New Cyber Insurance Firm Unites Insurance With Cyber Intelligence
17.11.2017 securityweek Cyber
Mountain View, Calif-based cyber insurance firm At-Bay has emerged from stealth with a mission to shake up the status quo in cyber insurance. It brings a new model of security cooperation between insured and insurer to reduce risk and exposure to both parties.
At-Bay has partnered with HSB to bring to market a product to insure and defend organizations against cyber risks. It has closed a $6 million seed funding round, led by LightSpeed Venture Partners, with the participation of Shlomo Kramer and LocalGlobe.
"We founded At-Bay with the belief that controlling for cyber risk enables businesses to embrace technology and unlock great value to customers," said Rotem Iram, CEO and founder, At-Bay. "We match deep insights on a company's IT security with financial exposure that cyber attack vectors create, to enable insurance brokers and risk managers to more clearly and accurately assess and manage cyber risk. Our insurance products and supporting risk management services provide organizations with the confidence that they can take on the challenges of tomorrow."
Organizations are increasingly digitizing their businesses and becoming more reliant on technology. No technology is fully secure, so its use presents risk. Much of that risk is mitigated by security technology -- but each day there is further proof that security technology is not perfect. Risk managers need to consider that, despite all the security technology employed to mitigate risk, there will always be residual risk that is best handled by risk transfer; that is, cyber insurance. Cyber insurance can therefore be seen as a complement to cybersecurity technology: used together, they more fully mitigate the increasing risk of insecure digitization.
The primary problem for cyber insurers is that there is no established historical corpus of understanding for cybersecurity risk in the same way as there is for, say, motor or life insurance. Insurance works best with static risk, but cyber risk is intrinsically dynamic -- both the target (the IT infrastructure) and the attack methodology (attackers, tools, techniques, exploits and motivation) are continuously changing. Neither the insurer nor the insured currently understands how cybersecurity can be insured. For example, a survey by At-Bay indicates that 50% of companies that do not have cyber insurance say it is because they do not know enough about cyber insurance.
At-Bay proposes to solve this dilemma by uniting cybersecurity understanding with cyber insurance delivery within one supplier. At-Bay's Rotem Iram points out that insurers have two advantages in this process. Firstly, they are on the hook to pay out in case of loss; and secondly, as they develop their customer base, they become privy to a vast amount of information on cybersecurity and risk. The first provides the incentive for insurers to learn from the second, provided they have sufficient in-house understanding of cybersecurity threats, mitigations and response.
One of the problems for insurers is that each client's risk profile is continuously and unpredictably changing. "A rate could be set for a perceived risk; but two months later the NSA loses EternalBlue and the risk level changes," explains Iram. "The insurer cannot increase the premiums because it's not the insured's fault -- so he has to carry that increased risk at the same premium for another ten months. But if the insurer has sufficient understanding of the security posture of the client, he can tell the client about the new risk and how to mitigate it."
The interesting part about this example is that Iram would still pay out on the insurance even if he warned a company about a new risk and the company did nothing about it -- and was subsequently affected. "Yes, 100%," he told SecurityWeek. He accepts that he may be being a little naive, but firmly believes the future for cyber insurance is the evolution of a mutually collaborative relationship between insurer and insured. If the insurer gives good advice, and the insured responds, the insurer could give an end-of-year rebate.
Key to that collaboration is that the insured must trust the cybersecurity knowledge of the cybersecurity insurer. This is what has been lacking and is precisely what At-Bay seeks to bring to the table. Iram himself comes from a security background, and even spent five years with the Israel Defence Forces where he became head of the techno-intelligence group. He believes that if the insurer can demonstrate that it gives good advice, the insured will respond. "Nobody wants to get hacked. There's always a cost. There will always be some aspects that aren't or cannot be covered by insurance." Insurance is about reducing financial exposure as far as possible, not about eliminating it -- it cannot, for example, insure against loss of revenue caused by brand reputation damage (think Target), or loss of share value (think Equifax).
"We will be collecting data and using researchers to push the limits of our understanding of risk," he told SecurityWeek. "As we do that, we will be improving the quality of our product. Product quality is depressed today because insurance companies do not really understand the cybersecurity risk.
"Our team," he continued, "is split between Mountain View and Tel Aviv. Tel Aviv is where we have access to incredible security talent from the intelligence community. What we've built is a nation-state level reconnaissance capability based on what we've brought from the intelligence community. Our team and machine gathers intelligence from different sources, contextualizes it, and relates it to the customer infrastructure. Long story short, we scan the entire market of publicly available resources every month. Whenever we underwrite a company we have a history of how their technology stack and their security stack has looked and evolved over a period of time. This is a good part of the underwriting process, and helps us offer really good security advice to our clients."
The Equifax breach is an example of how this model would work. Rather than sit back and wait for the breach that would trigger an insurance claim, At-Bay would detect and inform any client with an unpatched vulnerability (such as the Struts vulnerability at Equifax) and explain how it should be remediated.
If At-Bay succeeds in its model of uniting security intelligence with insurance, it could shake up the entire cyber insurance market. If it does that, then both cybersecurity vendors and technology companies will need to look at their own existing third-party liability insurance. If more companies adopt cyber insurance, then more cyber insurers will start trying to claw back their payouts from third parties who may be deemed to have been at fault in the breach.