As always, thank you to Isabel Rittenberg and Matt Donofrio for their help. And another thanks to DALL-E for generating this art from the prompt "Andre the Giant punching a computer, Goya."
Last summer A16Z made an incredible claim. Or more precisely, one of their many incredible claims strayed into my realm of interest.
In a post announcing their investment in Stoik, an Andreessen partner wrote this:
“...traditional modeling does not work for underwriting cyber risk. Incumbent models can’t understand or nimbly respond to today’s rapidly evolving cyber risks.”
Now I realize these blog posts are written for punch and not necessarily to demonstrate rigor. But still I mean, c’mon. This is such a hubristic point to deliver with a straight face. Do you know how some of the newer insurance models performed vs. incumbents last year? Not very well!
And then to make this claim about cyber insurance specifically! Would you like to guess how those particular loss ratios are trending? Also quite poorly!
All that to say, A16Z’s post got me thinking about cyber insurance in general.
And then LastPass got hacked, and I spent Christmas moving to a new password manager. That got me thinking about cyber risk and cyber insurance very specifically.
—
For the most part when I think about cyber insurance I think about money, specifically VC money. In a chilly funding market, cyber insurance has stayed hot, with almost 20% of insurtech investment dollars flowing into cyber insurance since last June.1
And this makes some sense. Cyber insurance is the fastest growing sector in the P&C market, buoyed by very strong demand signals.2 And this growth and demand are powered by fundamentals that look solid at first glance: a massive TAM reinforced by modern business requirements, and a unique underwriting advantage enabled by technology.
But then you take a broader view. And you look at the general state of “online” and the turbulent capital markets. And maybe the hype makes no sense at all.
So let’s break down these mirage-y fundamentals, starting with investors' excitement about the massive size of the commercial3 cyber insurance market.
What would a replacement-level VC say about cyber insurance? Probably something like, “Cyber insurance is basically mandatory and the premiums are rapidly growing. With odds this good, we can’t lose! Also Stuart, fabricating a quote from an imaginary VC is not very rigorous.” Well tough luck fake-VC! It’s my blog and I'm not doing any hacky ChatGPT stuff.
You kinda understand the excitement when you hear it like that though, right? But do you hear anything else? The echoes of past hype maybe — the Buy Now, Pay Later craze perhaps?
I certainly hear it. Cyber insurance and BNPL enjoy similarly huge TAMs and clear product-market fit. Both have seen a surge in private investment and a flurry of talent and press.
And critically, neither can hold on to the capital they need to profitably offer their products at scale.
Take Klarna. As interest rates have increased, the cost of capital (i.e. the cost to provide the loans that powered a once-$60 billion business) has skyrocketed.
And this pain is being felt across the entire sector. Affirm’s borrowing costs jumped 4x during the same period, with its stock down as much as 90%.
These same warning signs are now flashing in the cyber insurance market. Carriers and brokers are struggling to access the capital they need. Erica Davis, co-head of cyber at Guy Carpenter, described this situation recently:
"As the demand continues to increase in the direct market and there is a continued lack of new entrants into the reinsurance market, the squeeze on reinsurance capacity for cyber insurers will continue to be exacerbated."
This lack of reinsurance capital is forcing cyber insurers to get creative the same way that BNPL providers once did. When Klarna couldn’t find enough warehouse capital, they sold bonds. And in January, in an effort to find capital, Beazley placed a $45 million cyber cat bond on the Bermuda Stock Exchange — the first of its kind — just a few days after the chief of Zurich Re called cyber risk “uninsurable.”
In both cases then we have risk categories (one created via loan, one via risk of loss) that “smart money” is finding increasingly unpalatable. This is forcing distributors to look for bigger markets, broader pools of capital, and in my opinion, less sophisticated investors. Historically this pattern is a bad signal for capital-intensive industries.
What about the second thing that has investors excited then — the opportunity for technology to intervene and prevent cyber loss? A thesis you can see clearly in CYGNVS’ massive Series A.
I am equally baffled by this side of the investment thesis. Products like CYGNVS have no moat and present a clear single-point-of-failure risk.
That is, if CYGNVS’ service doesn’t work when you need it, you will switch to an identical service, provided by a different company.
Just like LastPass! I loved LastPass! I was an evangelist to friends and family. And after the hack was announced in December, I ditched it immediately. Any loyalty I felt evaporated in a nanosecond — LastPass was a single point of failure for my digital life and even a wobble (and it looks like a lot more than a wobble) was enough for me to cut and run.
So my question to anyone investing in these companies is: what’s the plan when the software fails? Because it probably will! Because that’s what anything under too much stress does!
Look at CYGNVS or Boxx or Cowbell or [insert name of any other cyber insurtech here]. These are impressive services with expert teams and plenty of resources. Yet if they fail once, or even wobble, users will move on immediately. These are impossibly high stakes for a business — especially businesses with multi-year CAC payback periods.
(A note: I started writing this in February. And now I'm about to publish and SVB is experiencing something between a mini and an “oh shit”-sized bank run. I personally watched a few dozen founders switch banks in an afternoon — imagine how fast people will move on from something with a comparatively lower switching cost.)
—
So cyber insurance then, what do we have?
We have a rapidly growing sector that requires a continuous flow of capital that is itself getting harder to access. This capital will only get harder to find and more expensive as hacks and breaches continue, which they inevitably will. And any company offering services to protect against or mitigate these attacks will lose 50-100% of their customers instantly if their solution fails.
And where does that put cyber insurance over the next 5 years?
My guess is that the outcome here is a federal backstop. It’s not even a guess really — the rumors are starting. Something similar to Northridge or the 1927 Mississippi flood will happen and reinsurance capital will keep running away until it’s not available at all. The need for cyber coverage won’t disappear though — businesses will need to be covered — so the government will step in.4
For sure there will be a few more cycles for the cyber insurance sector. Some investors and founders may cash out successfully and some brave reinsurers may inject more capacity opportunistically, but ultimately I think the private cyber insurance market will end up being far smaller and more boring than venture capital investors and their backers are hoping.
—
1 This number is a best-guess. I divided the amount of capital raised by cyber insurers (found just by Googling) by the total amount raised by insurtechs during the same period. Look, I’m trying to make a point here — cut me some slack!
2 I should also note here that I think a number of investors have taken a measured approach to the sector. I thought Costanoa’s post here did a very good job framing the opportunity while holding the risks as substantial and real.
3 Most of this critique is focused on commercial cyber insurance. Personal cyber insurance is somewhat intriguing to me actually.
4 As I said, I started writing this post like three weeks ago and last week the White House’s National Cybersecurity Strategy was released. This includes this reference to a federal backstop: “The administration will assess the need for and possible structures of a federal insurance response to catastrophic cyber events that would support the existing cyber insurance market.” I gotta write faster.