From Passive Policies to Active Cyber Protection

Pete Miller [00:38]: Welcome to Predict & Prevent! I’m your host, Pete Miller, and today we’re joined by Joshua Motta, CEO of Coalition, one of the world’s largest providers of cyber insurance.

Coalition offers what it calls “active insurance” to prevent cyberattacks before they happen. In this episode, we’ll dig into what active insurance really means, specifically:

• How Coalition can spot and stop threats in real time…
• How Coalition’s Active Data Graph, internet-wide scanning, and honeypot network help customers prevent losses…
• And why aligned incentives and instant response can cut cyber claims frequency dramatically.

Let’s hear how Coalition does it….

Pete Miller [01:28]: So Joshua, can you please tell us a little bit about coalition and explain what active insurance is and how it differs from regular insurance?

Joshua Motta [01:37]: Coalition is one of the largest providers of cyber insurance globally. We serve hundreds of thousands of customers. We also uniquely provide cybersecurity services and products to our customers.

And of course, as you mentioned, know, active insurance. It’s really to denote how different it is from the traditional insurance experience, right? I think at this point, I imagine all the readers have purchased some form of insurance. And typically the process is you buy it, you set it on the proverbial shelf, and it sits collecting dust. In fact, if you’re lucky, you never get any value out of the product. You never use it. And it delivers no value to you, unless, of course, something were to happen, in which case it can be immensely valuable.

Active insurance is very different. It’s really designed to provide value to you all the time. It’s designed to help you prevent losses from happening. And when they do, it kicks in to help you reduce the severity of them.

You know, one of the analogies I like to use is sort of that of like a watch and a smartwatch. You know, of course, an Apple watch will do all the things that a traditional watch will do. It’ll tell you the time and the date. But uniquely, it has an incredible amount of computational power and an internet connection attached to it that allows it to do things you would have never imagined to watch could do in the past, right? Like check your blood oxygen level or whatnot.

And I think of active insurance and traditional insurance in the same way. You know, we do all the same things that a traditional insurance company would do. We pay out your claim, but we’ve also attached an incredible amount of computational power and an internet connection to our insurance product that allows us as your insurance company to do things you would have never imagined an insurance company could do for you, right? Whether it’s detecting that malware has been detonated in your network or detecting that you have a critical vulnerability that we see being actively exploited by criminals. There’s just a host of things that we’re doing over the course of the policy period in which we’re helping our customers dramatically reduce the likelihood that they suffer a claim in the first place. It’s really a very different model that’s really evolving to the risks that our customers have, which in the case of cyber risk are quite dynamic.

Pete Miller [03:48]: Yeah, and I think when we were looking into your organization, this podcast is Predict & Prevent. So we thought, well, that’s really cool. So how does Coalition help clients see threats emerge in real time?

Joshua Motta [04:01]: Yeah, so look, it all starts with the process and means by which we go about collecting data. So Coalition is continuously, 24/7/365, collecting data on every single computer connected to the global public internet. That includes all of the infrastructure of our customers as well as everyone who’s connected to the internet. And we’re seeking to understand what technologies are these devices running, what vulnerabilities exist? How are they networked? What services are they operating? Obviously, we take particular interest in the infrastructure that belongs to our policyholders. And so all told, we’re collecting literally trillions of log lines of data per month that’s used to help us see from the outside what our customers’ IT footprint looks like, what their risk surface looks like. In fact, it’s a very similar view to what a criminal hacker or to what any other threat actor might see. And so if we can look at our customers in that way, we can potentially help them identify issues before they become claims, is maybe the best way to put it. And so it’s that large data model, that data foundation that powers us, that allows us to see these threats emerging.

The other thing we’re doing is we’re actually listening to what’s going on to the internet. And so we’ve deployed something that we call a honeypot network, which sounds somewhat technical, but if you’ve ever read the tales of Christopher Robin, you’ll be familiar with it, which is to say that we kind of spin up infrastructure and we stick it out on the internet that’s designed to look like our customers and to imitate them. It’s running the same services, the same technologies, it has the same vulnerabilities. And then we just watch it. We watch and see what threat actors are doing in cyberspace. What are they attacking? What are the tools, the tactics and the procedures they’re using?

