Guidewire Software, Inc. (GWRE) Earnings Call Transcript & Summary
April 8, 2020
Earnings Call Speaker Segments
Michael Lin
Hello, and welcome to today's webinar on Enabling Cyber Underwriting in the Digital World. My name is Michael Lin, Product Marketing Manager with Guidewire Cyence. Before we get started on the presentation, I would like to take a moment to walk through the webinar console. During the presentation, the audience will be muted, and please submit any questions you have using the Q&A check function. Our speakers will leave time in the end to answer any questions you have. Next, I would like to introduce our speakers for today. We have Ian Bird, our Business Owner for Cyber Processes with Guidewire Cyence; and Ridhima Kale, Senior Product Manager for Cyber Risk Product Portfolio at Guidewire Cyence. Without further ado, I would like to pass on the presentation to Ridhima and Ian. Ridhima, the presentation is all yours.
Ridhima Kale
Thank you, Michael, and thank you all for joining today. Before we actually get into the presentation, I'd like to understand the audience a little bit more, so we'll start right off with a poll question. How do you today analyze the cyber risk of a company? You should be seeing a window pop up with the options. Do you use an in-house model? Do you use a third-party vendor? Do you use a combination of A&B? Or maybe you do not rely on a model and you rely on underwriting judgment based on the submissions you receive? Or you currently don't play in the cyber market and you're trying to expand? Please submit your answers. We'll give everyone a few seconds, and then we will look at the responses. [Voting]
Ridhima Kale
Right. Great. It sounds like most of our audience, they use an in-house model. Well, that's great. There's a lot of people that are aware of cyber risk and what the challenges are. So that's great. Ian, I'd like to ask you a question. If you were an underwriter in this ever-evolving digital world, what challenges do you foresee underwriting a risk?
Ian Bird
Thank you, Ridhima. I think there are 3 things that I can think of. So as an underwriter, you might have a standard submission form and perhaps that's aligned to something NIST framework or something that you built in-house. How are you able to analyze and validate the responses you get on that submission form? So if you think about something like third-party service providers, by that I mean, cloud service providers, content delivery networks, those kind of things. Does the submission response really cover all of those? Or does it just respond with those supposed critical models? What about things like patching cadence? How is that actually articulated? Is that just to gain those critical systems? Or are they looking across all of their public-facing and internal systems? When you consider companies that have many tens or even hundreds of subsidiaries, how do you actually get that context into a single submission form? And then when you start to think about behavioral risk, thinking about things like the insider threat, the likelihood of a rogue employee, how do we actually measure that? It's quite a lot to think about. And then if you actually take that a step further and say, well, okay, I have this information on that submission form, how do I take that and reach the inclusion about the probability of something like a data breach or a ransomware attack during the forthcoming policy period? Add to that, what the potential losses might be from underwriting that risk. And thinking about it further, as a provider of cyber insurance, how do you actually promote that insurance product? How do you articulate cyber risk aligned to your coverage on offer? Obviously, that's going to be key to the promotion of your proposition. Then you start to think about small and medium businesses. These typically have no IT staff to help navigate this particular risk or maybe they consider that as someone else's problem.
Ridhima, I'm going to hand it over to you to just set the agenda, and I'll get ready for the slide after that.
Ridhima Kale
Thanks, Ian. All the challenges that you mentioned today are valid and some that we get asked about quite a bit. So what we'll do today is walk through how Cyence is actually going to -- how Cyence can help you risk select and validate the data that you're receiving in your submission, how you can use Cyence to confidently price cyber risk and more importantly, how can you raise cybersecurity awareness and promote your cyber insurance product. But before we get into the details, Ian, would you like to talk us through who Cyence is, how we came about, and what use cases we serve?
Ian Bird
Sure. Thank you. So one of the advantages of the natural catastrophe modeling world is the breadth of authoritative data sources on which they rely. So there are many tens, if not hundreds of years of earthquake data, hurricane data that are available, meteorological data from the Met Office that you can actually start to build models around hurricane risk or earthquake or flood risk, et cetera. But Cyber is very different to that. And up until recently did not have such information available. And that's actually why we started Cyence back in 2014. So we wanted to create the first data listening engine for cyber. We wanted to build the first cyber risk modeling solution designed ground up to address the needs of the insurance industry, and only the insurance industry. We gather both technical and nontechnical data about companies and articulate that into a cyber risk model. And as we collect more and more data and the risk landscape evolves, we need to calibrate and refine those models to be relevant to this classification of risk. At a high level then, we use our data listening capability and cyber modeling expertise to provide this end-to-end economic cyber risk model for insurers and reinsurers. For underwriting, we support the ability to risk prospect, evaluating target companies based upon your risk appetite, for example. That could be revenue industry, also cut by something like a particular risk rating that you're looking at. We look at risk selection and risk assessment. We can use our risk factors that go across people, process and technology to help you with that submission analysis as we described in a couple of slides earlier. The assessment helps with pricing or placement strategies, which in turn, helps with your exposure management, where we can provide those in-app capabilities across portfolio analysis, aggregation analysis, scenario modeling with over 7,000 events all available at a couple of clicks of a button.
