A Risk & Insurance Q&A With Joshua Motta, the CEO of Cyber Insurer Coalition
In late February, Risk & Insurance spoke to Joshua Motta, the CEO of cyber insurer Coalition, to get his views on where his company, and insurance underwriting in general, might be going.
The following is a transcript of that interview, edited for clarity and length.
Risk & Insurance: As the leader of a Coalition, and as you look ahead to this business year, what opportunities are you thinking about?
Joshua Motta: There are a couple. One is improving the technology of insurance. One of the problems with the insurance industry, and this wasn’t pointed out by me, I was reading Stephen Catlin’s book, Risk and Reward, and he talked about how the industry suffers from a structural timing problem, which is that you only get value out of an insurance product after something bad happens to you.
Simply put, one of our goals is, how can we improve the technology of insurance?
If you think of insurance as a technology to purchase protection today from uncertain loss in the future, what if a company didn’t just pay out that loss? What if they could reduce the uncertainty? What if they could prevent the loss or contain the severity of the loss or the instant when it happened?
That’s been a hallmark of our business model, but there’s a number of things we’re doing this year to really take that to another level. Most cogently, we’re releasing our first non-insurance product, which is to say, we’re releasing a software product that anyone can use. You don’t have to purchase insurance from us, which hither to now, that’s the only way you could use our services. We’ll be launching a cyber risk management platform that any organization around the globe can use at no cost. It’ll be free for the basic set of features, if you will, but they’ll be very powerful.
The goal is to, again, democratize access to some of the data and technology that we uniquely have as one of the largest providers of cyber insurance. Starting to expose that to organizations can help make them more proactive in preventing claims from happening. It’s redefining what you should expect from an insurance company. An insurance company shouldn’t just help you and shouldn’t just communicate with you after something bad happens. We should be proactively working with you, delivering value to you throughout the policy period to help you prevent the bad thing from even happening.
R&I: It sounds like the business motivation there is associating Coalition with being a giver, right? “Here, we’re giving you some risk management tools,” for free, essentially.
JM: Absolutely. I think also, obviously we are a for-profit entity, but if you think about the insurance industry, and I’m a big first principles believer, how do we just strip things down to the core?
The insurance industry is really about the flow of two things: money and data. Money to pay premiums, money to pay out claims; data to underwrite the likelihood a claims going to be filed, the expected severity to detect insurance fraud, adjust a loss.
When you think about it, it’s pretty simple. It turns out those are the two things that are at the core of the technology industry, and so we’ve argued both — that there is an opportunity to improve the technology of insurance and that every insurance company is going to have to become a technology company, because, of course, data is the lifeblood of the industry.
“Cyber insurance has rapidly become an unprofitable line of business for many providers in the market, particularly those that didn’t have the data to underwrite the risk.” — Joshua Motta, CEO, Coalition
One of the other benefits that we get by releasing this platform is that we learn. People interact with our software. In order to get more value out of it, they teach us, they train us, they tell us about the technologies they’re using. The more data we have and the more people use that software, the better we are at delivering value to everyone. The better we are at underwriting cyber risk. The better we are at helping people prevent losses from happening.
That’s one of the wonderful feedback loops in our model. It’s that even though we’re giving this away for free, nothing, as we know in life, is free. We’re actually collecting data, but we’re using that data not to target you with better advertisements, like a Facebook or someone; we’re actually using that data to help you by improving the profitability of our insurance products. It truly is a virtuous feedback loop.
R&I: What’s your background in?
JM: That’s a good question. I sometimes describe taking the Renaissance approach to my career. I’ve started off as an entrepreneur at a young age. I started a company when I was a teenager. That company garnered the attention of Microsoft, and ultimately, I folded into Microsoft. I started there when I was 15-years-old. I was working in the Microsoft business division, which was Microsoft Office.
From Microsoft, I worked at a number of other corporations. I worked for Sprint, a large telecom company, Honeywell, writing avionics software. I then graduated from high school, and I joined the Central Intelligence Agency while going to college. I worked for the CIA for a while.
When I left CIA, I joined Goldman Sachs, where I was on the technology investment banking team in London and worked in private equity firms, financial services. Eventually, I realized, “Nope, I’m still an entrepreneur. I want to go back to doing that.”
I joined the founding team of a company called CloudFlare, which at the time was a fledgling, technology upstart, and today it’s a $20 billion company traded on the NYSE. I left CloudFlare, I think, at the end of 2015, to found another company, which would then ultimately led me to founding Coalition.
I’ve had a broad career, but it boils down to financial services, the technology industry and the intelligence community. When you think about Coalition, that’s what we are. We offer a financial service — insurance. It’s very much a technology company, as well, and we take very much an intelligence community-approach to collecting and analyzing data at scale.
R&I: When you look at the environment and your business, what challenges do you see in the coming year? What is on the landscape that gives you pause or concerns you?
