.png)
In this episode of Making Risk Flow, host Juan de Castro welcomes Jonathan Spry, CEO and co-founder of Envelop Risk, for an insightful discussion on how AI and advanced analytics are transforming cyber insurance. They explore Envelop Risk’s “data flywheel” strategy, emphasising the power of data-driven decision-making in risk assessment. Jonathan shares how AI-driven underwriting has evolved over the past eight years, shifting from industry scepticism to widespread adoption.
They also discuss "augmented underwriting," where AI enhances—rather than replaces—human expertise, especially in speciality insurance. The conversation extends to emerging risks, such as quantum computing’s impact on cybersecurity and how AI reshapes risk management across industries.
Listen to the full episode: here
Juan de Castro: Hello, my name is Juan de Castro and you're listening to Making Risk Flow. Every episode, I sit down with my industry-leading guests to demystify digital risk flows, share practical knowledge, and help you use them to unlock scalability in commercial insurance. Welcome to another episode of Making Risk Flow. Today we've got a very special episode focusing very much on Cyber and AI. And it's a pleasure to be joined by Jonathan Spry, who's the co-founder and CEO at Envelop Risk. First of all, Jonathan, thank you so much for joining me today.
Jonathan Spry: It's a pleasure. It's great to be here Juan.
Juan de Castro: Fantastic. So let's start with an overview of your background, Envelop Risk, and then we'll deep dive, I'm sure, into what you do in terms of AI and Cyber.
Jonathan Spry: Yes, of course. So I think Envelop Risk is now just over eight years old as a company. It's full of a few introductions that I was lucky enough to have probably 10 years ago. There was a real element of serendipity in being introduced to a group of AI practitioners and risk experts from the U.S., they'd mostly been working together in the aerospace and space industries and were involved in early stage quantum computing and writing quantum software, but had some real discipline in AI and a desire to real-world problems and product of a few meetings was that we committed to each other to quit everything else we were doing and build a new company to tackle the opportunity around cyber insurance and we did that by building Envelop Risk. Prior to that I had a securities route around investment banking and the reinsurance and Insurance industries. I think it was about 10 years ago a little more than that that I left my last sort of proper job if you like in investment banking. And decided to go the route of entrepreneur. And whether that was a brave or stupid decision, I'm just so pleased with where we've got to now. I'm really, really enjoying my life. And that's why I'm a big fan.
Juan de Castro: And what did you see? You said that there's a component of serendipity. Why Cyber? Like, what did you see in Cyber that you thought this is the right line of business to do things differently?
Jonathan Spry: Yeah, I mean, I thought that Cyber anyway would become a perfect use case. The data-driven approach is to wonder, I'd say, in capital management. But actually, looking back 10 years ago, Cyber was still in a relatively nascent state of development. And it occurred to me that what was missing wasn't just distribution solutions and an ability to sell the products, but actually the cyber insurance industry was lacking on the infrastructure. And by the infrastructure, I really mean capital in the form of reinsurance and analytics. So advanced analytics and the idea have been developed to combining those things together. So we would go up and gather capital and then allocate that using the reinsurance technique, which is, of course, very well recognized and very familiar capital management technique for insurers, but also to embed analytics. Particularly portfolio-level analytics within the industry, and overcome some of the myths, I think, that were surrounding Cyber, which is that there was insufficient data, and actually it was kind of obvious to the team early on that there was actually a huge amount of data around Cyber, and actually data that we could use to make a real difference. So Cyber became a particularly obvious choice as a place to start. But the fact that it was exciting and complex and emerging risk really caught our imagination. But equally, the fact that it's a sentient, if you like, or adaptive type of risk means that to really grasp the trends and understand the challenges that the risk presents to Insurance, you really needed to use more advanced techniques and particularly extract the full value of your scene learning and AI. So to that degree, I think Cyber has always, I think, fitted like a glove to develop risk, and really has become our obvious use case and a really important shock window really into everything we do on the AI side.
Juan de Castro: And when you think about using more data and better analytics to underwrite Cyber, does it mean capturing more data about Cyber risks, or is it more about just capturing similar data than the rest of the market, but really applying a layer of insight and analytics on top of that?