And then we have the ability to provide you with a full year loss table, that allows you to dive into those simulations, and if necessary, impose your own tail risk assumptions, for example. Ridhima, perhaps you could talk more about the data listening engine.
Ridhima Kale
Of course. As Ian mentioned, due to the lack of the authoritative data sources for cyber risk, Cyence started collecting their own data. This was the birth of the data listening engine. In our data listening engine, we categorize the types of data we collect into 3 big categories that we have up on the slide today. The first 1 is what we call business attributes. This is really Cyence's database of companies of over 1 million companies globally, and it includes information, including company revenue, employee count, what industries they operate in, what are their parent-child hierarchies in terms of subsidiaries? And most importantly, for cyber risk, what websites they have. The second category is what we call cyber attributes. There are hundreds of data points that Cyence collects in this category, and they span information including a company's e-mail security, company's patching cadence, outstanding vulnerabilities, et cetera. We'll talk about these more in detail later, but these are the attributes that will serve as the predictors in the models that we build. To give you a quick and simple example, we would use something like e-mail security to identify the likelihood that a company will face a ransomware attack. As most ransomware attacks have been caused by phishing attacks, this data point becomes extremely important. Last, but not the least, we have data on incidents on various different types of events, including data breaches, cloud outages, ransomware, software zero-day vulnerabilities, distributed denial-of-service attacks, et cetera. We use these data points to power the Cyence cyber risk model. The Cyence cyber risk model outputs, again, can be categorized into 3 big categories. The first one is risk rating, risk factors and model losses. So we'll talk about risk ratings first. Risk rating is a quantitative measure of the company's risk of having an incident over the next 12 months. It is a scale that ranges from 100 to 400.
A higher risk rating means that there is a higher likelihood of an incident. Second, risk factors, they are curated risk insights from -- that are derived from Cyence's data listening engine. Essentially, these insights can indicate a hacker's motivation to attack a company, along with the company's susceptibility to an attack. Motivation is the key factor in cyber risk, where you have an active adversary on the other side. Also within risk factors, what's important is that Cyence actually maps the company's digital network by identifying single points of failure. Also known as accumulation path or digital fault lines, these are things like cloud service providers or common softwares that companies might be using. And we'll talk about why that becomes important in the next few slides. Last, but not the least, Cyence translates the risk in form of potential losses that span different coverage parts that an insurer might be offering on their product, including first-party data breach, business interruption, liability, et cetera. We'll get into the detail of each. We'll start first with risk rating. As I mentioned, risk rating is on a numerical scale from 100 to 400 and is based on the predictive probability of a company having an incident over the next 12 months. Here we see a risk rating of 348, for example, means that there's approximately 11% chance that a company will have an incident in the following 12 months. This prediction is a result of a model that Cyence has built using the data that we have collected using our data listening engine and the corresponding incidents that we have collected. An important note about the risk rating is that Cyence updates the risk ratings every month. And the reason that's important is because cyber risk evolves rapidly, and updating the risk rating actually provides you the most up-to-date view of risk. 
The measure is also forward looking, which means every month, the risk rating is updated to provide the risk of the following 12 months. Given that we now understand what risk rating is, let's understand how it's helpful for an insurer. There are 2 main ways that risk rating can help. First, in risk selection, it can provide a way for you to identify risks you would like to write or you would like to further review. Say, for example, at renewal, you want to reduce the amount of time you're spending reviewing each account. Risk rating can help you identify those riskiest accounts where you should spend the most amount of time. Another example is you can use risk ratings in your pricing models. You can develop pricing factors based on how certain industry or revenue segments might be performing, and maybe those sectors that are performing the worst can get a pricing factor adjustment, for example. Before we go on to risk factors, let's pause and take another question for the audience. What are the biggest challenges in selling cyber insurance from your standpoint? Is it, a, lack of knowledge regarding the threat landscape or people responding, I don't need it; b, lack of understanding one's own risk or it won't happen to me; c, I don't really know what cyber insurance covers, so more around the knowledge of the insurance product itself; or d, all of the above. Please submit your answers. [Voting]
Ridhima Kale
Okay. Yes. Okay. As I expected, most of our audience, or I guess all of our audience members have responded with all of those are challenges. So what we'll do in the next few slides is actually walk through how Cyence can help you promote cyber awareness -- cybersecurity awareness and promote your product. Ian, would you like to walk us through how our audience members can do that using risk factors that Cyence has?
