How Two Former Spies Cracked The $11 Billion Cyber Insurance Market

Fintech startups Coalition and At-Bay, founded by security and spy-agency veterans, are using their tech smarts to transform the fast-growing business of protecting companies against hackers.

By Jeff Kauflin, Forbes Staff

Back in November 2022, Russian computers were surreptitiously scanning American computers when they stumbled into a trap: a network of 400 virtual servers with IP addresses that appeared to belong to real companies and organizations. Except these were decoys set up by Coalition, a San Francisco–based fintech that combines one of the world’s oldest industries—insurance—with cutting-edge techniques for detecting cyberthreats. “There’s no legitimate reason anyone should try to connect to any of those servers,” says Coalition CEO and cofounder Joshua Motta, a 40-year-old former CIA analyst.

Coalition saw that the intruders were probing for the presence of MOVEit, a program used to transfer big files, often containing confidential information. It emailed four of its cyber insurance customers who had MOVEit installed on the outer perimeter of their networks, urging them to put the software behind a virtual private network.

Six months later, Progress Software, the Massachusetts company that sells MOVEit, announced it had a critical vulnerability and issued a patch. But the infamous Russian ransomware gang Clop had already exploited the flaw to burrow deep into some organizations’ networks and was sure to demand payment not to leak stolen data. Coalition scanned its customers again and saw 19, with revenue ranging from $10 million to $1 billion, were now using the program. It sent an urgent email telling them to apply the MOVEit patch. Within a month, 14 had.

Such vigilance appears to have paid off. So far, none of Coalition’s 85,000 customers has filed a MOVEit-related claim. Not bad, considering that thousands of organizations and more than 90 million individuals reportedly had their corporate or personal data exposed by the flaw.

Since 2017, Coalition and its closest competitor, At-Bay, also based in San Francisco, have been reinventing the way cyber insurance is underwritten and managed, particularly for small and midsize clients. Old-line insurers seemed hopelessly out of touch, sending prospective customers forms asking such basic questions as whether they had antivirus software installed. The newcomers, by contrast, scanned potential customers’ systems as a hacker might. Sometimes they required specific security upgrades before agreeing to insure them. Other times, they simply turned them down. “We’ll let AIG or Chubb have you,” says At-Bay CEO and cofounder Rotem Iram, a 43-year-old veteran of one of Israel’s elite military cyber intelligence units.

Motta says Coalition rejected a Texas school district for coverage in 2020 because its underwriting scans showed some of its IP addresses “were talking to the command-and-control infrastructure of a known hacking group.” When the district reapplied five months later, he adds, Coalition learned that in the interim, it had been hacked and had filed a $2 million claim with another insurer that hadn’t been as smart about underwriting.

Even after Coalition or At-Bay accept a customer, they keep scanning it and sending alerts to control both their own and clients’ risk. In effect, small enterprises that haven’t traditionally paid for stand-alone cybersecurity services but are ready to shell out for insurance get both—whether they like it or not. Iram describes a constant battle to make clients take risk seriously. “People don’t care about security,” he complains. “When you work in security for too long, you think that everybody cares about it just like you do. But nobody cares.” If a customer insists on installing software that’s notoriously breach-prone, he says, At-Bay will threaten to double its insurance premiums.

RISK AND REWARD

Losses from cyberattacks spiked at the start of the pandemic, leading to big increases in both the demand for and price of U.S. cyber insurance.

That combination of screening, vigilance and jawboning has allowed the two fintechs to charge lower premiums, winning the favor of insurance brokers and a foothold in the market. It has helped, of course, that cyber was a newish niche when they entered the market, and that both cyberattacks and demand for insurance against them exploded during the pandemic. Total cyber insurance premiums in the U.S. shot from less than $1 billion in 2012 to an estimated $11 billion in 2023, according to San Francisco–based analytics firm CyberCube.

Policies typically cover remediation, investigation, lost business and legal costs related to everything from ransomware attacks and business email compromise schemes (in which criminals trick someone into paying a fake invoice) to privacy infractions.

Motta offers this chilling example: In 2020, using a single employee’s login, a hacker was able to move laterally within a Kansas distillery’s computer systems and shut the whole operation down. “The gaskets that sealed the different equipment where fluid was being transported dried up and cracked,” Motta says, causing property damage. Coalition and its reinsurers ultimately paid about $2 million on the company’s claim, including nearly $1 million in lost revenue, $600,000 in ransom to get back online and fees for attorneys and digital forensics experts. The business had bought a policy with a $10 million limit and had been paying just $21,000 in premiums a year, with a $25,000 deductible.