And then we can use that information to then try and protect our customers and help them understand, you know, hey, you’ve made a decision that’s visible on the internet, you know, that we think is going to get you in trouble, you know, based on the activity that we’re seeing across our honeypot network. And so these are all things that, again, you would have never imagined your insurance company would be doing for you. But because of the amount of data we collect, you know, we can continuously do this over the course of the policy period.

Pete Miller [06:28]: I have five kids, so I’m intimately familiar with Christopher Robin’s honeypot. That’s really cool. That’s a very, very interesting way, and I think you’re right. The average insurance company doesn’t do that. That’s really progressive and forward looking.

Joshua Motta [06:41]: One other aspect which is maybe somewhat unique is when you have an insurance claim, a cyber insurance claim specifically, typically the last thing you’re looking for is for the insurance company to cut a check. More often than not, we’ve found that our customers, what they’re really looking for is someone to help them operationally recover, even before the financial recovery part, because a cyber claim often involves some sort of interruption in their operations.

And so the other way in which we’ve helped our clients really address these threats is we have vertically integrated and have an instant response team inside of Coalition that’s available typically within minutes to begin helping a customer recover their operations, which has been incredibly important. The other value of having that team is that we have a full forensic level of detail as to what happened to that company, how it happened, how it could have been prevented. And that’s all information that, again, we can use to then help other policyholders sort of avoid a similar fate or to help inform how we work with them. So there’s a very differentiated way in our model to really not only help customers prevent losses, but even how to address them when they do happen in a way that is valuable for all of our customers.

Pete Miller [08:02]: One of the things I found very interesting was your “active data graph.” So can you talk about that, what it is, and how does it help your customers stay safe?

Joshua Motta [08:12]: Yeah, so look, if you’ve ever used LinkedIn or Facebook or TikTok, you know, all of these technologies are built on top of a data graph. You know, in the case of Facebook, it’s a friend graph. Of course, in the case of LinkedIn, it’s a professional graph. It understands your professional connections and your connections to different companies. Very similar. You know, the atomic unit of our data graph is a corporate entity because ultimately we’re ensuring a business entity. And we want to know and understand everything there is to know about that business entity, particularly of course as it pertains to their cyber risk. And so that might involve understanding all of their subsidiaries, all of the infrastructure, the IT infrastructure of those companies and subsidiaries, their IP addresses, their domain names, their autonomous systems and so on, all the people who are working there and their titles, financial information.

Really anything that we can collect and of course then we map out the relationships among all of them. You know, it could be who were their suppliers, who were their customers, you which can allow us to do predictive modeling in the spirit of our the name of this podcast, you know, where if we know that if there’s a failure of this particular entity, it could have a ripple effect that might impact one or more of our customers.

And so by creating this massive graph of data and understanding all the relationships between them, you know, it gives us, of course, a superior ability to underwrite the risk of our customers. In an insurance parlance, our underwriting strategy is very simple. It’s to collect so much data about the cyber risk of our customers that not only do we know more than our competitors, we know more than the insured themselves does about their risk, which is something that’s quite rare in insurance where it’s the buyer who often has more knowledge of the risk than the insurance company who has to avoid being adversely selected against.

Of course, the flip side of that coin is what makes us superior at underwriting also makes us superior at managing risk for our customers. We can expose that data to them. We can sort of give them the snapshot of their infrastructure and point out to them, you know, things that might lead to a loss. You know, and we of course are very motivated and incentivized to help our customers prevent losses from happening in the first place. And of course, when they do happen to try and contain the severity.

