In conversation with
Shopify’s CISO,
Andrew Dunbar
We sat down with Shopify’s CISO, Andrew Dunbar.
Andrew has built Shopify’s security function from a single-person operation in 2012 to a programme spanning cybersecurity, IT, fraud and risk across a platform supporting millions of merchants in over 175 countries.
In this interview with Sascha Pollock, recorded ahead of the Cyber Risk Reckoning Forum in June, Andrew discusses how AI is expanding the capacity of security teams at Shopify, with human analysts remaining in the loop at every critical decision point.
Our chat also covers the shift in the threat landscape toward AI-enabled social engineering, why user behaviour analytics has become a central defensive capability, and what Shopify’s HackerOne bug bounty programme has taught Andrew and the team about securing agentic systems at platform scale.
We’ll be discussing frameworks for identifying concentration exposures in your portfolio, 3 realistic catastrophe scenarios with estimated impact ranges, and shared methodology for stress testing that both primary and reinsurer teams can use in renewals discussions.
What We’ll Tackle:
1. Cloud Infrastructure Aggregation
– Identifying hidden concentrations across AWS/Azure/GCP
– Business interruption triggers from single cloud provider failure
2. Software Supply Chain Dependencies
– Modeling downstream impact of critical vendor compromise
– CrowdStrike-style scenarios – operational failure vs. malicious attack
3. Correlation vs. Independence Assumptions
– Where current models underestimate simultaneous claims
– Geographic/sector diversification – does it actually reduce systemic risk?
4. Realistic Loss Scenarios & Stress Testing
– Building credible catastrophe scenarios with limited historical data
– PML estimates reinsurers will accept vs. what actuaries can defend
Why Now?
Reinsurers are increasingly challenging primary insurers’ accumulation assumptions, while regulators demand stress testing that current models can’t support. With limited historical data for systemic cyber events, both sides need new approaches to quantify concentration risk.
Attendees:
– Head of Cyber Cat Modeling/Portfolio Management
– Chief Actuary / CRO
– Reinsurance Brokers
– Reinsurer Underwriters & Cat Modelers
Participants
THis episode's Guest
Andrew Dunbar
CISO @ Shopify
Rick Caccia
CEO @ WitnessAI