Riddle Me Cyber
In his latest 2020 Predictions, Scott Galloway (who was my professor for brand strategy at NYU) quoted his mentor Paul Stephens who advised him to “Never bet against a company that has a great product.” When I think of great products, I think of Ritter Sport, alo leggings, and Tod’s. And when I think of great service, I think of Trader Joe’s, Nordstrom and Givenchy.
A marketer will tell you that a great insurance product is often the cheaper insurance product. And an underwriter will tell you that a great insurance product is better coverage with fewer exclusions. I don’t know of many underwriters-slash-marketers but Nick Lamparelli comes close; he’s the chief underwriting officer at reThought Flood and while I never asked him if he considers himself a marketer – a good portion of his activities absolutely fall under the space of B2B marketing. And the reason I bring him up is that the co-founder, and COO of Cowbell , Trent Cooksley, brought up his views in our recent conversation on cyber.
“To me, cyber is just like property insurance, it’s exactly the same except there’s an arsonist outside. There’s a ninja arsonist outside and that makes it really complicated because there’s a human being that’s actively trying to cause harm in a very nefarious and sinister way but also in a discreet way,” said Lamparelli in his conversation with Dominic Vogel, the founder and chief strategist of cybersecurity firm Cyber.sc, back in September 2019. And while the security capabilities are here the problem is that very few take advantage of them. After all, “The market doesn’t reward good security,” and “The government doesn’t regulate good security,” says security technologist Bruce Schneier who argues that there are absolutely no incentives anywhere to have good security, and so we don’t.
But that hasn’t prevented the rise in cyber insurance startups fueled by $289 million in funding as of 2015 according to Coverager Data. And typically behind every MGA, there’s an established insurer. For instance, Argo and Swiss Re back Coalition , a San Francisco-based risk management and cyber risk solution that has raised $50 million since its inception in 2017. The company recently announced its acquisition of BinaryEdge, a Swiss startup established in 2015 that scans the entire public Internet space and creates real-time threat intelligence streams and reports about a company. “We have similar technical capabilities,” Cooksley tells me; emphasizing that you’ll find a cyber insurance startup’s competitive edge in the ability to incorporate data and technology to improve the policyholder experience, accelerate quote generation, and provide better data in real-time to everybody in the process. Cowbell Cyber, also from San Francisco, works with Markel, Renaissance Re and Nephila Capital and has raised $3.3 million since its inception in 2019. It recently announced Cowbell Prime 100 to allow agents to issue personalized cyber policies with up to $5 million in coverage. Most importantly, Cowbell works with “hundreds of datasets.”
“Cyber started grabbing headlines within the last decade when companies were looking for cyber coverage yet insurers’ initial reaction was to look for policy exclusions – a typical insurance scenario of a public panic rightfully met by insurers’ attempt to mitigate this terrible risk,” says Marty Frappolli, the Senior Director of Knowledge Resources at The Institutes. And this terrible risk is coupled with “a lot of guesswork” when it comes to pricing coverage, a good enough reason for Warren Buffett to declare he doesn’t want his companies “to be a pioneer on this.” “I don’t think we or anybody else really knows what they’re doing when writing cyber.” For what it is worth, Berkshire is no pioneer and far from a leader in cyber insurance with its ~1.4% market share.
Roughly four years ago CoverHound introduced CyberPolicy that’s “specifically focused on cyber insurance and the needs of the small business owner in a digital world that it’s exposed to.” The site which enjoys anywhere between 7,300 to 15,000 monthly site visitors according to SimilarWeb and SEMRush respectively is proof that consumer awareness in this category is low – too low. In fact, there are approximately 20,760 monthly searches on Google for cyber insurance-related keywords, e.g., cyber liability insurance and cyber insurance cost, and the key organic driver to cyberpolicy.com are folks searching for “What happened to anonymous” (~720 searches a month), followed by ‘cyberpolicy’ (~170 searches a month). So the current reality is that not enough people search for cyber insurance online but that’s not the worst part. The worst part is how do you convince someone they are a target as there are two trains of thought, ‘if it happened to Jeff Bezos, it could happen to me,’ and ‘there is a reason he is a target.’ Stated differently by Bruce Schneier, the feeling of security and the reality of security don’t always match.
And this tiny D2C landscape is a good enough motivation for several, new cyber insurance startups to opt for a B2B2C model similar to the one picked by Cowbell Cyber and Corvus Insurance which is led by Philip Edmundson who prior to this venture spent 30 years running a commercial insurance brokerage, William Gallagher Associates, to later start investing in the insurtech sector to eventually become an active participant in the space. “I saw an opportunity to use new sources of data and a tech-driven approach to building tools for commercial brokers, and the idea for Corvus Insurance was born,” says Edmundson who founded Corvus on the idea that you can make commercial insurance smarter by utilizing novel sources of data, and using those insights not just to improve underwriting, but also to empower brokers and policyholders (of all sizes) to better predict and prevent loss. And while I don’t know how much traction Corvus picks up, I do know it is picking up funding as it recently secured a $31.8 million Series B round, bringing its total funding to date to $45.8 million. “We have a deep understanding of insurance and how it is distributed and combine that with experience in cybersecurity and data science. It’s that combination that leads to offerings that are differentiated from top to bottom: from the AI-driven underwriting process to the online experience for brokers; from the coverage we offer to the risk mitigation reports (what we call Dynamic Loss Prevention) and value-add services we provide.”
Frappolli, too, is optimistic, saying “There’s a price for cyber that makes it profitable and insurers are definitely on that path,” all the while acknowledging the difficulty in pricing as (1) there isn’t a lot of data on losses relative to exposure, and (2) policy language hasn’t been tested yet in the real world which suggests a future where insurers face an unknown cyber liability exposure, similar in nature to the unplanned asbestos exposure faced by some. “200 years ago fire was considered an unpredictable risk but over time fire insurance evolved with good hygiene to manage this risk.”
Today you can fireproof a home but how well can you cyber proof a business or an individual from hardware vulnerabilities, phishing or ransomware, is my question? “It’s a good analogy because no matter how much you fireproof a home, you still need to insure it; ‘fireproof’ is really a misnomer – there’s no way to make fire risk zero. Maybe fire resistance is more appropriate. It’s the same with cyber. You can do a lot to reduce your chances of getting attacked, but there’s no such thing as a perfectly safe IT system, especially when there are hundreds or thousands of employees connecting to it, introducing the possibility of social engineering as a vector for exploit. Cybercriminals are always finding new ways to get into systems and cause havoc. That’s why we provide information to our broker partners and policyholders: to help them mitigate the impacts of cyber events, and ideally to prevent them altogether, while also providing the best coverage for when something does go wrong,” says Edmundson.
Some say that “no two cancers, nor two patients, are exactly the same.” Others believe that in cyber, “no two incidents are alike.” It’s a crude similarity and one that suggests that possibly the only argument all parties agree on is that cyber insurance is never the only answer. And as far as data is concerned, the ability to normalize data remains a challenge. “At Corvus, we get an accurate, point-in-time snapshot of an organization’s security footprint from our scan, and provide regular reports for the policyholder throughout the policy year, as well as alerts when a new vulnerability or other urgent risk is discovered. In this way, we keep up with the constantly changing nature of IT while still providing the stability clients look for in a policy.”
