EP12 – More Cowbell Please! A Conversation about Cyber Risk & Insurance with Jack Kudale, CEO of Cowbell Cyber

Jack Kudale, CEO of Cowbell Cyber and I met in Des Moines a year ago. With minimal funding and no team…a year later, he has a Cyber product in 5 states (soon to be 15) and a very innovative proprietary model for determining a company’s cyber risk, now and ongoing in real time. We discussed what makes quantifying cyber risk so difficult. Why it is extremely important that cyber risk be monitored in real-time, why the world has changed and your cyber exposure has changed and why you must work to prevent and mitigate the risk first, and with Cowbell Factors, Cowbell Cyber is giving businesses real-time analysis of their cyber exposure at their fingertips.

Watch here:

 

Connect:
Jack Kudale – https://www.linkedin.com/in/jackkudale/
Cowbell Cyber Homapage – https://cowbell.insure/ 

 

Musical Credits:
Shadows by David Cutter Music:
https://davidcuttermusic.com
https://soundcloud.com/dcuttermusic
Free Download / Stream:
https://bit.ly/shadows-david-cutter
Music promoted by Audio Library:
https://youtu.be/qiBHOiEl9EI

Video Credits: Intro Stock Footage by Videvo

Transcript

Jack
You know, we see a couple/three things a there is this. First of all, let's talk about our SMBs. small to medium sized businesses.

The threat level has gone up pretty significant over the last two months. You're talking about phishing, 6-700% month over month. You talk about DDoS attacks on government facilities ransom for handhelds. There are about 1200 plus cases. I think I may have seen that In your write up somewhere at the FBI, I see three related to COVID. Now there are apps that would lock your phones and until you...until the victim has to allow paying certain cryptocurrency, it wouldn't release. So the threat level has gone up on top of existing disruption in the business. The agency's...retail agencies

Unknown Speaker
You know, this business is 150 year old build on relationship, networking, oxytocin in person. And all of sudden that got replaced. So first two weeks, everyone was hoping this will be over soon. And now you have to really realize how do I change the business model? So we label this O2O, offline to online initiative? How do I build what was happening offline to everything online, including maintaining relationships, communicating crystal clear, submitting, binding issuing policies, servicing the policies, performing claims. So we feel like we're well positioned there. And third, there is this new surge in wholesalers gravitation from surplus to admitted. Right and passively merely for compliance reason. But also, this one less thing for them to worry about is to review every surplus code. But if it's an admitted product, right, so we started to see those three things from agency retail, agency wholesale, and the actual prospect to customers. So we started the offline to online initiative for the agencies we opened up the platform to all non-policyholders online Any small Yeah, business can come in and take a look at.

Jack
We also see a rise in

private, convertible notes as opposed to prize funding rounds. Right. In terms of just a, you know, backing. What we haven't seen is any hesitation on the reinsurance part. Plus cyber. It seems cyber is insulated from the reinsurance capital.

Nick
Were you expecting that?

Jack
I wasn't expecting a recess on it. I was. I just wasn't sure. But we actually seen affirm reaffirmed commitments. And you know, for I'm not talking about existing, but I'm talking about things in the pipeline.

So,

Unknown Speaker
um, the reason I'm describing it like, you know, the First half of the hour glass is the policyholder in agencies is kind of a rising threat level and a different way of doing business. And the second part of the hourglass is the reinsurer's capital, and of course the regulator's are working from home so there is a productivity issue there. Your filings are not getting approved as fast as you would hope to be. Right. But yeah, it was that's good news that you know, cyber is reinsurance capital per cyber is this COVID-19 task force's at every insurer/reinsurer right now assessing, you know, what's the right and what could be the cyber, right. So I think those are, you know, we live in five states now, Nick, it's been great, which is

Nick
which which five?

Unknown Speaker
So the initial six minus California. Now we're still waiting patiently on California to go live, hopefully, by beginning of next month. It's Arizona, Colorado, Nevada, Oregon and Illinois. And one thing we done as part of our adjustment to COVID-19 is we are accelerating our state rollouts. Right. So the next nine, we already in the process of filing and we like to get the 15 done by end of May go to market on 6/1. Did you say? 15?

