Former Spies Unveil Breakthrough in $11 Billion Cyber Insurance Market
How Two Former Spies Cracked The $11 Billion Cyber Insurance Market
During his previous venture, an investor challenged Joshua Motta, CEO of Coalition, to siphon $100,000 from his own bank account. Adopting a hacker's mindset, Motta and his team accomplished the task in just three days.
Coalition and At-Bay, fintech startups founded by veterans from security and intelligence agencies, are transforming the rapidly expanding field of cyber insurance, protecting businesses from increasing cyber threats.
In November 2022, while Russian computer systems scanned American networks, they encountered a trap: 400 virtual servers with IP addresses mimicking legitimate companies. These decoys were orchestrated by Coalition, a San Francisco-based fintech that combines traditional insurance with cutting-edge cyber threat identification. "There's no valid rationale for anyone attempting to access these servers," Motta explains, a 40-year-old former CIA analyst.
When Coalition detected probing for MOVEit, a program used to transfer sensitive data, they quickly alerted four clients utilizing MOVEit on their networks, advising them to secure the software with a virtual private network. Just six months later, Progress Software, the company behind MOVEit, revealed a critical vulnerability that the Russian ransomware group Clop had exploited. Coalition scanned its clients again and found 19 companies at risk, sending urgent emails to encourage them to apply the MOVEit patch. Within a month, 14 companies complied.
This proactive strategy appears effective. To date, none of Coalition's 85,000 clients have filed a claim related to MOVEit, despite reports indicating that thousands of organizations had their data compromised due to the vulnerability.
At-Bay CEO Rotem Iram highlights a concerning trend: software companies often escape accountability for their security flaws, leaving small businesses vulnerable. "We've fostered a culture where it's acceptable to develop products that are barely functional, then release them and let attackers serve as our testers."
Since 2017, Coalition and At-Bay have been reshaping the underwriting process for cyber insurance, especially for small and medium-sized businesses. Traditional insurers rely on simplistic questionnaires that overlook vital factors, like antivirus software presence. In contrast, these fintech companies assess clients' systems like hackers, sometimes mandating security enhancements before offering coverage. "We'll leave you to AIG or Chubb," remarks Iram, a 43-year-old veteran from an elite Israeli military cyber intelligence unit.
Motta recalls how Coalition declined coverage for a Texas school district in 2020 after underwriting scans revealed communication with a known hacking group. When the district reapplied five months later, Coalition discovered it had been hacked and filed a $2 million claim with another insurer.
Even after onboarding clients, Coalition and At-Bay conduct regular scans and issue alerts to manage risk. Small businesses that traditionally haven’t invested in cybersecurity services but are willing to invest in insurance receive both benefits. Iram notes the struggle to prioritize risk management: "People overlook security. When you're immersed in it, you assume that everyone values it as much as you do."
Cyberattack losses surged at the onset of the pandemic, significantly increasing the demand for and cost of U.S. cyber insurance. The combination of thorough screening, constant vigilance, and assertive communication has allowed these fintech companies to offer lower premiums, gaining favor with insurance brokers.
This success is compounded by the market's relative newness and the spike in cyberattacks during the pandemic. According to CyberCube, total cyber insurance premiums in the U.S. rose from under $1 billion in 2012 to an estimated $11 billion in 2023.
These policies typically cover remediation, investigation, lost business, and legal costs from various cyber incidents, including ransomware attacks and data breaches.
Motta shares a sobering incident from 2020: a hacker infiltrated a Kansas distillery’s systems through an employee's login, causing operational shutdowns and significant property damage. Coalition and its reinsurers settled the claim, paying around $2 million, which included $600,000 in ransom and legal costs. The distillery had a policy with a $10 million limit and annual premiums of just $21,000.
Today, a similar policy from Coalition would cost at least $120,000, especially for companies lacking robust security measures. However, prices might be stabilizing; after three years of significant increases, average premiums fell by about 20% in 2023 as more insurers entered the market and many customers improved their defenses. Coalition reported over $630 million in gross premiums last year, a 15% increase from 2022, while At-Bay wrote $301 million, marking a 20% growth. Both companies transfer a substantial portion of their risk to major carriers and reinsurers like Swiss Re and Munich Re.
Despite not yet achieving profitability, Coalition and At-Bay's remarkable growth has secured them spots on Forbes' 2024 Fintech 50 honor roll. While they still have reserves, they might face valuation reductions if they seek additional capital soon, especially in the current industry climate.
Neither company has faced a catastrophic loss yet, though the risk looms. The challenge remains that established insurers can replicate their concepts and potentially outpace them. David Lewison from Amwins notes that traditional insurers like Chubb have now integrated network scans into their risk assessments but acknowledges that Coalition, At-Bay, and Corvus were among the first to actively scan for vulnerabilities.
Corvus, another cyber insurance fintech founded in 2017, was acquired by Travelers for $435 million in early 2024, a markdown from its $750 million valuation in 2021.
As Iram sits in At-Bay's San Francisco headquarters, the team updates him on "Citrix Bleed," a vulnerability in Citrix's remote access technology disclosed on October 10, 2023. Upon its discovery, At-Bay's engineers quickly identified 345 vulnerable customers, contacting the 70 most at risk. Within six weeks, 334 had applied Citrix's patch.
Timely patching is crucial; shortly after Citrix's vulnerability disclosure, hacking groups exploited it, leading to breaches at firms like Boeing and Toyota. Although only five businesses have filed claims with At-Bay related to Citrix Bleed, total losses are expected to remain under $2 million.
