5 August 2024 | Article | Re/insurance

On the frontline of the cyber wars

When people think of cyber attacks, what comes to their minds are probably ransomware attacks or the theft of people’s financial details.

But when Jose Seara thinks about cyber attacks, he thinks of hackers disrupting energy companies or railway companies, causing mass blackouts or snarling commuter traffic.

Seara had spent 10 years building a North American renewable energy company, having previously worked in wind energy, when he became concerned about the threat to industrial and infrastructure businesses.

As a result, Seara founded DeNexus, a company dedicated to providing protection from cyber threats to industrial companies.

Two years later, the startup has an insurance licence from the Bermuda Monetary Authority (BMA) and is in the authority’s regulatory sandbox, which is designed to enable insurance innovators to start their businesses under close regulatory supervision.

The company has grown steadily since it was founded, and now has around 20 customers around the world. These are often large corporations, and the company’s platform has been deployed 200 times. It has 30 employees, up from 18 two years ago.

“Cyber is a specialty niche risk but niche doesn’t mean a small risk,” Seara says. “It’s gigantic. It impacts electricity, utilities, gas utilities, oil and gas companies, large transportation, railways, airports, manufacturing, very large data centres.

“There are no assets or intellectual property to be stolen. But they provide vital services to our civilisation.”

He adds: “That is a very special flavour of risk that is historically underserved from the technology standpoint, meaning the understanding of risk. And that’s what we’ve been working on for the last four-plus years.”

Seara says the company has developed real-time dashboards to allow companies to monitor data security and to model risk as it relates to cyber attacks on industrial companies. But, he says, the company faces problems in finding re/insurance capacity, especially for business interruption.

As a result, DeNexus has entered the BMA’s regulatory sandbox to try to solve the puzzle of the capacity shortage.

“We are doing things that have not been done before and the sandbox framework is precisely there for that, to test new solutions, to promote new activities and businesses, for the insurance and reinsurance industry,” he says.

“Why Bermuda? Because it provides a nice framework and because it’s at the core of the reinsurance business, and reinsurance is where the bottleneck sits for risk transfer.”

Being prepared

Seara says business interruption caused by a cyber attack on an industrial company could end up being a multi-billion dollar event.

“The industry is not prepared to deal with a single event of that size. We need to build additional capacity.”

The problem for re/insurers lies in the reality that the risk is difficult to price due to the lack of data in a relatively new and rapidly changing segment of the insurance industry, he says.

“We provide them with that data,” he explains. “Under the regulatory sandbox framework we are using that data for them to get their hands on the risk, so they can better understand and develop fit-for-purpose insurance products that transfer some quantum of risk, and also to build additional capacity.

“That, in a nutshell, is what we are trying to do.”

Seara says there is more data available than people think, but “it is not properly structured or compiled”.

“We have developed our own proprietary models that spit out that data. We are building the dataset and building our actuarial tables based on the historical data. But in parallel, this is a dynamic and evolving risk which is another challenge.

“Our thesis is that we need to constantly monitor the risk, and see how it evolves—not only from the threat standpoint, which is a constantly moving target, but also from the protection angle.

“These companies are large corporates, they are sophisticated entities, they deploy already significant capital on understanding and mitigating and managing the risk. We constantly monitor both sides of the equation: attack and defence,” Seara says.

“That information goes into our analytics platform and provides a continuous assessment of the risk to the owner of the risk, and to the underwriter and in parallel, keeps building that database, day after day, with every customer. With every deployment of our analytics platform, we gain access to more data, and we learn more.

“We use that data to constantly build the actuarial table and to retrain the algorithms we use to capture all that data.”

Find the weaknesses

Seara claims the dashboard is able to look at the internal defences of a business to see where the weaknesses are while also monitoring where threats are coming from, at an unprecedented level of detail.

“There are thousands of datapoints pulling out data every second,” he says. “It is streaming the data on a continuous basis to our database. It is unique in the industry and provides us with an exceptional visibility of the risk, something the insurance industry has never seen before with this level of granularity and detail.”

Seara agrees that defences against cyber attacks have improved in recent years, and most companies are more aware of the dangers and have taken steps to prevent attacks.

But hackers, sometimes backed by national governments, are also increasingly sophisticated, he says.

Seara says the potential for DeNexus is huge, and its footprint is growing. Its main focus has been on electricity generation and distribution but it is also deployed in manufacturing, transportation and energy production.

That should grow and, Seara says, the BMA has been central in giving the company credibility.

“Our personal experience with the BMA could not be better,” he says. “They have been very business-friendly. At the same time, they have been clear: ‘these are my rules—you play by my rules, you are welcome to do things here’.

“The rules in our case for the sandbox framework were clear. The BMA provided the conditions we needed to meet if we wanted to benefit from the framework. We met the conditions, they gave us the approval, they issued the licence,” he explains.

“Now that we are active, we have a company in Bermuda that is regulated, and now we need to follow the rules; we have meetings with the BMA on average every month. They do their job.”

Seara says the company is continuing to seek investment after several rounds of financing, which it needs in order to employ more people, primarily on the data analytics side of the business.

“We are hiring more data scientists, artificial intelligence and machine learning engineers,” he says.

The company’s other need is computing capacity, because it runs weekly simulations for its customers that can use tens of millions of different scenarios.

“Simulating those 50 million scenarios for a single, let’s say, car manufacturing company is very computer-intensive,” Seara says. “We need access to computing resources that are not cheap.”

He is optimistic that this is the year the reinsurance capacity bottleneck begins to clear.

“2023 will be remembered as the year when meaningful cybersecurity decision began,” he declares. “There will be maybe $300 million of capital flowing into that product this year, which is an indication that next year we make our product half a billion dollars deployed in cyber iPhone Operating System products, including true tradable products that apparently are going to be sold into the market in November and December.”

Reflecting on the reported issuance of a $100 million cyber catastrophe bond, Seara says: “A $100 million bond in the grand scheme of things is not that big a deal. But it’s $100 million more than a year ago.

“I have been saying to my investors and customers that that was going to happen sooner rather than later. But I’ve been saying that for three years—and it didn’t happen yet. Finally, in 2023, it is.

“I’m very bullish about the opportunity. A lot of people are working on understanding the risk. We are not alone. A lot of people are spending a lot of resources, money, and talent putting that data together,” he concludes.