Ian Bird
Yes. Absolutely. So we've already seen this slide. I mean effectively, we listen to data about companies across the public Internet. We curate this into insights about how motivated an attacker might be to perform some sort of hack on the business. How susceptible then might a business be to such an attack and look for the digital fault lines that exist in common accumulation path. So we create this into a set of robust behavioral and technical risk factors from this data listening engine that provide you, the underwriter, with a view of what is happening in terms of cyber risk for a business. So you can see that we have some 47 risk factors around behavioral and technical insights, but we also have those accumulation pieces as well. So cyber is something that is individually focused as well as aggregative. So you could have a targeted attack on a single business, but you can also have something like a cloud service provider downtime, which means that a number of businesses in your portfolio are affected by that. And these are those digital fault lines. If you think about all of those risk factors that we push forward into our app, you can use those to actually provide a health check to promote cyber risk awareness with the end insured. Because we collect data on something like 1 million-plus companies, it is also easy for us to identify how a company is performing against their peers. This can provide a valuable peer benchmarking to the company that you're trying to insure and also to you as an underwriter. And when you're looking at those promotional activities as well, we could actually drill into particular risk factors that can mean something quite specific. So let's think about something like e-mail security. And maybe that's something you're concerned about. Leaving a company exposed to spoofed e-mails, that could actually result in a ransomware or other type of fraud or cyber attack.
So when we're talking about e-mail security and how well that is configured or otherwise, we're actually checking this using something like the DMARC or the SPF standards to figure out how well configured those systems are. And this can provide you with critical insight into how well that business is managing their e-mail service, for example, and therefore, how well protected they might be. There's no such thing perhaps as a 100% protection. But by something like those risk attributes like ransomware that I discussed earlier. You could use that in a health check report to describe how you might talk to your e-mail service provider if you're a small and medium business about setting up DMARC or SPF, or as an underwriter help direct your questioning when looking through that submission as to how well that e-mail security is set up. Then we can look at things like patching cadence. So out of date software in any associated network with the business allows vulnerabilities to be exploited by bad actors. So once again, we have a risk factor that describes patching cadence. And it allows you to see, from an outside-in perspective, what their behavior is in terms of how well they're keeping that software up to date. This is really useful in terms of evaluating those responses on the submission as we discussed earlier. But again, you can use this as a promotion capability, either directed or across a peer group to describe what that risk landscape looks like and why it's important to have patching, especially on publicly facing assets up to date. And then for small and medium enterprises, we've actually developed this a stage further, where we can have an on-demand data listening capability to assess one of these small and medium business' cyber risk. 
This can be API-driven and integrated into our online portal for an assessment that returns inside of 2 minutes, a set of risk factors, a risk rating and a peer comparison, allowing you to digitally underwrite those risks with Cyence insight and indeed to provide those capabilities such as health checks and others that we've just described inside of those last few slides. So Ridhima, how do we model Cyence's losses and how can underwriters use these in their processes?
Ridhima Kale
Sure. So as I mentioned before, Cyence models events that happen for different reasons, right? Data breaches, cloud providers, ransomware, et cetera. And then we map those events to different types of coverage parts that the insurers may be providing. So from a bird's eye perspective, there are a few different events that Cyence models. And they're categorized into individual events and accumulation events. Individual events are those where a single company is impacted given an attack, for example, Target having a data breach or Marriott having a data breach. Accumulation events are those where multiple companies might be impacted given an event. For example, if Amazon AWS were to go down, how many companies would potentially suffer from business interruption? So there are 6 big categories of events as we see up on the slide, including data breaches, DDoS, service provider outages, software zero-day vulnerabilities, payment processor outages and ransomware. Cyence has a probabilistic model that would go through event type and essentially calculate the estimated loss for each and then map it to the coverage parts that may be triggered. In addition to Cyence's estimate for average annual loss, we also estimate losses for different return periods. And what I mean by that is you would be able to make projections like there is a, let's say, 2% chance that a company or a portfolio of companies will have a loss greater than X dollars. In addition to providing ground up losses, Cyence can also help underwriters apply insurance policy structures, including retention, limits, waiting periods, attachment points to get a view of insured losses and also to identify where on the insurance tower would be the most optimal place for an underwriter to play and the corresponding price associated with that.