Jonathan Spry: So it is definitely both, and for AI to really work, the conditions it needs to hold are access to superior computing power, access to data, and then sophistication in what you do with that data. And that really means better algorithms and better data scientists. We have all of that now. Not just to gather risk, but our industry has an opportunity, the conditions that are required to make best use of AI. Clearly, quantity and quality of data are really, really important. And I think the ability to source data, whether it's through private means or public data, and the ability to source data directly from your transactions, from your business. And developers are well known for having a no-dents-and-no-deal philosophy. That is something that we adhere to, critically. And the benefit of that is that having now on the RTI side of reinsurance going back to 2018, we have a particularly rich data set, and that provides additional insights. More data means more business. More business means more data. So you absolutely need a strategy for acquiring data, and then you need to be sophisticated in what you do with that.
Juan de Castro: Yeah, but it sounds like it's a mix of whenever you're looking, at specific risk, you try to capture data externally available, right? And then it sounds like at the same time, you are leveraging the insights from your existing portfolio to analyze any risk. Is that how you think about it?
Jonathan Spry: Yeah, absolutely. So you could view that as a sort of positive line wheel of data, enriching your insights. Insight then creates the appetite for more business. We can then attach more capital, and if you like, diffuse that into the industry, all of which then assists with product development, debt and breadth of coverage for Insurance, cyber insurance, which instead, of course, produces more business and more data. So I think at the heart of Envelop Risk is this flywheel, which just grows and grows and continues to propel the growth of the underlying side of insurance, which ultimately is what we're really interested in. We choose to use reinsurance because we feel that's the best way to manage the capital and to bring new sources of capital into cyber insurance. But it's the growth in the underlying side, the fraud that most interests us and really is propelling the growth of our company.
Juan de Castro: And when you're thinking about growth and how you use this, that should be your insight, especially as you compare to your competitors, are you thinking you are better at identifying profitable risks that others might not be able to identify in the absence of those analytics, are you thinking you can more accurately price this? How do you actually compare to others?
Jonathan Spry: Yes, I think in terms of what we do differently, the competitive edge if you like, I would say that risk selection is extremely important. But actually, perhaps the most important thing is portfolio optimization and understanding risk at a portfolio level, which is something that we have to do with reinsurance, but actually is something that the reinsurance business allows us to do because we take on risk at a portfolio level. And really what's dragging the performance of our book of business, if you like, the return on capital through our various capital providers, it is much about the aggregation of risk, tail risk, which is what we really obsess about here. But really an understanding of the correlations is the risks inside the portfolios. And more than anything, it's trying to understand using inference, statistical inference. What's our test means various forms of machine learning and AI, but really what we're trying to do is perform causal inference. So we're trying to understand what is driving the performance of the portfolio over time.
Juan de Castro: And is there also a component of capital efficiency by avoiding aggregation?
Jonathan Spry: Well, actually, what we are trying to do is deliver the right mix of risk and return to the capital provider. And the tolerance, the preferences for risk may be different for different capital providers. And like many reinsurers and insurers, our metrics, which should be familiar to most of the audience here, would include things like TVAR. And actually, when we look at new transactions, we're not just looking at the price and the risk selection. We're looking at the marginal TVAR. So just the reward attended to a particular transaction, just the private additional TVAR. And that is actually not just a question of pricing, but both. It's actually driven by whether the marginal benefit of that transaction adds to the portfolio. And the same question may result in different answers in terms of yes/no decision making, depending on the attitude the capital provide.
Juan de Castro: So it's really looking at the marginal impact of writing a new risk in your overall portfolio. Okay, and so going back to the analytics, AI, obviously, since you started, technologies have evolved tremendously in those eight years. So we'd love to hear your thoughts on how did you think about analytics and potential use of AI, 8 years ago versus now?