Unknown Speaker
Yep. 15

Nick
That's fantastic. By the way, we're recording. Oh, I see that. Yes. Good. Yeah, no. This is a good conversation. You have so what? I'm curious if you're seeing the same thing I'm seeing, so I would I would classify cyber as potentially catastrophic, business wise, and the way that it can kind of, you know, we're in a pandemic. It's got viral qualities to what can potentially happen. I'm on the Nat Cat side, and I'm now getting asked more and more about business interruption. Yeah. And my guess is that there's going to be a, you you described, the O2O and how the there's, I feel as though there's a lot of discussion about the business model, in its entirety. Include in thus, even though we are in a pandemic, and there's a lot of questions about business interruption when it comes to pandemic coverage. I'm thinking that in the corporate boards and the risk management discussions, there's just the conversation about business interruption

across The board,

whether it's caused by cyber or natural catastrophes, there's just a desire in around businesses to close that gap, regardless of where it's coming from. You know, you're sort of seeing the same thing?

Unknown Speaker
You know, will we saw, you know, look, we had we gone to Illinois, four, and five weeks ago, we launched in Illinois, and that was the first week the entire Chicago and suburbs were shut down. And they were very busy filing BI claims against the general liability and the commercial property policy right. Now. So look, I would continue to say BI and also ransomware, but the resulting BI because of ransomware or just BI in general, social engineering, because of what's happening, no, no matter what kind of pandemic you have, social engineering is going to be materially, so I see this top three four coverages that are going to pick up pretty broadly.

Jack
I do see a gravitation from

Unknown Speaker
folks to understand what type of business interruption that we're against what policies so if you check your coverages, right, Do I have enough ransomware coverage? Do I have enough...So I think what will that do though that will keep moving the needle towards need for standalone and admitted product more and more. Right, that is our feeling. Do I believe long term there's an opportunity for parametric where if somebody just covers BI no matter what carrier you have. It requires a lot of, you know, especially just look at in cyber, single point of failure, the aggregation stop, those things need to be more stabilized before you can think about a parametric that includes cyber as a peril, right? I agree with you, there's definitely a conversation on BI. But you know, people were buying cyber for contractual, out of fear. And as they change, the expand the business model so they can protect themselves, partnership commercial. And now you can add the business interruption. I mean, you know, public health pandemic, right. Cyber pandemic could look very different. Right. So, I think, you know, I'm BI whether it's a, you know, will this will this change the product that insurers offer? I think a lot of lessons to pick up. I mean, I can't say it's too early to say, Would people still ask for higher limit on BI? I think most BI limits is all the way to aggregate limit anyway. Right. So yeah, so that's kind of my thoughts on it. I don't know if it got it conveyed everything you wanted to know. But

Nick
yeah, yeah. So you brought up the admitted element of it. You know, typically for let's say auto, the way an admitted filing works is you know, a carrier has some loss experience. They do the actuarial analysis in order to, you know, segment the market the way that they view it. Get to a particular rate and then you know, it's it's essentially now for a broker/agent when someone comes in and wants to buy auto insurance, they plug in some information, it goes through a rater and it says, okay, you're in this zip code with these characteristics, here's your rate. Yeah. What is what is the admitted process for cyber? Because that's that process, which is that's not just auto, that's auto, homeowners, small business like most, most of the traditional insurance products function that way. what, how, how, what is it with cyber and how were the interactions with the regulators regarding how you are filing these rates?

Jack
Yeah, so really good point. Like, you know,

a lot of the all the lines you mentioned

Unknown Speaker
the they're usually based on the industry class in the revenue If it's commercial, if it is non-commercial, you have the cost of dwelling, the MSRP of a car. Yep. And those became the right now, we have 150 year of actuarial tables and heat maps to get to finance that data. Cyber, not only you don't have those actuarial tables and the heat maps available to you, the information is also changing very rapidly, right? Right. That's the big challenge. So you couldn't really apply that model. So I would even say the law of large number is not as applicable to cyber as you might find it for other line of business. You can't just write too many cyber accounts and not worry about risk aggregation and single point of failure. You can have a significant loss in a win A very large

Jack
pool up claim.

Unknown Speaker
Accounts are policyholder, because you have a catastrophic single point of failure. The way we're looking at it is we have, I think, to date, we have about 267 data points about an account. So we write certain degree, there is a, you know, you will see traditional insurers are still using industry and revenue to write cyber, to a maximum degree and maybe single factor cyber score from a cybersecurity supplier. What we do is we rely on the revenue, employee count, industry class to a very small extent, because he kind of we call it a firmagraphic, you just have to have know enough about the company. But then we pull up all these 267 different data points. That is by the way, it's you have it at your fingertips, you don't even need to ask them all of those details.

