Cowbell’s Chief Product Officer Rajeev Gupta Talks to Risk & Insurance

“While we still conduct traditional assessments, such as scanning internet-facing systems to identify vulnerabilities, we take it a step further by applying AI models to truly understand the risk. There’s a common misunderstanding in the market that security scans and scores are the same as risk ratings, but there’s a significant difference.”
By: | June 11, 2024
Topics: Cyber | Underwriting

This spring, Dan Reynolds, the editor in chief of Risk & Insurance, caught up with Rajeev Gupta, the cofounder and chief product officer for Cowbell, a cyber and E&O insurer. What follows is a transcript of that discussion, edited for length and clarity.

Risk & Insurance: What inspired you to enter the Insurtech side of the insurance industry, given your background was not in insurance?

Rajeev Gupta: My background is indeed not in insurance, but in cybersecurity. In my previous role, I often discussed risk and risk transfer with customers, and noticed this topic was coming up more frequently around 2017 and 2018.

Coincidentally, an old colleague approached me in 2018 with the idea of cybersecurity insurance. This piqued my interest, as it seemed to align with the trend I was observing in my customer discussions.

Upon researching the industry, I was surprised to find that many underwriters, even today, assess risk based on basic factors like industry, revenue, size, and number of employees. They also rely on lengthy cyber assessment reports, which can be challenging to interpret and consistently use for underwriting decisions.

Given my cybersecurity background, I recognized the potential to leverage the vast amounts of standardized data generated by security products. By converging this data and applying AI, I believed we could provide underwriters with meaningful insights to make faster, more consistent decisions.

With the right ingredients (data), recipe (AI), and a hungry customer (the insurance industry), I felt compelled to seize the opportunity. If we didn’t do it, someone else would. That was the compelling reason for me to enter the Insurtech space.

R&I: How does Cowbell use AI to assess cyber risk, and how does this differ from traditional security scans and scores?

RG: While we still conduct traditional assessments, such as scanning internet-facing systems to identify vulnerabilities, we take it a step further by applying AI models to truly understand the risk. There’s a common misunderstanding in the market that security scans and scores are the same as risk ratings, but there’s a significant difference.

Consider this parallel example: a teenager living in a small suburban town, driving a Ford Mustang, will have a certain insurance premium. However, if they move to downtown San Francisco with the same car and driving habits, their insurance will spike dramatically. The risk profile changes due to the surrounding environment, such as higher traffic density and accident rates.

Similarly, a company’s cyber risk is not solely determined by their own security measures. It also depends on the actions and targets of threat actors. Are they actively targeting that particular industry? What types of vulnerabilities are they exploiting?

At Cowbell, we differentiate ourselves by using AI to match vulnerabilities with relevant threats, providing a comprehensive understanding of risk that goes beyond traditional security scans. This approach allows us to translate scan results into meaningful risk ratings, setting us apart in the market.

R&I: What are your thoughts on the advantages and disadvantages of standalone cyber coverage compared to add-ons or endorsements to property or general liability policies?

RG: The cyber insurance landscape has evolved significantly over the past decade. Initially, there was no standalone cyber coverage or even packaged cyber policies. Instead, cyber risks were covered under “silent cover,” where data was considered property under property policies. If not explicitly excluded, data was assumed to be covered as property.

This led to significant lawsuits against insurance companies during major cyber incidents like the NotPetya and WannaCry attacks. Insurance companies lost these lawsuits, with settlements reaching as high as $1 billion, as in the case of Merck.

In response, insurers attempted to be more specific by adding line items to restrict or limit coverage for data loss or breaches, typically around $250,000. This approach became known as packaged cyber.

However, packaged cyber policies often provide limited coverage with many constraints on when coverage can be triggered. Silent cyber has now completely disappeared, with property policies clearly stating that data is not covered.

While packaged cyber may still make sense in certain segments, the coverage is generally insufficient. When a cyber claim is triggered under a packaged cyber policy, the adjudicator handling the claim often lacks the necessary background in cyber to effectively manage the process.

R&I: What are the key differences between standalone cyber insurance and cyber coverage included in package policies, particularly when it comes to claims handling?

RG: Claims in package policies can take years to close, which is understandable given that the claims adjusters specialize in property damage rather than cyber incidents. They often rely on third parties to assess the situation, which can be unfair to policyholders.

In contrast, standalone cyber insurance is focused and specialized. The underwriters and claims professionals deeply understand the urgency of settling claims quickly, especially for small businesses facing ransomware attacks. They strive to get these businesses back up and running by Monday morning if an incident occurs on a Friday.

Standalone cyber insurers have the expertise to handle claims efficiently. Over time, they accumulate knowledge about threat actors and may even possess decryption keys, eliminating the need to pay ransoms. They provide 24/7 claims adjudication and assign a full panel of experts to the policyholder within an hour of receiving a claim.

Without this specialized insurance and support, policyholders can feel completely lost and frozen when a cyber incident occurs. They may not know whether to report the claim, engage with lawyers, or involve breach counsel. Standalone cyber insurance provides the guidance and expertise needed to navigate these challenging situations.