Jonathan Spry: Yeah, it's interesting because I think sort of 8 or 10 years ago, AI was beginning to get more recognition in terms of its potential power. And some of the cynicism of using AI was beginning to erode, albeit it was not long before that, that there was really eye-rolling kind of observations being made about anybody that was talking around AI. And AI had had so many sort of old storms throughout the 1890s and into the millennium. And I suddenly go back and think about, my deal with AI was very much linked to virtual reality, kind of gaming and so on. And I wasn't quite ever convinced that this was going to have a material impact on our world, and particularly the world of risk management. But in the background, we had industries, and I guess defense aerospace is a good example of that, which had been embedding the disciplines around machine learning for a long, long time. But I think machine learning is sometimes referred to as good old bashing AI. It's been with us for quite a while. It's very well proven. There are new techniques and a big shift in how machine learning works. And the availability of computers and the sophistication around data science has increased so much that the results of machine learning are far more impressive than perhaps they would have been in the past. And of course, we have the new techniques of machine learning, things like reinforcement learning, and even sort of unsupervised machine learning, which really are, you know, breaking the arts of the possible around AI. You know, things have changed a lot just in the history, sort of eight, nine years of Envelop Risk. And the origin of generative AI, a lot of language models, has obviously shifted hugely people's belief in the use of AI. But also, I think this changes the paradigm in terms of what people think is possible. And for the first time within the last couple of years, we are beginning to use generative AI techniques, and we've found incredibly useful in things like exposure matching. So just reviewing our portfolio and name matching, which may not be the most fascinating topic, but it's incredibly important in reinsurance to actually understand that what you're modelling exactly mirrors the real exposure that you have. And we're really finding some true power in those NLM approaches, sorry, NLM approaches in terms of, our ability to overcome that sort of patchy data and problems that are inherent in modelling if your data is not quite accurate.
Juan de Castro: So perhaps to bring all of this to life for the audience, can you give us a high level overview of what the end-to-end underwriting workflow look like at Envelop Risk? So from the moment you receive any risk to the moment a decision has been made?
Jonathan Spry: Yes. So in most respects, we are mirroring exactly the way reinsurance typically transact. So most of our business's data is broker driven. We work with the largest reinsurance brokers and those that have developed a bit of a niche offering or punch above their weight within Cyber. The information we receive is pretty typical in terms of reinsurance information submission. The broker or the client wants to transact digitally or to a degree digitally. We're very keen on that idea. But ultimately, we will accept it in whatever format it arrives. What we have is a model which will map to most of the exposure that we see within the submission. So our model has many millions of companies within it already. It's not hard for us to add new ones. Getting a little bit more data about a company is important. But ultimately, the URL and naming conventions around the company, that really helps us. We then perform initial modeling. We model the risk economically.
Juan de Castro: But when you say you do model, is this an automated process or is there...
Jonathan Spry: It's not fully automated. We are certainly in the supervised use of machine learning. And we will perform runs of quite a large and complex model of economic Cyber risk. We effectively view Cyber as a global economy with threat actors, with dependencies. We simulate some of that adversary versus defence response. It is driven hugely by desire. In causal inference, so we're really looking for not just the answer to hypothesis testing as to what may be a correlation, but actually we're allowing machine learning to pull many contexts, bearings of simulations, and look at hidden trends as to really what's causing risk. The economic results are then produced, and then we map all the Insurance and reinsurance terms. So clearly the insured loss, indeed the reinsurance loss, is not the same as the underlying economic loss. The way we model Insurance terms and reinsurance terms is an important part of what we do. We think of ourselves as structurers, if you like, financial engineers. We want to have a good view of economic risk, but also the ultimate, or very high level risk, like the OET, the ADP, all of those are metrics with which the reinsurance industry will be familiar. We're mapping all of that to our capital providers.
Juan de Castro: And also one of the points you made as we're going through the processes, you've got a database or information about thousands or whatever, a large number of companies. So is your approach to try to have that information almost pre-analyzed before you receive new risks? Or do you do that real time when you're trying to analyze a single risk, you pull all that information together?
Jonathan Spry: Yes, and we're typically looking at a portfolio level. So much of what needs to be modelled for a new reinsurance portfolio will already be in our model. There may be some gaps we may need to. Ingest further information, but the computing power we have available means that we can run the entire model in a relatively short period of time. And actually, that's something that's improved hugely throughout the journey of Big Data. A couple of days, I think, to begin with, has now been reduced to a matter of minutes, half an hour, something like that.
