DeNexus: Our predictions for 2023

By Jose Seara, founder and chief executive of DeNexus

The war in Ukraine could be considered the biggest development in industrial cyber this year. It was shocking to see state-sponsored actors being given the mandate to compromise critical infrastructure. However, despite that, there has been little evidence of industrial facilities being cyber-compromised. Several hypotheses exist about why, and we will know more and better over time.

During conversations with our clients and contacts in the market who are renewing their cyber insurance policies for 2023, some interesting dynamics appear. Insureds with strong risk controls have been able to renew their policies without paying higher rates despite initial expectations of facing a hardening market, and some of the larger insurers are reporting that they have additional capacity to deploy despite the general belief that there is a capacity gap, while some risk owners are experiencing that lack of capacity.

This is anecdotal information based on a few data points, but it implies that cyber insurance remains a new, immature class, and it also shows inefficiencies in the market. But why? Why are similar cyber risks experiencing different insurance dynamics? Why do risk owners choose to keep the risk rather than hedging it? In my opinion, it is due to not fully understanding the risk and lack of cyber risk data that eliminates the guesswork. Or, risk owners do not find the products they need to mitigate it, or they are not being asked the right questions (as one of our industrial customers shared with leading underwriters during the DeNexus Cyber Thought Leadership annual meeting in October).

As we move forward into 2023, answering this question will be crucial. It is increasingly clear, however, that second-generation cyber modelling is imperative to give risk owners and underwriters specific insight about their exposures. What do I mean by second-generation modelling? I am talking about tailored solutions for specific industry verticals that use real-time, inside-and-outside-sourced data that allow for dynamic cyber risk data to capture fast-changing cyber threats.

Would a Florida hurricane risk model fit the needs to model earthquake risk in Japan? The question sounds ridiculous, but it is not far from first-generation cyber risk modelling attempts. One-size-fits-all does not work for cyber risk, and that approach has not solved the problem and has not unlocked the market potential.

This is accomplished by going inside a client’s network to obtain evidence-based cyber data. This data will help both the risk owner and the underwriter of the risk, who needs comfort that the risk has been adequately mitigated. Collecting, moving, storing and processing this highly sensitive data is a challenge, but one that is a must for the market to develop. As far as we know, DeNexus is the only second-generation cyber risk modeller for industrial environments. Our DeRISK platform is a self-adaptive, cloud-based platform that uses evidence-based data to predict where and how cyber breaches are likely to happen, how they are likely to evolve over time, and their financial impact. Our DeNexus Trusted Ecosystem empowers organizations to efficiently share that data with all the stakeholders in the risk management and transfer chain in a safe, secured and compliant manner.

DeNexus is not alone. Although the leading OT industrial cyber risk modelling platform, there have been other entrants to the space, especially in IT corporate systems, including some (re)insurers who have invested heavily in developing their own cyber risk modelling solutions, rather than relying on third party vendors.

2023 may be a tipping point for cyber risk modelling. I think it will be. We look forward to seeing second-generation modelling efforts mature even further. They have caught the eye of the insurance-linked securities (ILS) market which is starting to see cyber risk as a valued asset class behind which to deploy capital.

Previous
Previous

UK and EU are tightening cyber security standards

Next
Next

Opinion: Cyberattacks continue to pose a significant risk to health services