8 Questions for Mario Vitale, President of Resilience
Industry veteran Mario Vitale joined Resilience in September of 2019 as president.
Recently, he sat down with Risk & Insurance® to talk more in-depth about his reasons for joining the Resilience team and hopes for the future. Here’s what he had to say.
Risk & Insurance: Mario, what attracted you to Resilience?
Mario Vitale: By mid-2016, I was semi-retired, but I was doing board and advisory work. I came across Arceo (now branded as Resilience) in the middle of 2018 and met some really great guys; that would be our co-founders Raj Shah and Vishaal Hariprasad. What I loved about them, besides the fact that we hit it off, is that they are legit American heroes — they are both combat veterans — defending us against cyber attackers. They wanted to take those skills and do some real good in the insurance space.
So, I started working with them as an advisor and a board member a year before I joined them full time. I liked them so much and wanted to help them. At that point in time, they were focusing on cyber security, cyber technology and Insurtech to aid the insurance industry. We worked together on closing some opportunities for them and helping them on that phase of their development.
I got to know them better — they got to know me better — and their model continued to evolve. Their ambition was to take cyber security and Insurtech and build in risk transfer. What they didn’t realize was the fire they lit under me. There are a couple of reasons: One of them, I’m an insurance veteran. It’s all I’ve ever done. I even went to college for it. So to come out of semi-retirement and help build something at the foundational level was exciting.
But two, what they were building was incredibly compelling. I remember from the earliest days of my career, FM Global was the first company on the property side to marry risk assessment, risk engineering and risk transfer. No one was doing that in cyber, and I couldn’t resist.
R&I: Was that what really clicked for you, your knowledge and memory of that FM Global approach?
MV: It went off like a rocket in my head. “Wow, what cyber insurance needs is someone to replicate the FM Global model.” As things stand, everybody is buying the various elements of cyber risk management in separate buckets. Cyber security is in one bucket, technology runs in a different bucket and then risk transfer is in yet another. One doesn’t help each other, and there are huge gaps between them.
I dropped everything and joined them full time in September 2019 to focus on building a value proposition that was different than anything else that had been done before. That, of course, is built on the foundation of cyber security, cyber technology and cyber risk transfer in one preferred package; it’s the FM Global model for cyber.
R&I: That FM Global model is something we’ve been writing about for years. If you work with us to engineer and protect your roof, we’ll cover you for storms. It makes a lot of sense.
MV: I’m glad I’m not the only one who feels that way. I love the idea and was actually pretty happy to see that it wasn’t being done in cyber. It makes so much sense, especially in this really threatening world. It aligns everyone’s interests around making companies stronger.
If you think about what FM Global did after the industrial revolution, they separated what I would call high risks, medium risks, and low risks and charted that against preferred protections — sprinkler systems, brick construction, workplace safety features. That gave them a platform to write better coverage for preferred risks and provide a higher order of value than a policy and claims service.
I remember as a young man trying to compete against them. I realized their clients are embedded in there. They followed FM Global’s criteria, invested in the security of their business and as a result, got a preferred risk transfer package and great claims service. They were married to FM Global forever. And I remember, when I saw that FM Global was the incumbent, I didn’t even try to compete against them. It worked for the insured, it worked for the insurance carrier and it worked for the broker.
R&I: So when you think of the competition, and the markets, where is Resilience going to position itself?
MV: I looked at this chaotic marketplace, and the first item I noticed is that for most of the companies in the cyber security/cyber insurance space, their ceiling is going to be my floor. We’re not doing small commercial. Nothing wrong with that market, and you can service it with the high tech/low touch model that a lot of Insurtechs subscribe to.
But remember, I’m an insurance student — so I’m looking to address complex risks that require thoughtful, integrated solutions working with CISOs and risk managers.
That market puts us in the space where the client is making significant investments in their cyber security measures, because they can’t afford the reputational risk of losing client data, suffering ransomware where they’re shut down or just having their physical equipment shut off, and they can’t operate with their customers. They can’t afford those losses and will likely have a full time CISO to help protect them against the various means by which the hackers are attacking.
Then, once you have that seriousness about the risk, you think about engineering to help prevent the risk, making you resilient, which is why we named the company Resilience Insurance. When you are hacked, how do you keep a breach from becoming a loss? And how do you keep a loss from becoming a large loss? And how do you keep a breach from becoming a reputation risk or a ransomware situation where you’ve got to pay more money to get back to business?