Juan de Castro: It is fascinating, this approach to Cyber, but at the end, this concept of looking at the portfolio, the impact or the marginal impact of a new risk or a new portfolio into your book, etc. Is something that surely can be applied beyond Cyber. I guess two questions. One is, why have you chosen to stay within Cyber are you thinking about expanding to other lines of business but also what are your thoughts on whether the same approach could be used in other lines of business yes
Jonathan Spry: I think in terms of our stickiness to the subject matter we love which is Cyber I think Cyber has grown and continues to outgrow other classes I think in Lloyds it's still the fastest growing business at the moment so that there is a lot to do with Cyber and there remain big protection gaps in the world of Cyber. Equally, the world is not going to stop digitalising in the same way that software has been said to eat the world. I think Cyber is eating the insurance industry, and a company like Envelop, we don't necessarily think of ourselves, as a disrupting force, at anything we're trying to build on the mental infrastructure to support the growth of an underlying industry. The reason I say whether or not we view ourselves, as disruptive is that, I see Cyber itself, as on a very disruptive journey, insurance industry. And actually if you stick close to Cyber, what you begin to see is that Cyber and that the risks that go with Cyber, will begin to prevail in terms of the thinking that's required to understand other lines or the classes of business. For example autonomous vehicles, will have a very large fiber, and software risk equivalent, to them. We're beginning to see Cyber increasingly creep into marine and aviation, and space for obvious reasons. And even, even property failures, where we have Cybers and underlying cause and a huge amount of focus around supply chain risks business interruption. Which for me is, close to being the holy grail, for Insurance. I think, alongside understanding climate risk, I think, supply chain risk is probably the dominant force, we need to understand, as an industry particularly, where you start combining AI as an analytics technique, but also understand that AI is going to have an incredibly significant impact on the liability landscape. And it's actually likely to cause us to reinvent what we think of as the insurance industry and risk management.
Juan de Castro: Yeah, that makes sense. So that does already mean, I mean, it sounds like you're going to stay focused on Cyber the fastest growing line of business. I think it's almost only started. But do you see the same approach you're taking to Cyber being used by others in other lines of business too?
Jonathan Spry: Yeah, I do. So as Cyber becomes a dominant force in a form of liability, or general liability, in the form of casualty, reinsurance or Insurance, we will follow it and move into those areas because we understand it. In terms of whether you could use the same techniques, AI-driven machine learning, data-driven underwriting, how I'd wish to turn it, other classes of business, absolutely, we believe you can. And actually some of the data, thermographic data, geopolitical data, economic data, is so similar to other liability classes that we believe, that, that becomes the obvious thing to do. And something that in data, we most certainly will do in the future.
Juan de Castro: And you touched on earlier that your approach, at least right now, is very much supervised machine learning. So almost like call it augmented underwriting. So your technology is providing all the insights, but they're still an underwriter and ultimately making a decision like so. How do you see that evolving in the next few years?
Jonathan Spry: We're big fans of this term, augmented underwriting. And I suppose we would be equally respond to the idea of augmented capital management versus risk management. All that really means is we've got a human in the loop. So there's a human machine in space. There may be parts of the insurance industry which are now so rapidly digitalising that they can take the next logical step and become automated and begin cutting the human out of the loop. I suspect that those are more personalised classes of business and obvious reasons for that. Within the specialty insurance and reinsurance world, I think there is a human in the loop. So it's a human that's developing in terms of skill set, maybe fewer often, certainly as the underwriting role. But I know that the view that we're planning to remove the human underwriting from anything we do within the foreseeable future. And I think we benefit hugely from having human judgment, expertise, and the ability for humans to continue to create relationships and manage relationships, understand some of the market dynamics. If you like, game theory. In competitive landscapes, I still find human judgment to be more telling, more rich in its predictive ability than relying purely on the machine.
Juan de Castro: Yeah, that is true. I share that point of view and that applies to, I would say, P&C and specialty lines. Having said that, typically what we see is almost regardless of the complexity or the line of business, there's always a subset of risks that are more, call it simpler, more straightforward, more homogeneous. So we are seeing some insurers and reinsurers thinking about, okay, I'm not going, I mean, I still want this augmented underwriter approach for most of the risk I see, but I'm starting to identify the bottom 20%, which are more straightforward that I can... Start thinking about how do I completely straight through process those. What are your thoughts on that?
