Cyber News: Envelop Risk on AI in Cyber, Reinsurance and Emerging Threats

An interview with Paul Guthrie and Dean Mutam

With new online threats constantly arising, not all organizations are able to maintain a sophisticated cybersecurity posture and respond accordingly.

Whether the organization is small or large, it’s crucial to act responsibly in regards to digitally stored data. With this in mind, companies are counting on cybersecurity tools, such as trustworthy VPNs. However, the digital threat landscape is constantly evolving, leaving traditional tools incapable of handling new dangers.

To discuss this matter, we have interviewed Paul Guthrie, Co-Founder and Chief Operating Officer, and Dean Mutam, the Head of Cyber Intelligence, at Envelop Risk – Global Specialty Cyber Underwriting Firm.

Tell us a little bit about your story. How did Envelop originate?

Paul: Envelop started as a collaboration between leaders in the insurance and reinsurance industry and from the national security community. We recognized that cyber insurance was a critical tool for protecting companies in the face of rising risks and a product that would only grow in importance over the next couple of decades. At the same time, the quantitative tools required to build insurance and reinsurance products were not only lacking, but the technology base to create those tools did not exist natively in the insurance industry. We sought to model cyber risk quantitatively using contemporary principles of prediction, including the use of AI, intelligence gathering, and simulation modeling. We knew we would have to build a new type of insurance company to make it work; changing how we assess risk, model capital, underwrite, manage clients, and operate the business. So we see Envelop Risk as addressing a core need for companies internationally and see ourselves as one of the leading companies seeking to reinvent the insurance industry to bring about this future.

Can you tell us a little bit about what you do? What is cyber reinsurance?

Paul: The objective of cyber insurance is to make sure companies have the capital and ready resources they need to respond to and continue operating in the event of an attack.
Cyber reinsurance is a tool for insurers; it gives them additional capacity (capital) to expand how much insurance they can provide to customers, and it can help them structure that capital more efficiently. In effect, insurance firms give us capital and risk in simple and complex ways. It is insurance for insurance. The effect is that we bring capital from the insurance industry into cyber insurance specifically or bring capital from external sources like capital markets into cyber underwriting.

The hard part is the analysis. For any given company, we need to calculate the probability that it will suffer a cyberattack and what the cost will be. We then calculate how the portfolio of companies will perform in the face of this risk. To do this, we assess millions of companies for their economic position and their cyber defenses. We look at what attackers are doing and how that is changing, and we compare this against the history of this cat and mouse game. The results are effectively 12-month predictions, translated through a variety of insurance and reinsurance metrics used in the industry.

What technology do you use to analyze and evaluate risk?

Dean: We have a few different technologies and strategies we employ to analyze, assess, and evaluate cyber risk. Part of that is having an agile threat intelligence capability, where we are constantly gathering and tracking cyber threat actors, characteristics of the types of attacks, and characteristics of the threat targets. We use this information alongside a market-leading pool of cyber claims data to train multiple machine learning models which parameterize different aspects of cyber risk. The models are constantly evaluated and retrained against changes in the threat landscape and cyber claim data.

Where do you hope to see AI used more widely in the future?

Paul: At this point, it is so ubiquitous and is such a fast-moving part of its diffusion curve that it can be challenging to add value in terms of where to use it. For most of the work we do, we are not limited by the application of AI but by the ability to access data and the explainability of how we assess complex systems. On the latter, we find ourselves often saying that AI is just math, and the main benefit is the ability to process huge amounts of data very quickly and at a very low degree of risk. I think that AI is well understood but has a branding and communications problem broadly that we all can address by being more straightforward about what we can and what we cannot measure and how well.

Have you noticed any new threats emerge as a result of the recent global events?

Dean: To achieve optimal damage and infiltration, hacker groups have been targeting software and resources that the majority of organizations rely on through supply chain attacks. SolarWinds hacks, log4shell, and spring4sell are good examples of that. Another observation is that historically the financial industry has received the highest number of attacks in comparison to the rest of other industries. However, for most of the first quarter of 2022, we have observed the Government and defense industry receive the highest number of attacks. This shift is likely to be short-lived, but it does show the type of threat actors in the first quarter were not entirely financially motivated; rather, ideology and geopolitics were more important. This coincides with the cyberwar between Russia and Ukraine, which saw major threat groups split into two camps in support of Ukraine or Russia.

What measures should both organizations and average individuals take to protect themselves from these threats?

Dean: Epicentre of the majority of state-sponsored cyberattacks may well be in Ukraine for the most of the first quarter of the year. We are, however, more hugely interconnected than ever before through supply chains. Malware artifacts will attempt to infect any low-hanging fruits where possible. It has never been more critical to maintain high cyber hygiene standards, whether as an organization or an individual. Usernames and passwords alone are just not sufficient enough to provide the first line of defense on Internet-facing infrastructure. Adding Multi-factor authentication (MFA), for instance, will enhance the security of an average individual or business. Zero trust architecture, network micro-segmentation, incident response plan, and testing are invaluable for organizations.

Why do you think certain companies are unaware of the risks they are exposed to?

Dean: The last couple of years have seen a significant increase in the number of ransomware attacks. Close to 90% of those were delivered through social engineering involving phishing emails as a vector of attack. Threat actors very much operate as businesses, often targeting the organization’s most overlooked vulnerability, which is the end-users. In most cases to gain initial access, some form of user interaction to install the payload is required and often is by an end-user clicking armed links. Security education, secure processes, and security technologies can provide an organization with a solid foundation.

In your opinion, what types of organizations should be especially concerned with implementing cyber insurance?

Dean: That will vary from organization to organization depending on their cyber risk appetite, risk tolerance, and risk capacity. Some organizations will try and mitigate as much cyber risk as they possibly can through technology, implementing secure processes and people, but there is always a residual risk. One of the things we observe is with the constantly evolving threat landscape, even the most secure organizations find themselves susceptible and exposed to new risks over time. Cyber insurance is another option to reduce the severity of an adverse event by transferring some or all the risks to the insurer. So, for the most part, I would say any organization that can demonstrate some basic cyber hygiene, such as cyber essentials, for example, should consider having cyber insurance.

Share with us, what’s next for Envelop?

Paul: Cyber insurance and reinsurance are a good deal right now for all sides. It is profitable for those that do it intelligently, and companies are seeking more and more coverage to counter the very threats and have resources available to mitigate damage in the event of an incident. It is primed for growth. To achieve that, we will do more and more to show capital that cyber is a measurable ecosystem that can be predicted, like many other lines of insurance business, that delivers a good return and strong diversification. Downstream we will keep working with insurers to share our analytics, expand their operations, and help them deliver better value to their customers. We will keep protecting companies and capital, keep striving to be the best in the world, and grow to be the biggest player in this space at a high level of quality.