Nick
And that's, that's, that's 267 points above and beyond the traditional classification and just, you know, how many employees, what's your revenue? This is, you know, your your whittling down more to the specifics about exposure and risk.

Unknown Speaker
Yeah, we and then we convert that into multivariant ratings factor called Cowbell Factors. So, exactly. So essentially what happening is, Nick we are writing cyber, not only on industry and revenue, but also on risk exposure as opposed to and that is what is a big Delta, big differentiator, you truly know the type of now you can classify the single point of failure. You can aggregate it the way you look at it. You can manage premium to limit ratio, you can write portfolio into certain industries to certain extent and then, right. So, yeah, that's the big deal for us.

Nick
Yeah, that's, it, it reminds me of where the, you know, the property business was moving as well because again, the classifications by zip code, I do flood on a on a day to day basis and the risk can vary dramatically in a single zip code. So, an average an average rate will have a wide variance and that allows a smart underwriting team to go in and kind of poach out the stuff that doesn't belong in there. You know, it's, it's at the average rate, you can get the lower ones and kind of remove those out. That's, that's really smart. any pushback from regulators?

Unknown Speaker
It's a different approach...

Jack
It's beenn limited time of the experience but,

you know, I think we'll know as we file more as we but you know, so far. You know, we're writing policies in these five states right now, currently.

So,

Unknown Speaker
ya know, I think, good questions, we provide better answer. But yeah, it's an amazing experience to, by the way, Nick, I think you and I first started about a year ago, you did in Des Moines, Iowa now and as you know, it was a one man...three slides show at the time, not even funding it at the time, right. So you know, that we moved really fast and that you couldn't do without a proper support from the reinsurance panel, without a quick approvals from insurance regulators.

Jack
So yeah, if was a

really good experience so far.

Nick
So, given, you know, the the market is still immature and I mean,

Unknown Speaker
young. Right.

Nick
You know, the cyber itself is, has evolved quite a bit over the last few years but, you know, the internet's not that not that old compared to general property. Right. And so there have been writers of business. How I'm going to ask you the question like I would get asked if I were going to pitch is, how are you going to how do you how is Cowbell Cyber going to compete against some of these larger writers of cyber, that can potential they have a big balance sheet, they have, they can potentially throw armies of researchers and information technology specialists at the How does cowbell cyber compete?

Jack
Yeah, so,

look, I mean, if he had a army of researchers, someone would have done it what we do a long time ago. It requires a cross section/cross industry innovations don't happen at large companies. You know, you have to know AI, you have to know cybersecurity, you have to know insurance. And you bring and assemble that unique, foundational team to solve a very complex problem. So I think the innovation can only happen in a very difficult and a small budget, a finite number of people. That's one part...second. You know, this is not a business where you throw a lot of bodies at it. In terms of distribution and army. There are people like you know, most of the world has access to the gang of eight and I call it the top eight standard markets that are selling cyber big ones, right? Everyone in the world has access to those products. But then why it's taken great, like you said, Young market. Why is 91% of small to medium sized businesses still uninsured? There's a reason for it. And the reason is, you know, the people are gravitating to have a very simplified process. People are gravitating to have a just right coverage, and people are gravitating to get more insights that can help them make decisions. Right now I'm talking about the small to medium sized businesses. So unless you solve this trifecta of purchase drivers, the process the coverage and the insights, no matter how big and how big you are, and how many resources you have, you're not gonna cut it. That is why, you know, we think that The innovation behind Cowbell Factors is actually driving the process. I mean, Nick, we, it takes half day for people to configure cyber product. We activate policy in less than five minutes. We have eliminated the application. We have covered, submission and binding to microsecond. Right? So it has to be driven by technology, where you, you don't need like, Look, we in a smallest, less than 20 people. And maybe less than $2 million in expense. We build an entire insurance company with the product in the hands of retail agents to sell it to the businesses in like eight to nine months. So, I mean, you haven't seen that happening with any large property and casualty insurer trying to build a cyber line of product. So that gives us more confidence, right? This is where we bring the innovation, right? It's not our ego, it's the will the scale and then then the managing the time to market and the market is youngest good, because powerful tell wins here, right? 91% in SMBs are uninsured and in the first 9% there, a lot of people are under insured. Right. Many people are still doing endorsements on existing BOP and property policies for the cyber industry.

