When it comes to cyber fraud, complacency is a corporate killer, and what executives don’t know about how they are vulnerable to sophisticated hacking attempts can hurt them.
Coalition, which focuses on cyber risk and insurance, said earlier this month in a press release that it had raised $40 million in a funding round led by Ribbit Capital, with participation from other investors as well, including Greenoaks Capital and Hillhouse Capital Group. The Series B funding, the company said, will be used to boost data analytics and hire staff across its engineering and incident response teams.
Broadly speaking, the company offers a hybrid model of cyber insurance and cybersecurity. As Coalition CEO and Co-founder Joshua Motta told PYMNTS’ Karen Webster, it’s in the early innings for the evolutions — yes, plural evolutions — of technology, technological risk (which includes cybercrime) and multiple lines of defense against those risks.
To offer some illustration, he told Webster about a graphic that ran in The Economist a few years back, where 4.5 billion years of the earth’s geological timescale was represented, with a red dot demarcating that “you are here.” This indicates that we as a species haven’t been on earth terribly long, relative to what has gone before.
We’re not all that far along the technological evolutionary journey, he added, where we’ve just made the somewhat short physical leap from rubbing sticks together to, nowadays, jabbing at keyboards and computer screens to make things happen. Along that time frame (and what’s beyond the horizon), the pace of technological change has been enormous. Technology and digital processes are increasingly transforming everything from the way cars operate (using bits and bytes, rather than purely mechanical processes) to, of course, the use of Internet of Things (IoT).
However, along with technology comes a double-edged sword. Companies know they must adopt technology for any number of operational reasons or risk lagging behind competitors. That’s a risk, of course, that is written across the competitive landscape, though Motta noted that the benefits of embracing technology can be immediate. Conversely, there’s another risk: When companies do adopt technology, they may be exposing themselves to threats that have scarcely been considered — if they’ve been considered at all.
Yet, he said, “technological risk has become one of the most pervasive risks facing society, and certainly facing businesses, right up there with climate change.” (Cybersecurity, he noted, should be viewed as a subset of the overall technology industry, and it exists as a $100 billion to $120 billion vertical.)
Underestimating Cyber Risk
“The state of cybersecurity now in the world is that there is this mindset that ‘we will worry about it later,’” said Motta. He explained that, for smaller firms (where executives take note of the headlines swirling around sensational data breaches), there may be a false sense of security — namely, that such attacks only target larger companies.
The irony is that the accepted solution for cybersecurity risk has simply been to adopt more technology, an approach that Motta likened to circular logic. Thus, despite firms spending record numbers on defense, they are also experiencing record numbers measured in economic losses ($1.5 trillion in annual losses across the global economy, as Coalition said at the time of the funding announcement), which, he suggested, is “positively correlated and not negatively correlated.”
The Three Options
The overall approach to cyberthreats should be one of risk management, said Motta, which can take a page from how we view, prepare for and insure against the risks of, say, a hurricane or flood.
In managing this risk (at the individual company level), he said, there are three options. The company can simply accept the risk, knowing it is out there. It can take steps to mitigate that risk — “and this is where, of course, technology will play a role,” said the executive. Finally, he added, the company “can transfer this risk — and that is the domain of insurance. You cannot eliminate the risk, but you can eliminate the cost of the risk by transferring it to someone else.”
Coalition, explained Motta, takes on risk much in the way an insurance company would (by taking on the transference of risk), but also differs from a layer of service that goes beyond those offered by an insurance company. Coalition works with its clients — now numbering at nearly 10,000 smaller and mid-sized firms across a number of verticals, and averaging roughly $20 million in annual top lines — to prevent the loss in the first place. The result, the company said, is one that “democratizes access” to cybersecurity technology.
The Business Model
He explained that Coalition’s corporate clients apply for insurance with an application that helps the firm “collect enormous amounts of data about the risks that your company faces.” The data platform analyzes hundreds of millions of data points within an organization.
Just as an auto insurance firm might hesitate to insure a driver who’s been known to leave their seatbelt unbuckled while behind the wheel, “we do the equivalent. If you're doing something, it is very likely going to get you targeted [by cyber fraudsters. We’ll] tell you, ‘Look, sorry. We can’t provide you [with] insurance until you fix [this] particular issue, and we [can] help you do that.’ So, the application process itself can be helpful,” he said.
Upon becoming a Coalition policyholder, he added, there can be suggestions to address vulnerabilities throughout the life of the policy. Coalition can elect to not renew a firm if it does not address these issues, or it can increase premiums along the way. “If you do do the things we recommend, then you qualify for a lower premium upon renewal, or you qualify for better coverage,” he told Webster, likening the model to a stick-and-carrot approach. The constant sifting of data, and pooling of risk with careful underwriting, leads to a coalition approach to insurance, said Motta (giving rise to the company’s name).
The liability insurance covers any fallout tied to negligence, as well as first-party losses, and can be used to replace hardware. In the case of social engineering, it will reimburse all the money that has been wired out. About 80 percent of the time, the root cause of all the claims the firm pays “has a social engineering element,” which involves, for example, phishing attacks via email that trick Coalition clients’ employees into sending passwords or wiring money. If only those companies had multi-factor or two-factor authentication processes in place, said Motta, the number of claims could conceivably be cut in half.
The company, he told Webster, makes money by selling insurance (not technology), and offering its platforms and apps — which, for instance, guard against ransomware or warn against password compromises — for free. That can help smaller firms defend themselves, even if they don’t have the capital needed to spend on cybersecurity.
As Motta put it, “We are 911 for our policyholders.”
That’s done through the company’s platform, and an internal team that provides instant response to its clients’ security issues.
“One of the greatest inhibitors for cybersecurity is that they don’t know what they don’t know,” he said. “Our hope is that we can expose [what they don’t know] to them … and, more often than not, they will fix the problem that we tell them about.”