; impact on income; impact on reserves and balance sheet; loss exposures; and risk structuring.

Renewable entry point

DeNexus clients include large utilities and independent power producers, such as Apex Clean Energy and GridSME. Given Seara’s background in the wind, solar PV and cogeneration sectors, renewable energy was the “obvious entry point” for him when he founded DeNexus in early 2019.

The next big industry vertical that DeNexus plans to enter—as early as next year—is the oil and gas business. It has already started working with a global oil and gas player with a presence in midstream and downstream markets, Seara says.

“The oil and gas industry is quite mature in the deployment of telemetry so we will be using data that they are already producing to inform the financial quantification of their cyber risk exposure. What we are adding is the analytics layer to their data,” he said.

Asked why a cyber attacker would target a renewable energy facility, he says it’s because renewables are becoming increasingly relevant sources of electricity in certain regions.

“Blocking renewable energy in California, for example, would cause disruption to the entire electricity system because, during peak hours, renewable energy delivers up to 70 percent of that state’s electricity.”

Although DeNexus can often “infer” who a cyber attacker is, identifying the source of a breach isn’t its focus, Seara says.

“In our value proposition, we try to quantify the exposure more than identify who is behind the risk. Our specialty is in quantifying the risk rather than developing the intel on cyber attackers because there are many other companies doing that,” he said.

“In an industrial environment, the risk, most of the time, takes the form of operational risk—business interruption, damage to equipment, risk to life or environmental damage. That is, there is no risk to intellectual property inside those facilities that has a value for the attackers to try to steal. Rather, this is heavy machinery or critical infrastructure, where the damage is usually disruption of an industrial activity.”

The DeRISK platform gives the owner of the risk visibility of their exposure, where it is coming from, and how it evolves through time.

“Cyber risk, for better or worse, changes often and with the information we provide, the client is empowered to make decisions based on their risk factor and risk tolerance level. That is the gap we help them to close, by understanding what is the next action they should take in order to reduce their risk using their financial efficiency criteria,” Seara explained.

“However, there is some point at which investing in mitigation ceases to be financially efficient, and it’s then that the remaining risk could be moved to the risk transfer industry. That would be a risk that we define as a low probability, high impact event, which the owner of the risk does not want to keep on their balance sheet. That’s a business opportunity for the risk transfer industry.”

Next stop, Bermuda

DeNexus is headquartered in Sausalito, California, and has its main engineering base in Madrid, Spain. It has subsidiaries in Switzerland and the UK, and it is working on licensing its operations in Bermuda.

“We’ve been working with the risk transfer industry for two years and with capital markets that provide additional financial capacity to the risk transfer industry for almost a year now, and the conclusion is that there is a significant gap in capacity to underwrite the increasing cyber risk,” Seara said.

“The traditional cyber insurance industry cannot provide that capacity so they need to tap into capital markets. The way they do that is by securitising the risk and selling the security to financial investors. Bermuda is the leading jurisdiction for that and insurers, reinsurers and the ILS community are telling us that our ‘inside-out’ approach to data is absolutely essential for them.

“We are designing, with the insurance industry and ILS community, new insurance products that can leverage that data and provide the owners of the risk with better, cheaper, more efficient protection, and with the capacity that doesn’t exist elsewhere in the market.”

DeNexus will open an office in Bermuda to be closer to its stakeholders in re/insurance and ILS.

“We are fast approaching an important milestone for us that we expect will happen in the new year when a new product will be made available to the market. We are doubling down on our efforts to be known in the Bermuda community and to build a brand on the Island about an entity, DeNexus, that is leading this cyber risk quantification modelling for large industrial companies.

“Legal entities are being incorporated as we speak and the goal is having a permanent establishment in Bermuda before the end of this year,” he said.

In the meantime, DeNexus has received System and Organisational Controls Type 2 (SOC 2) data security accreditation. SOC 2 is a worldwide grade developed by the American Institute of Certified Public Accountants, and is designed for service providers who store customer data in the cloud. The firm’s efforts to secure ISO 27001 certification—an international standard on how to manage information security—are now under way.

Seara says SOC 2 compliance illustrates DeNexus’s commitment to the highest standard of controls when dealing with client data.

“The DeRISK platform is a combination of policies, procedures, accreditations and technologies that allows us to guarantee to our clients that we are good custodians of their information, and that DeNexus is a trusted ecosystem,” he said.

Complex landscape

In a blog published in July this year, titled “Global Net Carbon Zero ambitions and the role of Cyber in ESG”, Seara wrote that much of the digital transformation under way is increasingly enabled through adoption of cloud services.

However, the flipside is that the cyber risk landscape becomes more complex as more business interruption risk is devolved from the risk owner to third-party digital service providers, creating a significant concentration of business interruption risk—the re/insurance industry refers to this as systemic accumulation risk.

This matters, he wrote, because digitisation of the global economy needs risk capital to be available to underwrite the many, new and innovative business models that are at the heart of the digital transformation.

“There is a paradox at play here,” Seara wrote. “At a time where the global economy is going digital, insurance, reinsurance and ILS investors have less confidence that they know enough about the digital risk in the new and more complex digital landscape and, in turn, have less confidence to put capital at risk.”

He added that central to re-establishing “cyber confidence” is the ability to provide visibility, knowledge and surety, and second-generation cyber risk quantification platforms, such as the DeNexus DeRISK platform, provide core capabilities around which confidence can be rebuilt.

“There is a significant gap in capacity to underwrite the increasing cyber risk.”

Energy DNA

In a nod to his heritage in the energy sector, Seara said he came up with the name DeNexus from the Japanese word for energy, “den”, and nexus, to reflect the company’s mission to “connect the dots in the cyber space”.

His native Spain has been at the forefront of renewable energy for 20 years, while Japan has developed a healthy renewable industry in the last decade, he says.

“Japan is one of the markets we will serve when we scale up the company and, as preparation for that, on our advisory board we have an individual who was running the brokering practice for Aon in Japan. Japan’s renewables sector is a real market opportunity for us,” he said.

Seara, who is from Barcelona, joined the electricity industry out of college, in 1996. In the early 2000s, when Spain began developing renewable energy technology, he joined DeWind and then Proyectos de Cogeneración. He then founded Proydeco Ingeniería Y Servicios, which he sold when he was offered a role leading a renewables independent power producer in the US called NaturEner.

“The US and Canada were doing in the 2010 timeframe what we had been doing in Spain in the 2000s. That meant I decided to push harder than originally anticipated by NaturEner’s investors, and built a company in the power generation space that was sold to a large investment bank a few years later, in 2018. Then I formed DeNexus.”

Three's the charm

Asked how he imagined the third generation of cyber modelling would be, Seara answered: “If I knew that, then I would already be building it!

“But that generation will be about identifying sources of data that anticipate the threats and thus help the owner anticipate the risk mitigation strategies they will need, according to macro trends that are so relevant to cyber risks in large, critical infrastructures. At the moment, we are just scratching the surface of the potential of the DeRISK platform.”

Another feature of DeNexus as a second-generation cyber modeller, he said, is that it brings in the expertise of the industry it is working with.

“The first-generation modellers are cyber experts with modelling skills or modelling experts that procure cyber expertise, but none of them cares about the underlying industrial process. And that’s totally missing the mark,” Seara concluded.

DeNexus, DeRISK, Jose Seara

Bermuda Re