Pleasanton, California-based cyber insurance firm Cowbell Cyber has emerged from stealth, announcing its Cowbell Factor product with $3.3 million seed funding from leading insurance, cybersecurity and artificial intelligence venture funds, including ManchesterStory Group, Holmes Murphy & Associates, Tri-Valley Ventures and the Global Insurance Accelerator.
Founded in January 2019 by Jack Kudale, Cowbell describes itself as a cyber risk and insurance observability platform.
The cyber insurance market is growing, and has the potential to grow substantially. German reinsurance giant Munich Re said in September 2018 that the market would grow to $8 to $9 billion by 2020. Separately, Allied Market Research has predicted it will grow to $14 billion by 2022. But the market has problems. Cyber insurance is primarily a gap filler: a product developed by the insurance industry to fill the cyber gaps left by other insurances. At the same time, the industry has little history on which to base the premiums to fill these gaps.
Two basic problems for the insurance industry are that the buyers don’t know what they need (to fill the gaps in what they have), and the sellers don’t know how much to charge for what they sell. Both sides need to get this right. If the premiums are too low, the industry won’t make a profit; if they are too high, then the market will struggle. The danger, Steve Durbin, managing director of the Information Security Forum, told SecurityWeek, is that if the insurance industry badly miscalculates the balance between premiums and exposure, “several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover.”
At the same time, if the policy holder doesn’t fill the right gaps, he won’t be covered. A case in point is the issue between Mondelez and Zurich. Mondelez believed it was covered against NotPetya losses through its property insurance. Technically, it was, but the policy was subject to the standard ‘war exclusion’ clause that applies to property. Zurich denied the Mondelez NotPetya claim ultimately because it was a property insurance policy rather than a cyber insurance policy. There is no known example of an insurer denying a NotPetya claim against a cyber insurance policy (largely because there is no standard war exclusion in cyber).
The obvious solution is for the insurance industry to call upon the expertise of the security industry to find and rate risks. But there is a natural reluctance by the insurers to do anything that might appear to be endorsing a specific security product. One area that is slightly different is the security ratings industry, where different firms assess the security of organizations by examining multiple aspects of their internet-facing infrastructure. In June 2018, the world’s largest insurance company AXA announced that it would partner with ratings firm SecurityScorecard to help set premiums.
But this merely highlights the existing problems with finding insurable risk and setting the right premiums. Risk is largely found by organizations completing long insurer questionnaires, while premiums are set by looking at the organization from the outside. This is the current state of the cyber insurance market that Cowbell seeks to change, by finding insurable risk from inside the organization using Cowbell Factor, its continuously running, AI-based insurable risk detection product.
“With the increasing magnitude and frequency of cyber-attacks, organizations not only need to focus on prevention and detection but also on managing risk mitigation in the aftermath of attacks,” said Jack Kudale, founder and CEO, Cowbell Cyber. “Cowbell Cyber has demystified enterprise-specific insurance coverage through the development of an early warning system that enables companies to gain complete insight into risk exposure and take control of loss mitigation while increasing insurability.”
Factor is not a security product in the traditional sense. It does not detect and block specific threats — instead it provides ongoing, automated insurable cyber risk assessments. It calculates the probability of a threat based on the organization’s actual security posture and combines this with the likely financial impact. It adds the risk signals emanating from the organization’s internet-exposed infrastructure (similar to the risk ratings companies), together with threat insights gleaned from continuous scans of the dark web and years of industry-specific business interruption data to determine a very precise level of exposure. This can then be used to buy the right level of cover for the area needed — filling in the gaps that are not already covered by other insurance.
The intention is not to sell Cowbell Factor as a separate product, but to allow insurance brokers to use it for their customers. The brokers will then take the details back to Cowbell for the required insurance tightly aligned to the actual risk. The Cowbell policy, Cowbell Prime, is designed for companies with annual revenue up to $250 million, and will be rolled out in the first quarter of 2020 starting in California. The new funding will be used to expand the offerings into other states including Oregon, Arizona, Nevada, Colorado and Illinois before expanding across the country.