So really it’s that data graph that allows us to do it. You know, as I mentioned, you know, we’re literally talking to every every single device that’s publicly addressable on the internet. So all told, that’s probably upwards of about 6 billion devices. We’re ultimately talking to those devices thousands of times a month, and in some cases, tens of thousands of times a month where, of course, when you multiply billions by tens of thousands, you get to a very large number, the trillions number I mentioned. So, scanning the internet is a little bit like eating an elephant. That’s one of sort of the core technologies and intellectual property that we built is to do that.

Then of course, bringing in other data like threat activity, whether it’s through honeypots, whether it’s intelligence that we gather through data leaks, hacker chatter, we have an entire team that’s doing nothing but gathering threat intelligence.

All of that is sort of fused together with our insurance data, the actuarial insights we have, the claims data we have, to both inform customers, here’s what your risk looks like as accurately as we can tell, to help them make better decisions. Hey, if you were to implement this protective action or this control, or if you were to address this particular vulnerability, this is how it would sort of bend the curve and dramatically reduce the expected financial loss you would have. Down to how to recover, these are things that this active of data graph are all helping our customers do, providing them insights, ultimately to make better decisions and dramatically reduce the probability that they suffer a loss.

So again, our idea is to make insurance magical. We want our customers to feel like it’s a magic experience, to be frankly surprised that their insurance company not only has this level of information but has made it so easy to remediate these issues because ultimately our North Star, mission as a company is to protect the unprotected, to protect businesses that are digitizing very rapidly and you who want all the benefits of technology without having to worry about all the risks that come along with it.

Pete Miller [12:48]: Yeah, it seems like one of the elements of magic is that, you say, is the alignment of your interests with that of your customers. And there’s a lot of cybersecurity companies out there. So can you contrast what you do with maybe a cybersecurity company?

Joshua Motta [13:07]: Yeah, mean, look, there are obviously a lot of cybersecurity companies that are focused on oftentimes point solutions that are helping with one thing or another. You know, and certainly we partner with a number of them, you know, in order to deliver solutions to our customers. We, of course, also offer a number of solutions to our customers, many of which are absolutely free. They come with the insurance policy and that are designed to really address the most common risks and the most costly risks that we see, right?

So, whether it’s providing things like managed detection and response, where we offer a fully managed service for our customers, where we will monitor the security of their network, we have the ability to detect threats and we even have the ability to respond on their behalf. So, for example, you know, someone downloads an attachment and executes malware on their laptop, you we would be able to detect that and we could respond by isolating that machine from the rest of the network, working with our client to refresh it, if you will, get the malware off the machine and restore access to the user. If we can do that very quickly, we can prevent what is, at the end of the day, a claim, right? There’s been a security failure, but we can prevent it from spreading potentially in a ransomware-like instant across the whole network. We provide things like security awareness training, so sort of a preventative measure to educate the policyholders, the employees of our policyholders, rather, provide compliance tooling to help our customers automate their compliance obligations. So, there’s just a number of different tools that we offer.

But I’d say what is unique, as you mentioned or alluded to, is the aligned financial interest. Most cybersecurity companies don’t truly have an aligned financial interest with their customers. If the products fail to address something, it’s still on the company to survive. And it’s not to say that they’re necessarily mal-aligned interests, but in our case, we have very directly aligned interests with our policyholders. If for whatever reason the tools or the technology or the services we offer fail to prevent an attack, and of course that’s always possible. It’s impossible to eliminate cyber risk. We ultimately take it on with the insurance product. And so we have very much a vested interest in helping our clients minimize losses as much as humanly possible. And we have a clear feedback loop that helps us prioritize those controls and actions that are going to get the biggest bang for the buck, right?

You know, many of our customers have limited budgets. They have limited time, even more than they have limited budgets. If we can really help them focus on the things that are the most impactful, the most likely to reduce the likelihood that they suffer some sort of incident, you know, we’re very much aligned to do that. And so that’s a big part of our approach as well. It’s not just overwhelm our customers with data and information. It’s really helped them build clear, precise, actionable plans, step by step, here’s how you should prioritize the things you’re doing in order to get the biggest reduction in your risk.