And of course, there's a lot of detail associated with each of the models that we build, and we invite the folks on the call to contact us as if they would like to get further details. Those were the prepared remarks that we had for today. We'd like to open it up for Q&A. Michael? Okay. Let's move on to the next slide there. Michael might be having some difficulties. So we actually have a few questions, few frequently asked questions that we have received from our clients that we would like to discuss today. The first one that we received and, Ian, I'd like to direct that to you, is how does Cyence collect its data?
Ian Bird
Thanks, Ridhima. Yes, this is definitely one of the most common questions that we get asked. So look, I'm going to read this slide out effectively. But we have a set of proprietary collection, open source data sources and third-party providers that we go to, to collect this data. It's quite frankly, astonishing how, in many ways, easier it is to collect this data in terms of being able to connect to these systems and find out what they are. It's far more complex to actually pull that together and make a model, of course. But that's why we built Cyence. We recognize that this capability was that, right? But we do this from a nonintrusive perspective. So if you think about it, we're doing more than -- no more than shaking hands with the system. Any company's Internet-facing systems that are outside their firewall, we are doing that. And our methods effectively mimic the reconnaissance that the hacking group would conduct when investigating targets. So if any of you on the line are familiar with a certified ethical hacker route and you look at that reconnaissance phase, where you're going out there and looking at that particular target, where you're looking at the company structure, perhaps the websites, the sub-domains that it owns, societal footprints, those kind of pieces, that's what we're doing. And we're doing that entirely from an outside-in perspective and entirely inside of the law. And then another one we get asked quite a lot is how Cyence is used by its customers. So I think this presentation has been scattered with -- in a roundabout way we've discussed this.
But one of the key things is taking those risk ratings, the risk factors, things like the peer comparisons and take that as a combination, pulling that into an underwriting guideline or pricing model to determine the pieces that Ridhima was talking about, whether you might write or decline a piece of business, or whether you actually would refer that to your teams to -- from the enterprise risk management to determine whether you should actually move forward with that risk or not. Things like portfolio loss benchmarking. So let's have a look at what revenue and industry segments are underperforming or perhaps those that are overperforming and maybe that's something that could actually set our appetite to look at new prospecting routes. So this ultimately builds into defining tiering strategies. So what are those high-risk accounts that are coming up for renewal? What are the ones that actually could potentially burn our books, and that could be just because of overreliance on one particular service provider or it could be something like underperformance in terms of their patching cadence in terms -- in relation to their peer group. And Ridhima, I think there's 1 question that we often get about how we validate this model, maybe you should take this.
Ridhima Kale
Yes, of course. This is a question again that we get asked quite often. So 1 way Cyence validates their model is by identifying whether the risk rating, which is one of the model outputs, is successful in segmenting risks. So what you see on this slide is the distribution of companies based on the Cyence risk rating, which you see on the X axis. And this distribution is broken down by companies that have had incidents and that have not had incidents. The companies that have not had incidents are in blue, and the companies that have had incidents are in orange. And what we see in the slide is that risk rating is actually successful in segmenting those companies appropriately, companies that have higher risk ratings are more likely to have incidents. And so this is just one way that we validate some of the risk ratings, some of the outputs of the model and how they perform. What we'll do now is we'll go -- open it up for live Q&A. And Michael, if you're back on, and you can moderate the questions.
Michael Lin
Yes. We are now open for Q&A from the audience. The first question that we have here is about -- around silent cyber. So silent cyber has been a term that comes up in recent years. Can you talk about -- can you talk a little bit about silent cyber? And how does Cyence help with assessing the risk?
Ridhima Kale
Yes. I can take that question. Silent cyber, the way Cyence has been approaching the problem of silent cyber is by a simulation -- sorry, scenario-based approach. So what we have done is we have identified the specific scenarios that are most impactful to specific lines of businesses, say, property lines of business. And we've developed scenarios that can be run in an Excel worksheet. So essentially what we're -- the input data that we're looking for would be around your exposure, so how many property policies you might have. We do ask that people have an understanding of their property form, say, in terms of does it explicitly exclude cyber as apparel or it's vague and the language may not stand out. So those are the kinds of inputs that we look for, but we have developed a few scenarios. One of them being a power routed scenario, which is an extension of the Lloyd's business blackout. But we have developed our own assumptions and modified that scenario. And the second one is a ransomware scenario. So what if a mass ransomware attack were to happen and people were to claim -- or companies were to claim business interruption on their property policies. So those are the 2 main scenarios that we've developed, and we're working on our third one, which would be a -- or we're planning to work on a third one, which is a power outage for potentially another part of the world other than the United States.
