Cyber risks can no longer be insured with checklists and gut feelings (Part 2)

1 December, 2025 | Current General Interviews
Cyber risks can no longer be insured with checklists and gut feelings: Maxime Cartan at the award ceremony during the SIH Summit & Awards 2025.

Anyone who brokers cyber policies today must understand and quantify risks and accompany them throughout their entire life cycle: from the initial assessment to systemic control. This is precisely where Maxime Cartan, CEO of cyber intelligence specialist Citalid, sees the crucial role of insurers, brokers, and technology partners: they are becoming orchestrating players who bring together data, models, and prevention knowledge.

Thebrokernews talks to the winner of the Swiss InsurTech Hub Summit & Awards 2025 about how brokers are evolving from sellers to strategic entities that curate risk-based solutions, influence capital allocation, and build trust between companies and insurers. Because cyber is no longer a product category, but a dynamic risk class that needs to be managed continuously.

What do your collaborations with insurers, brokerage firms or technology partners look like? What role must intermediaries and brokers play in the shift towards data- and risk-oriented cyber policies?

    We collaborate across the entire cyber insurance policy lifecycle, from initial screening to systemic risk steering:

    1. Risk selection & awareness

    With our fully automated, lightweight assessment, underwriting teams can quickly evaluate a company’s alignment with their risk appetite without any client interaction. It enables faster triage at scale and more efficient distribution pipelines.

    2. Underwriting & renewal

    At the deeper assessment stage, brokers and insurers can combine multiple signals (external and internal, cyber and financial, sourced from Citalid or other technology partners, …) to structure guarantees and pricing based on actual exposure, not generic maturity scores. This reduces uncertainty and improves both margin and client fit.

    3. Prevention & risk management

    For critical or complex clients, brokers and insurers can equip them with our full cyber risk management platform. CISOs and risk teams can then analyze their exposure in depth, run scenario simulations, and optimize both security investments and insurance coverage. This creates a true risk-reduction loop: the insured becomes more resilient, and the carrier’s exposure improves over time.

    4. Portfolio resilience

    At portfolio scale, we identify accumulation vectors, monitor threat evolution and concentration, and help carriers refine underwriting guidelines to stay aligned with risk appetite. This is essential in a world where threat actors evolve quickly, and where supply-chain and cloud dependencies create systemic vulnerabilities.

    5. Cyber CAT simulations

    We provide catastrophe modelling services at the portfolio level to simulate extreme but plausible events. This enables insurers and reinsurers to stress-test strategies, negotiate reinsurance, and challenge assumptions around capital management.

    Ultimately, intermediaries remain essential. Their role is evolving from “selling policies” to curating risk-informed solutions supported by analytics, because this is what clients now demand. This is why we see more and more brokers either developing internal cyber quantification capabilities, or partnering with pure-players like Citalid to accelerate time-to-market and credibility.

    Cyber risks are becoming increasingly relevant not only from a technological perspective, but also from a regulatory perspective (e.g. operational resilience, data protection). How do you integrate regulatory requirements into your solutions, and how do you build trust among companies and insurers?

    Regulation is converging toward a single message: prove that you understand your first- and third-party cyber risks, from both a strategic and an operational standpoint.

    We help our clients meet the requirements of many frameworks, such as DORA, NIS2, GDPR and sector-specific resilience standards.

    Trust comes from transparency: our models are explainable, consistent, and backed by both cyber and actuarial methodologies. We also undergo regular audits from clients and partners.

    Your platform not only recommends risks, but also generates an “investment roadmap”, i.e. preventive measures, according to your website. How important is prevention in relation to pure damage or risk modelling, and how do you measure its effect?

    Prevention is central, especially when speaking to decision-makers who understand financial impacts far better than technical metrics.

    It’s not enough to tell a company “you have €20 million of cyber risk”. You must tell them:

    • which actions reduce it,
    • by how much,
    • and with what financial ROI.

    That’s why our investment roadmaps go beyond prevention. They map recommendations across the full spectrum of cyber exposure: prevention and identification, protection, detection, response, resilience and recovery, and even the optimization of insurance coverage.

    Every recommendation in Citalid is tied to an expected loss reduction curve. In other words, customers see the financial effect of a mitigation before implementing it. This changes the budget discussion dramatically: instead of debating tools or compliance, executives allocate capital based on impact, efficiency and return on risk reduction.
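Worked example, added here as an illustration and not code or modelling from Citalid or from the original article: a generic FAIR-style expected-annual-loss (EAL) calculation that turns a single "you have €X of cyber risk" figure into the three things the answer above says decision-makers need (which action reduces it, by how much, and with what ROI), plus a Monte Carlo loss exceedance curve for the tail. Frequency is modelled as Poisson and single-event severity as lognormal; the `Scenario` and `Mitigation` types, the scenario figures and the control are all constructed assumptions for the example.

```python
"""Generic cyber risk quantification example (illustrative, not Citalid's model).

Assumptions (constructed for this example): event frequency is Poisson,
single-event loss is lognormal, and a control acts multiplicatively on
frequency and/or median loss of the scenarios it targets.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float     # expected events per year (Poisson rate)
    median_loss: float   # median loss of one event, EUR (lognormal)
    sigma: float         # lognormal shape (spread of severities)

    def mean_loss(self) -> float:
        # E[lognormal] = exp(mu + sigma^2 / 2) with mu = ln(median)
        return math.exp(math.log(self.median_loss) + self.sigma ** 2 / 2)

    def expected_annual_loss(self) -> float:
        # Compound Poisson: EAL = frequency * mean single-event loss
        return self.frequency * self.mean_loss()


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    targets: tuple           # scenario names the control affects
    frequency_factor: float  # 0.7 => 30% fewer events
    severity_factor: float   # 0.5 => median loss halved


def apply_mitigation(s: Scenario, m: Mitigation) -> Scenario:
    """Scenario as it looks after the control; untouched if not targeted."""
    if s.name not in m.targets:
        return s
    return Scenario(s.name, s.frequency * m.frequency_factor,
                    s.median_loss * m.severity_factor, s.sigma)


def portfolio_eal(scenarios) -> float:
    return sum(s.expected_annual_loss() for s in scenarios)


def mitigation_roi(scenarios, m: Mitigation) -> dict:
    """Expected loss reduction and ROI of one control, computed analytically."""
    before = portfolio_eal(scenarios)
    after = portfolio_eal([apply_mitigation(s, m) for s in scenarios])
    reduction = before - after
    return {"eal_before": before, "eal_after": after,
            "loss_reduction": reduction,
            "roi": (reduction - m.annual_cost) / m.annual_cost}


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; adequate for the small rates used here
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, years: int, seed: int = 1) -> list:
    """Monte Carlo: total loss per simulated year across all scenarios."""
    rng = random.Random(seed)
    out = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.frequency)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        out.append(total)
    return out


def loss_at_return_period(losses, return_period: float) -> float:
    """One point on the loss exceedance curve, e.g. the 1-in-100-year loss."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(len(ordered) * (1 - 1 / return_period)))
    return ordered[idx]


# Constructed sample exposure (not real client data)
SCENARIOS = [
    Scenario("ransomware", frequency=0.4, median_loss=3_000_000, sigma=1.0),
    Scenario("data_breach", frequency=0.8, median_loss=500_000, sigma=0.8),
]
# Constructed sample control: tested offline backups plus EDR (assumed effect)
BACKUPS_AND_EDR = Mitigation("offline backups + EDR", annual_cost=400_000,
                             targets=("ransomware",),
                             frequency_factor=0.7, severity_factor=0.5)

if __name__ == "__main__":
    r = mitigation_roi(SCENARIOS, BACKUPS_AND_EDR)
    print(f"EAL before: €{r['eal_before']:,.0f}  after: €{r['eal_after']:,.0f}")
    print(f"Reduction: €{r['loss_reduction']:,.0f}  ROI: {r['roi']:.0%}")
    sim = simulate_annual_losses(SCENARIOS, years=50_000)
    print(f"Simulated EAL: €{sum(sim) / len(sim):,.0f}  "
          f"1-in-100-year loss: €{loss_at_return_period(sim, 100):,.0f}")
```

With the constructed figures the portfolio EAL is about €2.53M; the sample control cuts it to about €1.24M, a €1.29M expected loss reduction for a €400k annual cost (ROI of roughly 220%). The Monte Carlo run exists because the expected value alone hides the tail: the 1-in-100-year loss is many times the EAL, which is the figure that drives insurance limits and capital discussions rather than budget ROI.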

    What technological trends do you see today that will be crucial for cyber insurance and risk management in the next 2–3 years? Keywords could be: AI-driven automation, real-time threat intelligence, embedded insurance, etc.

    I would say that, given what we see today, four trends are likely to be crucial in the upcoming years:

    1. AI-driven automation of underwriting and exposure assessment

    From submission triage to data ingestion and scenario modelling, AI will accelerate underwriting workflows and enable more flexible products, including parametric models. Automation is not about replacing people; it is about freeing experts to focus on judgement, risk appetite, and capital allocation.

    2. Real-time risk intelligence integrated with pricing

    Cyber will move closer to a “live” insurance line: pricing and conditions informed in real-time by the evolving threat landscape, not static questionnaires. This will turn cyber insurers even more into true risk-reduction partners, because risk posture becomes a shared, continuously updated metric.

    3. Embedded cyber insurance inside digital and cyber ecosystems

    Security controls and insurance will be bundled into the tools companies already use, such as cloud platforms, cyber solutions, payment providers, IT services. Coverage and resilience may become native to the technology stack rather than a separate procurement cycle.

    4. Probable coverage of risks generated by massive GenAI adoption in companies

    Generative AI is creating new risk scenarios: model poisoning, misuse, hallucination-driven decisions, IP/data leakage, … which are adjacent to cyber and face similar modelling challenges. Insurers will have to cover AI-enabled incidents long before actuarial datasets exist. The players who can quantify these risks through expert knowledge, contextual intelligence and dynamic modelling will gain a decisive advantage.

    In short, the winners will be those who combine automation with deep cyber intelligence, and who are willing to put skin in the game… aligning product economics with the real risk their clients face when things go wrong.

    As a young company in a highly regulated and risk-sensitive area: What were the biggest challenges you had to overcome, e.g. in data acquisition, sales, scaling or vis-à-vis established market participants?

    Entrepreneurship is the story of trying to overcome challenges… sometimes with more success than others, but always with resilience. A few come to mind (and this is by no means exhaustive):

    • Trust building with CISOs first, then insurers — both require time, proof, and deep due diligence.
    • Mindset shift in markets used to actuarial modelling on long historical datasets: introducing new ways of modelling new risks is hard, especially in a soft market.
    • Data acquisition: cyber data is sensitive, multidimensional and hard to standardize. Our background in threat intelligence at the French cyber defense agency helped us build the right methodology and validation pipelines.
    • Long sales cycles, particularly with large banking and insurance institutions.
    • Scaling internationally while being disciplined with capital and resources.

    Winning major deals and strategic partners helped accelerate the trajectory, but only after we earned it.

    Do you work primarily with large companies, SMEs or directly with insurers? What is your ideal customer group, and why?

    We operate across three segments:

    • Large corporates directly, because their exposure is high and global, and they already understand the value of quantifying cyber risks. Among those I can publicly name are global industry leaders in their respective segments, such as Alstom, Lagardère and Fresenius…
    • Insurers, reinsurers and brokers, who leverage our Portfolio product to steer underwriting, accumulation and systemic exposures.
    • SMEs indirectly, via partners, insurers and brokers, to help overcome the awareness and distribution challenge in this segment.

    On the corporate side of things, our ideal client is one who aligns cyber risk with broader financial decisions: insurance capacity, capital allocation, vendor dependency, operational resilience. We can usually tell very quickly by looking at who is in the room, whether it’s only the CISO, or whether the Risk Manager, business owners and CFOs are present and genuinely willing to understand the exposure and make proactive decisions.

    This is why we often use the phrase: “Dare to know, be ready to act.” Because once the risk is framed at that level, quantification becomes a necessity, not a luxury.

    What values drive your team at Citalid? How do you create an innovation- and growth-oriented corporate culture, especially when entering the international market?

    One of our employees once said, “Citalid is a company where values aren’t written on a wall… you just feel them every day.” That stayed with me. If I had to name them, I would say:

    • Trust: we never compromise on modelling quality or transparency. In an industry built on uncertainty, credibility is earned through rigour.
    • Pragmatism: our job is to translate complex cyber signals into clear decisions, grounded in actionable financial metrics. We are allergic to buzzwords.
    • Collective intelligence, my former field of research: the term is often misused today, but under the right conditions and environment we are smarter together. By that I mean not only employees but also clients, partners, insurers and regulators. Cyber risk is systemic; the way we tackle it must be collaborative.

    I believe these values naturally shape our culture as we expand internationally. Innovation is not a department at Citalid: it’s a collective discipline, anchored in humility, curiosity and a strong sense of measurable impact.

    Looking five years into the future, what is your vision for Citalid and the cyber insurance industry? What role will your company play in this?

    Five years from now, I see cyber becoming as structured as natural catastrophes: with standardized exposure metrics, accepted accumulation models, benchmarks shared across the industry, and eventually capital markets instruments. Cyber will move from being an uncertain “technical topic” to a genuine asset class of risk.

    Our ambition is for Citalid to be the global reference infrastructure for quantifying and managing cyber risk, for insurers, banks, and large enterprises. The missing layer that allows the market to track, price, transfer and steer cyber exposure with the same clarity as any financial asset.

    When that layer exists, the impact is not only financial: better intelligence and better models lead to better decisions, which ultimately create a safer, more resilient digital economy.

    Maxime Cartan is the co-founder and CEO of Citalid, a tech scale-up recognized as a European leader in Cyber Risk Quantification (CRQ). He previously worked as a cyber threat intelligence specialist at ANSSI, France’s national cybersecurity agency. A graduate of both a top engineering school and a top business school in France, he holds certifications in offensive security (OSCP, CEH). Before joining ANSSI, Maxime was a partner at Hypermind, a startup focused on predictive geopolitical analytics.

    The questions were asked by Binci Heeb.

    Read also: Cyber risks as a financial investment: Citalid’s vision for the future of the insurance industry (part 1)


    Tags: #GenAI #Necessity #Quantification #Trust