Pete Miller [16:22]: Well, that’s very, very unique and very interesting. And the idea that you have the technology at the front end and if it, as you say, it’s a rapidly changing threat environment, and if something bad happens, then the insurance component kicks in. So I’m very curious. Did you start as a tech company and add insurance later or was a hybrid approach always the plan? Because it’s truly unique.

Joshua Motta [16:45]: Yeah, look, I guess I’d say it’s a hybrid approach. You know, I sometimes tell the company that the insurance companies of the future will be technology companies that are also insurance companies. And, you know, that’s an interesting nuance because, you know, at end of the day, we are an insurance company. We are regulated like an insurance company. We have to meet the regulations of all 50 states here in the U.S. Every province and territory in Canada we’re regulated in the overseas markets we’re in.

And there’s no doubt that we have the same business model and same objectives of an insurance company. We have to be world class at underwriting. We have to be world class at handling the claims of our customers. And we are, right? There’s no one who handles more cyber instants in a year than we do. And we are purely focused on that. I think you would be hard pressed to find an insurance company that is as sophisticated as we are when it comes to cyber.

With that said, you know, we, my DNA personally is building technology companies. And if you were to, you know, start as a software engineer, and I know I think you mentioned to me once before you dabbled as an engineer once upon a time, you know, you would, you would feel like you were in any other technology company. We have all the same functions, the same processes. You’d be working with stunning colleagues, you know. My CTO was literally the head of all engineering product and design at Tesla for everything post production of the car. You know, and now he’s, he’s working here at Coalition solving another important mission. And one that involves using technology, you know, in a very significant and scaled way, you know, to, address the core problems that we’re solving, whether it’s as an insurance company or in the technology solutions we provide to our customers.

So, you know, I think it’s a hybrid approach. And we certainly, we remember that we are subject to all the laws of gravity and all the other rules of insurance companies. But from a DNA perspective, it’s my belief that all businesses have to become technology businesses, and frankly, artificial intelligence businesses at this point in time, if they’re to succeed and win.

Pete Miller [18:55]: Couldn’t agree more. So let’s suppose I’m a new customer, say a manufacturing company, and I come to you, what would you tell me about the kind of cyber threats that me and other manufacturers are facing?

Joshua Motta [19:09]: Yeah, it’s a great question. And I think this is really where bringing like a really deep and innate knowledge of cyber as a form of peril, bringing that into the insurance industry has been something that’s really allowed us to innovate in subtle, but I think important ways. And you may remember that my background, I spent some time at CIA focusing on some of these problems. And I think there was a realization that the cyber and physical worlds are also coming together. A cyber or a security related failure, technology failure, can result in very real world physical losses. Whether that’s property damage, whether that’s bodily injury, whether that’s pollution liability, these are all coverages that we introduced into the cyber insurance market back in 2017, 2018.

You know, as far as I know, I think we’re still the only cyber insurance policy that, you by default you can get coverage for property damage, first and third-party bodily injury and pollution liability. And these are, these are, you know, losses that are very realistic for a manufacturing company. In fact, we’re probably the only cyber insurance company that’s paid out a property damage loss on a cyber insurance policy.

As a fun, as a fun little side story, we had a customer in the Midwest, it was during COVID. Traditionally their business was in blending alcohol or whiskey together. They converted their production to actually make hand sanitizer at the time. But they experienced a ransomware attack. And that ransomware attack took offline their entire network, all their computer systems, including those computers that were operating the factory equipment. And while there wasn’t anything as spectacular as an explosion, thank goodness, and no one was injured, the equipment wasn’t functioning. And again, I’m not an expert in manufacturing, but because of course the fluids weren’t going from one part of the factory to the other, the gaskets that were connecting the machinery together sort of dried up and were damaged. They cracked. And of course it was as a direct result of a computer security failure. And so in that particular instance, in addition to the business interruption losses, our policy stepped in to cover the property damage to their manufacturing facility.