JM: Organizationally, people are always the biggest challenge. It’s attracting phenomenal talent. We joke, internally at the company, that we’re 1% of the way there. Every week we have a team meeting; we talk about how much we’ve accomplished; we’ve rolled out these new products, new features, what not.
Finally, we get to 1%. It’s this idea that our vision is expanding at the pace of our ability to execute against it. We’re in this constant struggle to get ahead. Definitely attracting top talent and getting to work on things is always a struggle. I’d say within our business, certainly we’re in the insurance industry, but uncertainty is the name of the game, and it’s always trying to predict the future.
That is a significant challenge. How can we detect and understand when things are changing and, ideally, before they’ve changed?
Particularly in the cyber insurance landscape, ransomware continues to be a significant challenge. I would say it’s the single greatest challenge to the industry over the past year. Cyber insurance has rapidly become an unprofitable line of business for many providers in the market, particularly those that didn’t have the data to underwrite the risk.
But even for those of us that do, it’s a constant challenge, because the threat is evolving rapidly. Cyber criminals are adapting rapidly. And it’s a large business opportunity.
R&I: I remember, on the talent front, meeting Shawn Ram seven, eight years ago. He blew me away. I just thought his was a really top-quality mind, and so it caught my attention when he went over to you guys.
JM: Yes, yes, that was a huge win. It’s kind of a funny story. I was in the CFO-COO position at CloudFlare, and I purchased our insurance. Not because I knew anything about insurance but because I was the only one there to do it. We hired Aon.
I remember being invited to their box at the Giants stadium. Shawn was the big wig. He was responsible for Aon’s technology clients globally, so that’s actually where I first met him.
You know what? I had a similar reaction to you,.
And I can tell you that starting an insurance company was nowhere, even anywhere remotely close to my mind at the time I met Shawn, but he was the person who came to mind when I was founding Coalition. And to his credit, I think he very quickly understood what our vision was and wanted to be a part of it, at great risk, because he had a pretty stable career.
R&I: Do you have tips for us about some folks whom you’re working with, beyond Shawn, that really impress you that we should keep our eye on?
JM: Who do I not put on the list?
There is, frankly, such a focus on bringing in top talent, but I would say that Catherine Lyle, who runs our claims team, is exceptionally sharp, very bright. She is one of the most gifted claims attorneys I think I’ve ever met.
On the underwriting side, risk engineering, Marcin Weyrk, who we took out of AXA XL, just a phenomenally talented underwriter.
On the insurance side of the business, starting with insurance sales, Alex Pazooki is just really gifted. I think he’s won a number of rising star awards. He’s definitely someone to continue to focus on as well. He’s now leading the entire western half of the United States for us, so just again, really talented group of people. I could pick more.
R&I: Looking back at ransomware, the evolution of social engineering has been a threat and it remains a threat, but is it this piece of the attack or the threat of “I’m going to shutdown your manufacturing line and I’m going to demand ransom until you pay me” the bigger ticket risk these days?
JM: It is. And the thing is, it’s getting more severe, because it’s evolving.
It started with, “We’re going to lock up your data and unless you pay us, we’re not going to give it back.” And then it went to shaming, or maybe even worse, revealing your competitive secrets, destroying the value of your intellectual property by saying, “If you don’t pay us, we’re going to expose your data publicly.”
“Physical risk is very much, I think, one of the next frontiers of cyber risk. It’s not just the intangible data, it’s the tangible. Everything is a computer.” — Joshua Motta, CEO, Coalition
Where it’s going now though is, you mentioned manufacturing, are physical cyber attacks. When you stop an industrial process, it can result in property damage, bodily injury or even pollution-related effects. Coalition, kind of interestingly, was the first, and I believe we’re still to this day, the only in the cyber insurance market that provides coverage for property damage, bodily injury and pollution liability resulting from a computer security failure.
We’ve actually paid one of those claims last year for the first time. We had a manufacturer in the Midwest that blended alcohol for different providers. They shifted to making hand sanitizer, because this was in the midst of the pandemic. They’d retooled. But then they were hit with ransomware. It was nothing as spectacular as centrifuges erupting in flames in Iran somewhere, as we heard about once upon a time, but their production stopped. Their fluid was no longer going in between the various parts of the manufacturing process and the gaskets in between the equipment dried up and cracked.
Our cyber insurance policy actually covered the cost to replace the gaskets for this manufacturer. Physical risk is very much, I think, one of the next frontiers of cyber risk.
It’s not just the intangible data, it’s the tangible. Everything is a computer.
R&I: Insurance is highly regulated on a state-by-state basis. From your perspective, what could government and the private sector be doing better together?
JM: I think that the regulatory regime is not set up to allow insurance companies to use data. The laws are still quite archaic, and there’s a significant gray area.