Today, such a Coalition policy would cost at least $120,000—and much more for a company with poor security controls. But prices might finally be leveling out. After nearly three years of stiff hikes, average premiums actually declined about 20% in 2023, as more insurers entered the market and many customers hardened their defenses. Despite lower prices, Coalition wrote more than $630 million in gross premiums last year, up 15%-plus from 2022, while At-Bay wrote $301 million, up 20%. Those are, again, gross premiums: Coalition retains just 10% of the risk and At-Bay keeps 20%. The rest of the risk and a big chunk of the premiums get passed on to large carriers and reinsurers such as Swiss Re and Munich Re. Net revenue last year was nearly $300 million at Coalition and more than $110 million at At-Bay.

While neither startup is yet profitable, their growth stands out in the struggling fintech sector, earning them spots on Forbes’ 2024 Fintech 50 honor roll. Both still have money in the bank, but should they need to raise more capital soon, they’d likely have to take a valuation cut given the state of the industry. Coalition last raised funds at a $5 billion valuation in 2022, making Motta’s 20%-plus ownership stake worth a bit less than $1 billion, by our estimate.

Neither Coalition nor At-Bay has yet suffered a catastrophic loss—which is always a looming risk. Plus, there’s another buzzsaw that other fintech innovators, including robo-financial advisors, have run into: Huge incumbents can mimic your ideas and maybe beat you at your own game. David Lewison, a national practice leader at insurance brokerage Amwins, which writes $500 million a year in cyber insurance premiums for small and midsize markets, notes that Chubb and some other established insurers have now made network scans a standard part of their risk assessments. But, he says, in his experience, Coalition, At-Bay and Corvus were the earliest and have been the most aggressive to actively scan for weakness and call problems to their customers’ attention.

Corvus? That’s a third cyber insurance fintech founded in 2017. Travelers acquired it at the start of 2024 for $435 million, a steep discount to the $750 million it was valued at in a 2021 fundraising, but two and a half times the $170 million investors had poured into it.

Even while seated at the conference table in At-Bay’s San Francisco headquarters, the six-foot-four Iram towers over his employees. On this January morning they’re briefing him on the impact of “Citrix Bleed”—a vulnerability related to Citrix’s remote access technology that it disclosed and issued a patch for on October 10, 2023. After third-party researchers figured out how it could be exploited, At-Bay’s engineers, all based in Tel Aviv, sprinted to build code to determine which customers were most likely to become victims. They finished in two days, identifying 345 customers (out of 35,000) using the product and contacted the 70 highest-risk ones individually while simultaneously urging all 345 to apply Citrix’s patch. Within six weeks, 334 had done so.

Timely patching is crucial; after Citrix flagged the vulnerability, hacking groups with names like Lockbit, Medusa and Alphv began piling on. So far, Citrix Bleed has been blamed for breaches at companies including Boeing, Toyota Financial Services and ICBC, China’s massive state-owned bank. In December, Comcast’s Xfinity internet service notified 36 million customers that their user names, birthdates, security questions and parts of their Social Security numbers may have been exposed. But just five businesses have filed Citrix Bleed claims with At-Bay, and it expects total losses will be less than $2 million.

“Everything is bad in our world, but this is medium to low risk,” Iram concludes—particularly when compared with a vulnerability in Microsoft’s physical email servers, which affected 10% of At-Bay’s customers in 2022 and led to more than $10 million in losses.

Iram has had a lot to put in perspective since Hamas terrorists’ October 7 attack on Israel and Israel’s subsequent invasion of Gaza. “Everything has been incredibly traumatic for us,” he says. A fifth of his 110 Israeli employees have been mobilized to fight, forcing some lower-priority projects to be shelved as other workers scramble to pick up the slack.

The CEO began his own mandatory military service at 18 and was assigned to the Israeli Intelligence Corp.’s 8200 unit, famed for producing cybersecurity stars including billionaire entrepreneurs Gil Shwed, the CEO and cofounder of Check Point Software, and Assaf Rappaport, the CEO and cofounder of Wiz, a cloud security outfit. Iram stayed in the unit for five years, ending up a captain, with 300 people reporting to him. Then it was on to Hebrew University of Jerusalem for a computer engineering degree, jobs in software engineering and as a McKinsey consultant, a Harvard MBA and a stint running the cybersecurity practice of New York–based global risk advisory firm K2 Intelligence (now K2 Integrity).