And so that’s just kind of one way in which, know, coalition, we can be very helpful or very specific to businesses in particular industries and design coverages that maybe, and for exposures that maybe the companies themselves didn’t even realize they had, right? They just simply didn’t realize how dependent on technology they were. So that’s one example.

Of course, you know, all of the technology that I mentioned, that data graph, you know, take from a manufacturer. We’re looking at their internet facing infrastructure. You know, we’re looking for things that shouldn’t be on the internet, like industrial control systems or SCADA systems. You know, manufacturers have operational technology that’s used to operate real world equipment. You know, the best practice is that not only is that equipment or that technology segmented from the IT network, but it’s not attached to the internet at all.

And of course, you know, the best laid plans of mice and men, they will say, you know, occasionally people make mistakes or it is connected or accessible to the internet. These are things that we can detect in many cases and we can be very helpful in pointing out to a manufacturing business, hey, these are critical security issues that need to be addressed. So that’s just another way in which even beyond the coverage enhancements, you know, we can be very helpful to a manufacturing organization. In fact, coalition is, is the preferred cyber insurance product for the National Association of Manufacturers. So this is maybe a very good example to pick and one in which we excel at. You could have picked any industry and we have sort of a specialized solution and specialized capabilities that we can bring to bear for them.

Pete Miller [23:12]: Joshua, tell us what you think the threat landscape looks like two, five years from now?

Joshua Motta [23:19]: Look, I think threats are growing and for multiple reasons. One is that the world is digitizing very quickly. Digital transformation is in two words the fourth industrial revolution that we find ourselves in. And organizations are digitizing as quickly as they ever have. And so just simply the assets that they’re depending on to deliver value in their businesses are increasingly technology assets and tangible assets. And so not only is that risk surface growing, assets growing, of course then the threats to them are as well because cybercrime is among the most lucrative forms of crime a criminal can conduct.

Of course there’s more surface area for technology to fail. And so even absent criminal activity, you know, we see a growing number of technology failures that result in real world business losses for our policyholders. And so we’re predicting a fairly significant and steady increase in loss costs across the space for those reasons, you know, both that the exposure is growing, as are the threats and of course when you throw AI into the mix, you know, criminals are becoming more sophisticated and more efficient, you know, at attacking companies. They can now do that in multiple languages almost flawlessly, which is something that they were never able to do before.

And so, you know, most companies now that are in non-English speaking countries I think have much more risk exposure in the future than they did before, where most criminals either operated largely in English. So, kind of a handful of tidbits, but you know, I’d in the next two to five years, we would absolutely expect loss costs to increase in this space.

Pete Miller [24:52]: Joshua, what would be the one thing you would want listeners to remember?

Joshua Motta [24:56]: When you think about insurance in the context of active insurance, just for your listeners, right? You know, most insurance brokers in particular, are not used to insurance companies that have the capability to reduce the likelihood of a claim. We do that, in fact, and we can substantiate it. If you were to look at the annualized claims frequency across the U.S. cyber insurance market, it’s just over 6%. Coalition’s annualized claims frequency is 73% lower than the U.S. market average. You are objectively less likely to have a claim if you purchase insurance from us, either because we’re better at the selection piece or because of course we’re better at managing the risk as we’ve discussed, predicting and preventing it, to use the right tagline.

You know, and in my conversations with brokers, it’s like, how much would you value that? How much do you value an insurance policy where your customer is, you know, 60-70% less likely to have a claim than if they purchased another insurance policy? You know, I think many in our profession are just so used to that, these products being commoditized, that they’ve sort of stopped asking these sort of fundamental questions.

And so maybe that’s the one last thing that I would leave the audience with, particularly those in the broking space, broking cyber insurance policies. How much is that worth to you? How much is that worth to your client to place your client with a product where they just have a dramatically lower likelihood of having a claim in the first place? And if they do have one, it tends to be less severe. That’s probably a good note to end on.