I’ll give you a couple of examples. This obviously applies for the admitted insurance market, but there are very few admitted carriers that offer cyber insurance in the state of Florida, simply because the frameworks for how you might use data or introduce them is so cumbersome. It’s like a chicken and an egg problem. You lack the necessary history to show that the data. We could have a very reasonable hypothesis that this data would be very useful to underwriting a risk, but in the absence of meeting, sort of an impossible bar, it can’t be used.
And as a result of that, most cyber insurance, even to this day, irrespective of whether it’s Florida or any other state, is written in the non-admitted market. This question is maybe slightly less relevant for us than it is for other Insurtechs or other carriers, because a good deal of the business we write is in the non-admitted market. It’s frankly because it’s so difficult to use data to make better decisions in that process.
Another example, though, is think of things like anti-rebating laws. A big part of our model is we want to create software that helps us mitigate risk. Well, if you purchase our insurance policy, we give you that software.
Now I think in the vast majority of states, it’s crystal clear that there is a carve out to the anti-rebating law, which typically says you can’t give someone something of value in exchange for purchasing insurance. The one carve out is something that is helping them manage their risk. I can give you something that is of value, as long as it’s helping you manage your risk. But in other states, sometimes these things just border on the level of absurdity, which is we’re hamstrung from providing data or providing software to a company, because it could be perceived as violating some sort of law that was really intended to prevent an insurance company from giving someone tickets to the Warriors game in exchange for purchasing insurance.
I think that there could definitely be far more collaboration in working with industry to determine how insurance companies can use data and do so appropriately.
Meeting public policy objectives, not using data to push predatory prices, but using it to better price risks for the benefit of all and to help businesses make better decisions, because certainly in the field of cyber risk, one of the most frustrating things is that there’s very little discernment in price for a company that is doing the right things technically, and the wrong things, because pricing is still based on what industry you’re in and how much revenue you have. It’s not based on, “Did you incur the cost to adopt two-factor authentication in your organization? Did you incur the cost to regularly back up your data?”
Simple things like that, technological decisions, it’s very difficult to price for those, which means that businesses aren’t getting the information they need to make better decisions. Does that make sense?
R&I: It makes sense. Doesn’t it also speak to the relative immaturity of the product, if you look at all the insurance products that are out there?
JM: Yeah, there’s two components of it. One is the immaturity of the carriers or the underwriters themselves, but I’d say that that’s being bridged very quickly. And then the second part of it is, are you actually permitted by a regulator to use that data to influence price in the admitted marketplace? Because at the end of the day, price is information.
R&I: Exactly. One last question for you: Are there any initiatives, Joshua, or just market directions that you are thinking about that are exciting?
JM: At the risk of giving you my grand vision of where the insurance industry is going, if you think about the modern insurance industry, which I’m going to peg to the late 1700s, Lloyd’s Coffee Shop, et cetera, the industry is, hither to now, really been about insuring tangible assets.
Quite literally the goods of the East India Trading Company, steam boilers during the industrial revolution, automobiles at the turn of the 20th century. That’s the past. The problem is that things are shifting very quickly. For most corporations, it’s no longer the tangible assets that they derive their value from. It’s the intangible ones. It’s the people who work at that organization. It’s the data that’s created, the technology, so on and so forth.
The industry hasn’t really kept up with that. It was never built to insure intangible assets, and it’s harder to do it, because the risk to the tangible things — water, fire, wind, et cetera — are fairly well known and have a long history.
The risks to intangible assets — people and data — are considerably more amorphous. You need a lot more data to underwrite them,
That means you need technology to do it, because while humans are very good at recognizing patterns, there’s just too much data for a human to compute at this point in time. That’s the struggle the industry is going through right now, and that’s one of the struggles I think our society has, which is if you were to think about the exposures, the intangible asset exposures, risk exposures, you can’t even purchase insurance products for them.
If you think of that lens, Coalition is very much positioning itself to be a specialist underwriter of risks for intangible assets.
We’ve started with data, and I think you will see us in 2021 starting to think more about humans and the risks to those assets — the human capital assets that organizations have. The hallmark of that, of course, is going to be using data at a scale that has not generally been used in the insurance industry to better try and underwrite those risks, to better try and manage those risks, or risk engineer them.
That’s some of the initiatives I’m excited about in 2021, focusing on releasing new insurance products I believe plug in some of those gaps.
R&I: Maybe reputation being one of them?
JM: Yes, certainly. Intellectual property. Even innovating on some other traditional spaces.
We didn’t invent cyber insurance, of course, but I think we’ve done a lot to improve it and to think about it, really, as cyber is a form of peril.
I think there’s an opportunity to do something like that, even in other executive lines or the management liability space, with D&O or EPL or things that exist today, but I believe there’s an opportunity to continue to innovate as those exposures increase for businesses.
R&I: Given the way those markets are functioning, I think a lot of people would agree with you, Josh.
JM: Cyber is not the only one hardening. That’s for sure. &