Cyber risks as a financial investment: Citalid’s vision for the future of the insurance industry
28 November, 2025
Maxime Cartan, CEO of Citalid, explains how cyber risk is becoming one of the most strategic and scalable opportunities in the insurance industry. His company transforms cyber threats into measurable financial metrics, enabling insurers, corporates and financial institutions to understand, assess and manage digital risk as an asset class.
Thebrokernews talks to the winner of the Swiss InsurTech Hub Summit & Awards 2025.
Maxime, please tell us briefly: How did Citalid come about, and what was your personal motivation for founding a company that quantifies cyber risks?
Back in 2017, my co-founder Alexandre Dieulangard and I were both working in cyber threat intelligence at ANSSI, the French cyber-defense authority. We were helping compromised critical organisations, both governmental and private.
And we kept running into the same wall with executives: every strategic decision ultimately comes down to economics, yet cyber risk was still discussed only in technical terms. The bridge between cybersecurity, business continuity, financial exposure and insurance simply didn’t exist. Organisations were essentially flying blind.
Alexandre and I have always been driven by entrepreneurship, with complementary backgrounds: his legal and geopolitical lens, and my engineering and mathematical approach to cyber. Building a concrete, silo-breaking solution felt like the natural next step. We wanted to answer one simple question: “What is the financial exposure of my company to cyber risk, and what should I do about it?”
Our motivation was clear: make cyber risk measurable, comparable and actionable for executives, insurers and financial institutions. Because once you can quantify it, you can finally manage it.
What exactly distinguishes your platform from traditional approaches to cyber insurance or cyber risk management? What technological levers do you use? AI, threat intelligence, modelling?
Traditional approaches rely on external scoring or questionnaires. You’re forced to choose between speed and substance: long questionnaires capture internal posture and business context, but are time-consuming and painful; external scans, while fast and necessary, only reveal technical signals visible from the outside.
Meanwhile, cyber is a dynamically evolving risk. The limited historical loss data available becomes obsolete quickly, yet cyber remains one of the top risks for corporates and insurers. The industry needs a new approach that merges threat intelligence, business context, external and internal signals, and financial impact into a single coherent view… without compromising speed.
Citalid is now the leading cyber risk quantification technology in Europe because it addresses this gap through three pillars:
- Live cyber threat intelligence contextualized to specific sectors, geographies and offensive scenarios.
- Advanced modelling, mixing Bayesian networks, Monte-Carlo simulations and financial impact expertise.
- AI systems that automate analysis, correlate signals and detect risk propagation across IT systems and company portfolios.
The outcome is a platform that goes far beyond maturity assessments. It computes incident likelihood, expected losses, worst-case scenarios, and the ROI of security and insurance strategies. In short: we translate cyber into the language of risk, capital and insurance, making it measurable, comparable and decision-ready.
You won the Swiss InsurTech Hub Summit & Awards 2025 with the statement that cyber is the “most profitable and scalable sector of the next decade”. Can you explain this in more detail, and how do you see the role of insurers in this?
Yes… or at least it should be, if we collectively build the right foundations!

Cyber is the only insurance line where underlying exposure is growing faster than capacity, modelling capabilities or underwriting expertise. Digitalization, AI adoption, cloud concentration and hyper-connected supply chains are creating exponential exposure. And yet we still see huge coverage gaps: limited capacity for large corporates, and limited market penetration for the mid-market.
This combination creates a perfect storm of opportunity:
- Tremendous and accelerating demand
- Limited available capacity
- A critical need for better pricing, modelling and risk selection
Insurers who truly master cyber today will shape the market for the next decade. I’m convinced cyber will become a core strategic line of business, on par with property or specialty but far more scalable, because it underpins every modern organisation.
The role of insurers is pivotal: not just to provide capital, but to drive resilience, improve security incentives, and help the entire economy understand and price digital risk with the same clarity as any other financial exposure.
After winning the 2025 Awards, what are your next growth steps? In which markets do you want to expand? Which partner ecosystems are important to you?
Three priorities come to mind for our next phase of growth.
1. Geographic expansion
We already serve clients in a dozen countries, and our focus areas are Switzerland, Germany, the UK and North America. These markets combine high cyber exposure, mature insurance ecosystems and strong regulatory drivers.
2. Deep integration within partner ecosystems
Brokers, insurers, reinsurers, MGAs and GRC underwriting platform vendors are central to our strategy. Our aim is to make cyber risk quantification natively available where underwriting, risk selection and capital decisions are made.
3. Scaling the product footprint
We’re expanding our portfolio-level analytics for insurers and banks, especially around risk accumulation, systemic scenarios and the connection between cyber and credit risk.
Switzerland is a strategic hub for us: highly mature, innovation-friendly, and globally connected. It’s an ideal launchpad for international expansion.
In your opinion, what are the biggest obstacles that still prevent insurers from underwriting cyber risks in a data-driven way or assessing them accurately?
Cyber risk presents a combination of obstacles that makes it one of the biggest actuarial challenges insurance has ever faced.
A young risk with limited, inconsistent historical data
There is no century-long loss history or universally accepted taxonomy. Without common definitions, benchmarks and exposure metrics, insurers struggle to calibrate models and write policies.
Extremely high volatility
Attacker behaviour, tools and incentives evolve at digital speed, making past loss data a weak predictor of future events.
A human-driven, geopolitically sensitive threat
Cyber risk is shaped by malicious intent, geopolitical tensions, economic cycles and emerging technologies — all factors that introduce deep uncertainty.
A technically complex domain with scarce expertise
Understanding vulnerabilities, controls, architectures and behaviours requires expertise that is rare… and in a tense hiring market, extremely hard for insurers to recruit and retain.
All these factors lead to a lack of appropriate solutions on the market built to help insurers grow cyber insurance portfolios profitably and optimize underwriting processes based on strong cyber expertise.
Citalid helps overcome these gaps with standardised exposure metrics, live attacker-centric intelligence, and automated modelling that integrates natively into underwriting and risk workflows, making cyber quantifiable, comparable and insurable at scale.
How do your corporate customers specifically experience the benefits of your solution? Do you have any examples of how risks or premiums have changed?
Our cyber risk quantification engine actually powers two complementary products:
- Citalid Portfolio — large-scale third-party risk quantification used for insurance underwriting, portfolio accumulation analysis, supply-chain risk management (TPRM), and even credit risk evaluation.
- Citalid Core — detailed first-party risk modelling that helps corporates identify their most relevant scenarios, quantify exposure, and run what-if simulations to build an optimal security and insurance roadmap.
Together, they create a virtuous risk-reduction loop: Portfolio users (insurers, brokers, financial institutions) are incentivized to co-sell Core to their most critical clients, because improving the insured’s risk posture directly reduces their own exposure. It’s a true win-win dynamic.
Corporate users of our Citalid Core product usually report three concrete benefits:
- Radical visibility: for the first time, executives understand which scenarios matter and the financial magnitude of each, in clear business language
- Optimized premiums and policy terms: some clients have reduced premiums by up to 20% or renegotiated conditions to accurately reflect their true risk, strengthening trust with their insurer
- Smarter investment decisions: instead of “buying everything,” they prioritize security actions with the highest marginal risk-reduction impact, benefiting every stakeholder involved
And on the insurer side, the value is symmetrical: one carrier used our models to reprice an entire portfolio after identifying clusters of companies with disproportionately high projected loss ratios… a pattern they simply couldn’t detect before.
Cyber insurance traditionally has the problem of having few historical claims records. How do you deal with this? How do you model scenarios that are rare but still possible?
Traditional actuarial modelling of risks requires large, stable historical datasets… which simply don’t exist in cyber. That’s why we rely on Bayesian networks, and just to be clear: no, I’m not talking about the yacht called “Bayesian” someone from the audience mentioned to me after the Awards!
In simple terms, a Bayesian network is a kind of explainable AI that combines expert a-priori knowledge with a-posteriori real-world observations.
On the one hand, we codify what cyber risk experts already know about attackers’ victimology, behaviours, techniques and defenders’ control effectiveness, likely business impacts and resilience. That becomes the prior: a structured, quantified understanding of how cyber incidents unfold, even before seeing any data.
On the other hand, every new incident, be it a ransomware campaign, a data leak, a supply-chain compromise, … provides new signals. Bayesian updating through inference allows the model to learn and recalibrate from every new data point, even if they are rare or incomplete.
This is crucial because cyber is the opposite of traditional actuarial domains: it’s adversarial, interconnected and fast-evolving. Waiting for decades of loss data is simply not an option.
Bayesian networks allow us to augment scarce datasets with contextual intelligence and cyber expertise, and then refine the model continuously as reality evolves.
The result is a genuinely new viewpoint for insurers: one that can model plausible but unseen scenarios, quantify tail events, and understand how risk propagates across technologies and supply chains. In other words, it gives actuaries a rigorous framework that finally matches the nature of the risk, which is why it resonates so strongly with carriers frustrated by the limitations of historical-only approaches.
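Added illustration, not part of the interview and not Citalid's model: a single-node version of the prior-plus-updating idea described above, using a Gamma prior on yearly incident frequency updated with a few observed incidents, followed by a Monte-Carlo run that yields an expected annual loss and a 99th-percentile year. All figures (prior, observations, lognormal severity) are constructed assumptions.

```python
import math
import random

# Constructed assumptions, for illustration only.
PRIOR = (1.0, 5.0)            # expert view: 0.2 incidents/year, weighted like 5 years of data
OBSERVED = (2, 3)             # 2 incidents seen over 3 years in a comparable peer group
SEVERITY = (math.log(200_000), 1.2)   # lognormal loss per incident: median 200k, heavy tail

def update_frequency(alpha, beta, incidents, years):
    """Gamma(alpha, beta) prior on the yearly rate plus Poisson counts gives a Gamma posterior."""
    return alpha + incidents, beta + years

def poisson(rng, lam):
    """Draw a Poisson(lam) count by counting unit-rate exponential arrivals before time lam."""
    count, t = 0, rng.expovariate(1.0)
    while t < lam:
        count += 1
        t += rng.expovariate(1.0)
    return count

def simulate_annual_loss(alpha, beta, mu, sigma, trials=20_000, seed=7):
    """Return (expected annual loss, 99th-percentile annual loss) under the posterior."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # Sample a plausible incident rate; gammavariate takes shape and scale (= 1/rate).
        lam = rng.gammavariate(alpha, 1.0 / beta)
        n = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()
    return sum(losses) / trials, losses[int(0.99 * trials)]

if __name__ == "__main__":
    a, b = update_frequency(*PRIOR, *OBSERVED)
    print(f"prior rate {PRIOR[0] / PRIOR[1]:.3f}/yr -> posterior rate {a / b:.3f}/yr")
    mean, p99 = simulate_annual_loss(a, b, *SEVERITY)
    print(f"expected annual loss {mean:,.0f}, 1-in-100 year {p99:,.0f}")
```

The posterior rate lands between the expert prior and the raw observed frequency, which is how a handful of incidents can recalibrate the estimate without replacing the expert view.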
Maxime Cartan is co-founder and CEO of Citalid, a technology scale-up recognized as the European leader in Cyber Risk Quantification (CRQ). He previously worked as a cyber threat intelligence specialist at ANSSI, the French national cybersecurity authority. He is a graduate of a prestigious engineering school and a renowned business school in France and holds certifications in Offensive Security (OSCP, CEH). Before joining ANSSI, Maxime was a partner at Hypermind, a startup company specializing in predictive geopolitical analysis.
The questions were asked by Binci Heeb. The second part of the interview will be published on Monday, December 1.