Jonathan Spry: I would agree that we're in a process now on the underwriting side and on the distribution and the claim side of the insurance industry of digitalising and automating where it makes sense to. And certain tasks now, quite legitimately, I think, will be replaced by AI and do not need to be released eventually. I'm not sure that we are on a linear path to complete automation. And part of the reason for that is that actually I see AI as having just as great an impact and probably more of an impact on the liability side. So I think the subject matter of Insurance, the risks that we trade are changing more quickly as a result of AI than perhaps even the analytic tools that we're using and the underlying tools that we're using, the benefit of the money. So clearly the future of Insurance as AI, as part of the shield and sword that we use, but equally AI is actually going to be an increasingly big topic. In terms of what it is we're trying to ensure and the nature of liability particularly. And there is a huge amount of discussion, as we all know, around generalized Artificial Intelligence or Artificial, General Intelligence and the path towards AGI. I suspect that speculating on when or why and how that may happen is beyond the scope of this podcast. And I will avoid doing so because I'd hardly have. No more or less clear on that as anyone else. But what we are seeing is very, very important milestones, if you like, intermediate steps towards HNI as being quite short-term horizon. And already we see some generalized learning within neural networks. We see advances in the large language models that perhaps even those architects of those models just a year or two ago would not have expected. So we're beyond the point, I think, where we can realistically sit in denial that there is going to be some level of generalized learning and something that I think Mr. Suleyman recently termed in his book, Artificial Capable Intelligence. So where the models are not just performing particular tasks, but are actually taking on complex and multi-step activities on their own without direction. And that's going to be a phenomenon which I think is relatively short-term. Has implications for what we do as underwriters and analysts, but also is going to start shifting along with other impacts and the ramifications of AI start shifting one of these we're trying to be sure and re-initial.
Juan de Castro: You are probably a great example of using some of the more advanced thinking, latest technology, and Envelop Risk. And what's your process by which you start thinking, okay, I'm going to start using this new... All the technologies that you just described in your day-to-day operations. So how fast are you able to start leveraging that?
Jonathan Spry: We don't view our model as static at all. The team that supports the model by the way, something we are calling Envelop Labs, in the UK, in the U.S., and elsewhere as well, but the home is right here in the UK. And the team keeps growing. The disciplines of that team want to use growth and the expertise that we brought in has grown. So what started as a probably conventional supervised machine learning approach to looking for trend and, if you like, painting a picture of the future and putting our competencies all around risks and looking for some accuracy in terms of confidence without finding precision and trying to exactly predict the future. That is still the philosophy we've adopted. But like I say, we introduce new techniques, whether it be something like reinforcement learning, whether it's the use of generative AI. We have an active and certainly dynamic management around the evolution of our technology. And we're fortunate that although we're probably cast being a startup, we're more of a space of staying up currently now, we can move very, very quickly. We're sort of ads are on lean in our thinking. We would not move the significant parameters of modelling without a process of road testing and without consent from our providers, because ultimately this is a model that we are using as custodians of their balance sheets, of their capital. So we involve our strategy partners in the dialogue around modeling. But in terms of the R&D in the Envelop labs, we can move very, very quickly and ensure that we're on the cutting edge of the user they are.
Juan de Castro: And as you're thinking about where to apply the new technical advancements, quite often, at least, what I see is, if you think about LLMs or GenAI or new types of machine learning, quite often, I think the adoption curve I see is... Typically teams start using it for, okay, just almost like stage one is help. My life to make it easier. So just help me with the routine activities because that is to be like a low risk area then. Once you've done that, you start thinking, okay, now help me interact with others and help me make decisions. So do you see like a similar? Horizons of Adoption,
Jonathan Spry: I do. And I think that paradox mirrors the developments in AI more generally. So we see the task level AI already being replaced by something a little bit more capable. It is certainly not fully automated and it's certainly not unsupervised and generalized. But it is more than just tasks specifically. There is reinforced learning. There is the ability to, we already have AI, which is coxed to the point where it can improve itself, which is a really important milestone on the horizon. It brings with it risk as well, of course, but if we have that ability, that is exactly the ability we should be using in capital management, risk management, and in underwriting. There's still a huge amount more we can do with those techniques. And embedding more of a generative AI in the distribution landscape, we can still focus on the way we transact. And there's more to do in terms of digitalising that, bouncing within a marketplace which itself is digital. And equally, we can use the modeling and new techniques to assist with product development. One thing we're trying to do is to help insurers fill the protection gaps. And to do that, we need to understand the demand, even the kind of inchoate demand, the demand that we don't yet know is there, but is beneath the surface for additional risk protection. AI can really help U.S. Understand that. We can understand the idea. What really is moving the needle for a company, whether it's an SME or a major corporate, in terms of the risks that they should be transferring and actually influence the better decisions to sell, to insure, or to seek to buy Insurance? If so, to ensure that there is a market fit for the products that's being supplied, if you like. And reassurance to have it all about because of the analytics in the package.