Nick
Yeah. There's so many similarities between even though cyber and natural catastrophes are not the same. There's so many similarities and I feel I think there's like a lot of overlap and how we both view the future of insurance and you brought something important up, was, you know, a lot of your potential customers want insights. Yeah. Right. And I don't know about you, but there's something immensely dissatisfying with just selling an insurance policy. Mm hmm. Right. We're collecting all of this data. Um, you know, I know I, I always feel with when I deal with commercial accounts, I think I know more about their building than they know about it. Yeah. And so

yeah, it's okay.

Should a disaster occur and I can get you back up on your feet. Okay. Yeah, that's a, that's socially valuable. But I think there's more value to like what you said providing those insights like in the risk management sphere, there's, before risk transfer, there's risk mitigation and risk prevention. And if I have information that can help you prevent or mitigate loss, why don't I just tie the whole thing together? Yep. I have a feeling you think you think of it the same way? Yeah.

Jack
I also think

I agree with everything you said. I also one thing. Another data point is, you know, we bringing a transparency into the market that didn't exist for cyber...single data source...couple principle, the agency should know as much about the policyholder if not more, okay. The policyholder or the potential customer should have a really good insight into what are the parameters used to define my coverage and my premium? Right. And today, those two things don't exist...a black hole, right. So we have the platform is built on a single data source that is accessed by the policyholder, the agency, and the reinsurers and that is a pretty big change for the market. So it's not just the policy you're buying, it's a process of buying policy. It's the governance once the policy is activated, what is the gap in insurability? We apply it every quarter, every month. So Nick, this allows us to, I go back to the north star for Cowbell, right? The usage base cyber will not only you can influence or change the premium, but also the limits and coverage based upon the evolving risk. So this is like risk transfer on the go all the time. So it's a kind of a three year journey for us right?. We're still talking a year into the journey. This will go a long way towards that journey. Yeah.

Nick
Are there any particular businesses that are essentially uninsurable? That you, you know, we have on the Nat Cat side there, you know, there could be you know, single story structure, on the ocean, in Florida. And it's just like it would cost so much to insure that part like that devastation is inevitable. It would cost so much to insure it it's essentially uninsurable because they're not gonna pay that money. Do you? I don't know enough about how cyber insurance actually relays all that but you run into the same things where there's businesses, they're either so sloppy or whatever, that they're essentially uninsurable.

Jack
Yeah. So there are certain industries that you don't write. And that's just a that's not an aggregation issue is just that, you know, for example, the adult content industry or gambling, right, and that just like in a book of business, you just don't insure them for not just cyber, a lot of other line of product. But then there are certain industries that are high risk, you may call it, because of just the amount of data so you Think about, I would not call it somebody who is non-insurable. I mean, there is a cost to it right now we have a limited experience in the market to really say hey, we would never write so and so type of thing. But if you look at CCPA per record, there is a penalty on it. So the number of records go up, you are exposed to much bigger revenue in case of GDPR. It's 5% of your revenue. So the higher the revenue, the higher the GDPR, our average ransomware was about 95k last year. In the small to medium market, as you go up, the market goes up this year is going to change. So we are accommodate, you know, to that I just don't have enough data point to say, you know, we know that certain industries we don't want to write certain percentage more than certain percentage of our total portfolio. Yeah, because we know this high data aggregator everyone depend on the same cloud provider. So it's this big race to single point of failure terms in terms of that. But yeah, there has an I think we look at every industry, right? Look, I mean, you know, we want to grow fast, as well, but we want to do it without compromising the due diligence that is required to write insurance. Now, one thing we saw is a lot of people rely just based on domain name. Okay, sure. But hope it's not just domain name. hope there is a lot of due diligence behind it. So that is what I'm talking about. Right. So we want to build a sustainable long term business. It's not just a

Nick
Yeah, there's so much in common because as you're talking, I'm just like, well, we have the same problem. I don't want I don't want to write too much business in New Orleans. Huh, flood business, you know, like, you write too much there, you're gonna get you're gonna get caught eventually, you know. So there's a there's a lot of parallels between our two businesses. When it comes to that, I'm curious, in this potentially new, this new normal that we're going to have where, you know, considerable part of population could is working from home now and could remain working from home. How does that change the cyber exposure for companies that have had to rush in some instances to kind of put together the necessary infrastructure to allow people to work from home, does this potentially open up holes for you know, egregious people to to get in...way too significantly, so what was done temporarily has to be done permanently. And I even if you go back to work, because you know, this practice People have found many different ways to be more productive. Then being not at the office, right, etc. So, temporarily, a lot of things will change the controls.