So that’s where we get to shine. We get to have a tri-part relationship — us, the client and the broker — and everyone’s interests are in sync. We get to talk about what systems they have and what improvements they could have. How we can make a marked improvement in their defenses.
Also — relative to where we are positioning ourselves and differentiating ourselves — I believe we are the only company in this space with an in-house claims team with the authority to settle claims. So, if you have a breach and you’re with one of the well-known MGAs out there, when you call in your claim, you’re dealing with an insurance company that doesn’t know you. Not the same people who sold you the policy.
With us, your claims person is on the same team as the people who sold you the policy, and we have an 800, 24/7-staffed response phone line where, as soon as there’s an incident, we can help minimize the damage and again, help them from becoming a bigger problem. Then, post-breach, we work with you to improve your systems. So, our value proposition is different than what’s out there, not only in binding a policy and playing claims, but making companies stronger and safer.
One other point on how we’re positioning ourselves — several of our leaders are veterans. If they can protect our missile systems from cyber threats, they can take on the risks that companies face.
One of them, Mike Convertino (the CSO of Resilience) is not only ex-cyber warfare — he was the CISO of Twitter. You can imagine when he gets on the phone with a CISO of any company out here, these guys relate to each other, not as insurance people or not as people with a manufacturer’s or retail lens, but as CISOs. What it is like to protect the company and what it’s like to confront the challenges you face, including getting an IT budget that you need to be successful.
R&I: You mentioned the size of the company, Mario, that you want to deal with, or the partner you want to deal with, and you’re mentioning they’re big enough that they probably are going to bring in a CISO, or they’re going to have a CISO. Do you feel that in that size company, that the CISO and the risk manager are going to be better schooled and working hand-to-hand and understanding holistically what they need to do together?
MV: I’m reluctant to offer a blanket statement as the CISOs and risk managers working together is more a function of culture than company size.
More often than not — and not their fault — they report to different functions and have different KPIs. So while they share a common objective, they aren’t always operationally aligned on how to build a more secure enterprise.
R&I: Let’s talk about ransomware some. I was talking to some experts recently and we’re starting to see some pretty eye-popping ransomware demands. Years ago, you would think of a certain number, but now you’re hearing maybe as much as a billion. Do you find that part of it daunting, or how do you look at that pretty rapidly expanding risk, if we could phrase it that way?
MV: Yeah. It is becoming a bigger problem. And of course, it’s not only the amount but also navigating possible government sanctions depending on who is demanding the ransom — and what country they’re in. Our chief claims officer, Michael Phillips, is one of the experts in this area. We’re prepared not only to advise pre- but post-breach.
While a lot of the action is about the protection you take beforehand, what you do after — when there’s a breach — is just as important.
R&I: There is still confusion, not just in the mainstream media, but even in the distribution community, about what cyber coverage is and how a broker can sell the coverage or bring the coverage to a client. When you think about distribution, what should a representative be stressing to the insured about what cyber can do and what the most important policy points to focus on are?
MV: Cyber insurance continues to evolve at a steady state — the broker/client relationship is evolving. At some point in everyone’s career, they learn that trying to be all things to all people isn’t a strategy that you can execute. So our strategy is to work with the top 25 to 30 brokers in the U.S. and partner with them. Our mission is providing comprehensive solutions for the cyber risk market. Bringing together security, insurance and recovery, we go beyond risk transfer to help our clients become cyber resilient.
Where we’re different from the other cyber insurance players is that our model starts with cyber security, which helps make the clients stronger. With the increase in breaches and cyber crime, that’s a strong starting point for the conversation with the insureds — so we’re working with brokers to help them see how our model is different and help them deliver a higher order of insurance value, as I mentioned earlier, starting the cyber insurance conversation with a discussion of making the company stronger against cyber attacks and building from there to the insurance conversation.
R&I: You’ve been in the business for quite some time. When you look back at your career, Mario, and you think of the changes you’ve made and times you’ve innovated, is there a point in your career that you would compare to the point you’re at right now?
MV: Well, I’ve never launched something quite like this before, plus in the middle of a pandemic, I’m feeling like the kind of chaos that we had after 9/11.
There was a lot of confusion. Rates were up in all lines of business. Coverage contracted — and the government backstop was born. Combine that with launching a new product, that’s just coming to maturity.
It’s a hard market and a very important product, so we’re at an inflection point where I feel it’s the right time and the right place for somebody to step up and do it differently and better and set an example the world should follow. &