Juan de Castro: So we focused a lot on the AI space and all the advancements in the last 10 years, but more specifically a couple of years. I'm always interested about, you mentioned that your background or early on you were focused on also around quantum computing. Which is probably an area where we've been talking about for a while, but probably has not reached that, I don't know, like key milestone from being something which is very promising to having real world in kind of use cases. Is that fair or no?
Jonathan Spry: I think that's there. I should stress that I'm a long way away from being a quantum computing expert, but I have been incredibly fortunate to be surrounded by and have... Great access to a number of those that are interested in that space. What I've noticed is two things. One is that the lure of AI and the growth in computes, the training and preference, and the real-world results that we're getting from AI is dominating people's thinking. And if anything, focus on the quantum is maybe reduced a little bit. The second would be the quantum is always a few years away and never quite gets to the point of commercial reality, albeit there have been some important developments and movements. I'm absolutely convinced that quantum computing will play a role in the future analytics of risk and the insurance industry. I'm not going to give you a prediction as to when and avoid that obvious fitful, but it is some years away. Clearly, we need in Cyber to think quite carefully about new cases for quantum, particularly around encryption, and whether or not quantum could lead to a catastrophe or even sort of existential level of risk around breaking encryption and sort of the whole role of cryptography and in protecting data and transactions. I would always stress that whether it's quantum or it's AI, almost certainly those techniques will be used by our adversaries, so they will be part of the threat landscape. But equally, those techniques can be used as part of our defenses. And what we need to ensure that risk management evolves just as quickly as the threat landscape, and that we do not deny ourselves the opportunity to realize the very best of whether it's AI or quantum. We need to extract the real value there, because otherwise the threat adversary will attach itself to that technology. And perhaps one example of that at the moment is the deepfake world. And we see movement quite quickly in that space, which is not. It's not overly concerning if we understand the risk and we use similarly advanced techniques to detect it and mitigate against it. But that space has moved pretty quickly. We have these Generative Adversarial Networks, which is underlying technology, which sort of simulates and aligns networks to compete to produce better results. That is what's being used to generate these images. Whether they're reading images or voice equally. But those techniques can also be used as part of a dependence. So it's about understanding the technology and its sort of two-sided coin perspective as to what we can do to understand the evolving risk, but also to realize the best of those techniques to prevent real harm, catastrophic risk, or even the sort of existential risk that we sometimes hear associated with AR.
Juan de Castro: That is a good question. Plenty of thoughts on that one. I think I'm going to take takeaways from what you just said. One is probably quantum computing. Eventually, we don't know, to your point, we don't know when, but eventually we'll have a ChatGPT moment, right, where it moves from being promising to being almost like broad adoption. So I don't know when that's going to happen, but I think that it will. I think the other point is actually I was, I have not reflected on it probably enough, is the threat of something like quantum computing breaking the strength of all the cryptography. I mean, the basics of cryptography, right? At the end, I mean, most of the security online is based on password encryption using algorithms that current technology cannot break, but I think quantum computing might be, right? I think... I don't know. That's probably almost like a theme for a movie, right?
Jonathan Spry: It is. It's a merging of science fiction with science facts. It's very interesting, for sure. And I'm still clear of making bold predictions as to what that's going to look like, but it's not going away. And we're beginning to feel it. The future may not be here, but as William Gibson said, it's here, but it's on the even more distributed.
Juan de Castro: I think that this is a brilliant way of wrapping up the episode. Jonathan, it's been fascinating to deep dive today into all things Cyber, AI, technology. I've really enjoyed spending a bit of time with you, and thank you so much for joining me again.
Jonathan Spry: Well, likewise, Juan, I've really enjoyed it. And it's been great chatting to you today.
Juan de Castro: Making Risk Flow is brought to you by Cytora. If you enjoy this podcast, consider subscribing to Making Risk Flow in Apple Podcasts, Spotify, or wherever you get your podcasts so you never miss an episode. To find out more about Cytora, visit cytora.com. Thanks for joining me. See you next time.