Michael Lin
Great. Okay. So question number 2 is that cyber landscape is always changing as well as the criminal behaviors. So how does the application effectively reflect that evolving change in the market?
Ian Bird
Yes. I think that we covered a lot of that in those earlier slides, although, of course, we were giving a very high-level view. But one of the core principles when we founded Cyence was that we wanted to have a set of cyber expertise inside of the business as well as modeling expertise and data scientists. And one of the core pieces that we do is we keep a very close eye on how that cyber landscape is evolving. So we are currently on our fourth iteration of the model. So if you think from our inception in 2014, we are now on that fourth version of that. And a lot of that is to do with exactly what you've just said, that evolving landscape that we see there. So in 2014, the big news was data breach. So that's where we focused our efforts. But in recent years, ransomware is becoming more and more to the [ four ]. So there is still plenty of data breach activity going on there. The frequency might have decreased, but the severity in many cases has increased. In terms of ransomware, we've definitely seen the frequency increase. And so we have that combination and modeling expertise, the data we gather and the cyber expertise coming together to actually refine and recalibrate those models to make sure that it's purposeful when underwriters are coming to write that next phase of business. Ridhima, is there anything you wanted to add to that?
Ridhima Kale
Yes. Just one more thing to add to that would be going back to the point about Cyence updating their risk ratings monthly. So even though we're on our fourth iteration of our model, we do update the risk ratings and the model losses monthly. So we've taken data -- updated data every month for over 1 million companies globally, and we're rerunning the model. So the purpose again of that is to provide the most updated view of risk.
Michael Lin
Awesome. Thank you Ridhima and Ian. So next question is, have you seen any usage outside insurance, such as in financial and other industries?
Ian Bird
Yes. Absolutely. So certainly, credit risk is another area that we can apply this cyber profiling to, right? So if you look at the work we do with S&P, for example, and the 360 report that we do there, that is effectively taking this data we have there and helping inform that as to how likely the business is going to be -- or how likely a business is going to suffer an event, but what the impact of that event is going to be on the business as well. And then we can also look at things like credit risk for banking. So we can look at -- when you think about a business that's looking for a $50 million loan, for example. So yes, there are going to be a whole series of questions that are going to be asked about that business. But working with some of the larger institutions in the banking world, we've actually become a key part of that questioning set in terms of being able, a, to provide some insights for credit analysts to look at the cyber risk of that business that they're going to underwrite; but secondly, to provide the end loanee the information about what their cyber hygiene looks like from the outside-in. And it's not something that's necessarily yet being used to price out loans or to do anything to inform losses given default or something similar to that. But we'd like to see that as we build that capability out in the financial services world, banking with S&P, et cetera, then that's something we're definitely going to focus on more.
Michael Lin
Okay. So last question is about the poll -- the first poll question that we had. So based on the poll results, we see that many insurers in the space develop their own in-house models for cyber risk or assessing cyber risk. So the question is around is the Cyence application customizable to integrate -- to curate all the risk factors with the in-house model?
Ridhima Kale
So Cyence is customizable from the standpoint that we provide our -- your loss tables, which is basically our Monte Carlo simulations, our entire Cyence output, which our customers have found extremely useful and valuable and actually building into their own model. So they take insights from the Cyence's model and credibility weighted against their own experience to build their own pricing models internally. That's one of the best ways users have taken Cyence and put in and included it into their own risk insights.
Michael Lin
Okay. I believe that's all the questions that we have. And -- okay. So that's all the questions that we have from the audience. And if any of you would like to learn more about the product, we have a bunch of resources, a bunch of assets for you to acquire more information. And we'll send out all these assets in a follow-up e-mail. A couple that I would like to recommend is hearing from the customers to talk about how they use Cyence application. Customers such as AXA XL and Marsh would be a great reference point. And if you like to learn more about Cyence and really witness the functionalities and capabilities in real time, feel free to request Cyence risk analytics product demo by contacting Charles Clarke. He is our VP in Analytics and Data Services with Guidewire Cyence. And this concludes our presentations for today. I would like to thank everybody who participated. And thank you, Ridhima and Ian, for the outstanding job on the webinar.
Ian Bird
Thank you.
Ridhima Kale
Thank you. Thanks, everyone.
Ian Bird
Thank you very much.