Jack
Where, what the controls were before are no longer the same control, they're not up to par. And that changes the cyber risk pretty significantly. Right? So Cowbell Factors go down for certain industries and certain businesses as they start to reflect into the actual data? So yeah, this changes a lot. This is why when my initial thinking was threat level has gone up. It's not because people/hackers are working much harder. It's because the infrastructure has become weaker. Yeah. Right. So that is the big risk. And you know, if you Don't have like you said risk prevention and risk mitigation, you have to work on risk transfer. Yeah, to a degree. And this is why, yeah, that this is why my optimism to that 9% take up rate to hit 20% in a post COVID era, is giving more and more optimism that that will actually be the case because the drivers are the weaker infrastructure...focus on BI...never had cyber. There wasn't a good enough standalone admitted product, the process was cumbersome. I see a good resulting outcome as you cut through all of these problems. Yeah.

Nick
The the world of the hacker...when something like this occurs in the world, it's so disruptive. Does it make a hacker salivate. Like, do they? Do they realize like, this is a new opportunity for us? You know, to do what it is that we do, or do they just keep doing what they do and they're just more successful? because like you said, the infrastructure is weaker.

Jack
Yeah, they are and also, people who were not involved in cyber crime...people who are involved in physical crime, they might turn to cybercrime because they can't move around too much.

Unknown Speaker
So interesting.

Jack
Yeah. It's profound impact on that. Yeah. very profound impact on that. So yeah.

Nick
is there you know, you're in your long term in your long term thinking and planning of cyber/cyber insurance. Do you foresee a situation where it becomes standardized in such a way that it becomes added as a named peril in a policy or do you envision that it will probably stay mono-line or as an endorsement somehow,

Unknown Speaker
for the foreseeable future? Yeah.

Jack
I if I had to make a bet, not If I had to, if I had to make a bet it would be mono-line. for the foreseeable time. You know, again, we only know cyber, we don't know anything else. That's our specialty. So we'd like to remain mono-line as well. A lot of work going on in the government and specially pre COVID. I think you heard about the Solarium commission, possibly. They want to certify insurance products for cyber, they want to certify the underwriters, they want to certify claims adjusters. And this is not certifying cybersecurity products. We're talking about insurance products. So there's a lot of role for us to play in defining those aspects of the business. So we are involved tiny bit in periphery. But yeah, I think it will stay on the line. Especially because it needs to be much more standardized before something else happened to it. Yeah, yeah.

Nick
My last question is what's going on with our good friend Trent Cooksley?

Jack
Yeah, he's believe me or not is going to office every day. So that's a big thing happening with all alone??

Nick
Just him?

Jack
All Alone. Just him.

Where ya know, he is you know, I fortunaltely have two very good co-pilots for distribution in Trent and put product in Rajeev. So, ya know, he's doing amazing. We beefing up distribution. We strategic we hiring in the division. Big deal...needed right now. Yeah, and we are just so committed to the journey. We all believe that we are building much more resilient business. And we like to tell stories in future that, hey, if you come out of crisis like public health, that it was, anything can happen, and we'll be much more resilient business right now. That's how we're looking at it. Again, without a lot of optimism, there won't be any entrepreneurship and there won't be a lot of risk taking. So you know, we are we're having fun. We're enjoying. We're at 21. Now. We'll be getting to 36 by the end of the year. Fantastic!

Unknown Speaker
Yeah, yeah.

Jack
Yeah. And we'll be at 50 states by the end of the year.

Nick
Congratulations. Yeah. And we'll have

Jack
more to sell for sure. So good. Yeah. Great. catching up with you. I missing you. Oh, thanks for taking time.

Nick
Same. Yeah. I'll I will edit This And one final question. Yeah. When's the last time you had a haircut?

Jack
Well, that was March, 2nd.

Nick
Remember the exact date? Yeah. I am proud to say, I need your opinion. I'm going to I'm going to put this on the recording. I need your opinion. How did my wife do with mine? I just, she has never cut. I thought, Wow, that is a A+.

Jack
experience there. That's awesome.

Nick
I will tell her you said that. Thank you. Thank you so much. Tell her more Cowbells. Right, so always, always. I'm gonna squeeze some Cowbell into this video.

Jack
Yeah, beautiful. Thank you. I appreciate I appreciate it. JACK. Thanks a lot and talk to you soon. Thanks.