In 2016, he left K2 and started working on his startup with three cofounders and a little backing from HSB, a tech-focused unit of Munich Re. At-Bay formally launched in 2017 with seed funding from Lightspeed Venture Partners, among others. When a 2020 surge in ransomware attacks led many established carriers to lower their coverage limits and increase prices, At-Bay hit the gas. “Everybody else ran away,” Iram says. Gross premiums sextupled from $20 million in 2020 to $120 million in 2021. So far, At-Bay’s tech-first approach has helped it hold down losses; its incurred loss ratio for 2022 (the most recent year with meaningful data, given that claims take months to realize) was 29%, compared with a 45% average for the top 20 U.S.-domiciled cyber insurers.

These days, At-Bay is increasingly focused on creating security software to bundle with its insurance. A vulnerability monitoring tool comes standard with its policies. It recently added a managed detection-and-response product that starts at about $5,000 a year and hooks up to clients’ internal systems, monitors their physical computers and provides dedicated customer support for detecting threats.

While keen to expand his security software offerings, Iram has resisted the temptation to broaden At-Bay’s insurance products—an allure to which Motta has yielded. So far, At-Bay has raised $292 million in investor money, getting a $1.4 billion valuation at its last fundraise in mid-2021. It says it still has nearly $200 million in the bank.

“If you use a computer and an internet connection, congratulations, you have cyber risk,” says Motta, whose customers range from doctors’ offices to NFL teams, hot sauce manufacturers and cryptocurrency startups. He’s sitting in his home office in the posh Los Angeles neighborhood of Pacific Palisades, with a view of the ocean. No fewer than six signs outside his fence announce 24/7 monitoring and security. “It’s like Fort Knox,” he says. Self-protection is a necessary fact of life in this line of work. When someone takes a job at either Coalition or At-Bay and announces it on LinkedIn, they are typically bombarded with phishing texts purporting to be from their new CEO.

Motta grew up in a Kansas City suburb and got hooked on the internet early by two uncles who worked in networking technology. By 12, he was building websites for local realtors. By 15, he had a $15-an-hour summer programming job at Microsoft, which was impressed by the shopping cart software he’d created for DogToys.com and others. While majoring in international studies at the University of Chicago, he got a part-time analyst gig at the CIA, where he studied hacking campaigns by America’s adversaries. After graduation, he tried investment banking at Goldman Sachs in London, did short stints in private equity and venture capital and then, in 2011, became the 20th employee of Cloudflare, the internet infrastructure security company.

In 2016, he cofounded Redacted with Max Kelly, Facebook’s former chief security officer, and John Hering, the founder of security company Lookout. But while Kelly wanted to build security tech for big companies, Motta was focused on insurance. So Hering and Motta spun out Coalition into its own company; investors including Vy Ventures, Ribbit Capital and Valor backed them with $10 million in funding. Coalition announced its birth on December 5, 2017, three weeks after At-Bay’s launch.

From day one, Motta positioned Coalition to grow faster than At-Bay. Both companies had great tech, low prices and fast underwriting. Motta added a critical human ingredient: He hired insurance industry veterans who had existing relationships with the independent brokers who sell most business insurance. That helped it capitalize more quickly on the 2020 surge in demand.

Motta was also more aggressive about tapping into the venture funding that flooded into fintech during the pandemic—by mid-2022, Coalition had raised $770 million. But this large pot also enabled a big mistake. Flush with VC cash, in 2021 Coalition paid $200 million to acquire Attune, a New York–based insurer and digital marketplace serving 15,000 brokers selling small-business policies of all sorts, from professional liability and workers’ compensation to flood insurance. Attune’s insurance book was already losing money, and after Hurricane Ian hit Florida in September 2022, its finances got worse. After just 15 months, Motta sold Attune. Coalition won’t say how much it sold for, but according to a source familiar with the deal, it was at a steep loss. Motta, in his defense, points out that as part of the sale, Coalition secured the rights to become the exclusive seller of cyber insurance on Attune’s platform, which he now insists was his primary goal in the first place.

Coalition has also expanded laterally into another insurance niche: liability coverage for directors and officers. “The idea is to become the dominant insurance provider for a digital business,” Motta says, adding that offering multiple products also makes Coalition more attractive to brokers.

There’s a bigger systemic challenge facing both Coalition and At-Bay. Despite the rapid growth of cyber insurance over the past few years, some industry insiders question its sustainability. They fear hacking schemes are changing too rapidly to reliably assess risk and most customers are still unprepared, raising the specter of a catastrophic event causing tens of billions of dollars in damage.

Of course, if old-line insurers have an awful year in cyber, other parts of their business could provide a cushion. The startups don’t have that luxury. “There’s a real thing called having scars from losing money. And I admit I do not have a lot of these scars,” Iram says. “I try to surround myself with people who have developed those scars, because there’s an intuition and a perspective that you develop when you’ve done this for 25, 30 years.”