R&I: How does Cowbell go beyond underwriting and assist policyholders in defending against and mitigating cyber risks?

RG: Absolutely, and that’s the exciting part. The journey truly begins once the policy is sold and the insured becomes a policyholder. We provide comprehensive continuous monitoring as part of the policy during the coverage period.

This involves continuously scanning the attack surface to identify potential vulnerabilities that bad actors could exploit. We have developed a proprietary risk rating system called Cowbell Factors to assess and quantify these risks.

Through this ongoing monitoring, we can alert policyholders to emerging threats and provide them with actionable insights to strengthen their cyber defenses. It’s not just about underwriting the risk, but also empowering our clients to proactively mitigate those risks throughout the policy lifecycle.

R&I: What role do data signals and risk ratings play in Cowbell’s approach to cybersecurity and insurance?

RG: At Cowbell, we analyze thousands of data signals to assess cybersecurity risks, converging them into a manageable set of 8 to 10 key risk factors. These factors are presented to policyholders as risk ratings, providing them with a comprehensive trend analysis of how their cybersecurity posture is evolving over time.

If any risk rating dips below a certain threshold, the policyholder is alerted immediately. This proactive approach ensures that they are not blindsided by potential threats, similar to how credit monitoring services like Credit Karma keep users informed about their financial standing.

In addition to the risk ratings, we generate actionable recommendations and insights. These serve as a recipe for policyholders, guiding them through the exact steps needed to mitigate identified risks and vulnerabilities.

Furthermore, we keep a close eye on time-sensitive risks, such as newly discovered zero-day exploits. If we identify that a policyholder’s environment is vulnerable to such an exploit, we put a “spotlight” on their account. This triggers a chain reaction within our platform, activating our risk engineering team to reach out to the customer and explain the urgency of the situation.

By proactively addressing these “ticking bombs,” we help our customers avoid potential claims and provide them with peace of mind, knowing that someone is vigilantly watching out for their cybersecurity on their behalf.

R&I: What does the current dialogue look like when discussing ransomware preparedness with brokers and insureds, given the significant developments in recent years?

RG: Ransomware incidents reached record highs in 2023, with a 38-40% increase in both frequency and severity compared to 2022. The total ransomware activity in 2023 alone surpassed the combined incidents of the previous three years, indicating an exponential growth trend.

This surge is attributed to the increasing organization and sophistication of cybercriminal networks. Over the past decade, the nature of cyber threats has evolved from primarily targeted attacks to more indiscriminate “spray and pray” tactics. Cybercriminals now operate in specialized roles, with some focusing on selling stolen credentials, others providing exploitable toolkits, and even those offering money laundering services.

This compartmentalized approach makes it challenging to trace and apprehend the perpetrators. As a result, the onus falls on organizations with the weakest security postures, as they become the most vulnerable targets for these increasingly sophisticated and indiscriminate attacks.

R&I: What challenges do small and medium-sized enterprises (SMEs) face when it comes to cybersecurity?

RG: SMEs often lack dedicated IT and cybersecurity personnel, leaving them vulnerable to cyber threats. Many are unaware of basic security measures, such as configuring SPF records and email security on their DNS.

They may simply purchase a domain, point it to their Wix website, and start operating their business, assuming that customers will come. This lack of cybersecurity knowledge and resources puts SMEs at significant risk of cyber attacks and data breaches.

R&I: Is there a primary customer segment that Cowbell targets?

RG: Cowbell primarily targets small and medium-sized enterprises (SMEs), which we define as businesses with under $250 million in revenue. However, approximately 80% of our customers have revenues below $50 million.

In the UK, we have expanded our market reach slightly, insuring businesses with up to $1 billion in revenue. Despite this, our core focus remains on SMEs, as they often struggle the most with cybersecurity due to a lack of proper tools, personnel, and processes.

SMEs are particularly vulnerable to cyber attacks and may not have the resources or knowledge to recover effectively in the event of a breach. This is where Cowbell aims to provide critical support and protection.

R&I: Are there best practices for a smaller company to educate its employees about cybersecurity threats?

RG: Cyber training is one of the easiest and most effective ways to avoid attacks, as humans are still considered the weakest link in the cybersecurity chain. At Cowbell, we provide free cybersecurity training to every employee of every customer we onboard for the first year, regardless of the company size. In the second year, they receive a significant discount of 80-90% if they choose to continue the enrollment.

Apart from training, implementing multifactor authentication is crucial. Companies should ensure that no SaaS service or internal system can be accessed with just a username and password. Most companies provide multifactor authentication capabilities, which simply need to be activated.

Software updates are another important aspect. SMEs that have been incorporated in the last 8-10 years typically use online cloud software, which automatically updates. However, if they have custom apps or software, they need to conduct risk assessments and perform software updates on their side.

Phishing simulation is an effective training method that reaches users where they are. Instead of requiring employees to spend an hour in training, phishing emails are randomly sent to employees based on current events. When an employee clicks on the link, a pop-up banner appears, alerting them that they shouldn’t have clicked. This approach has proven to be highly effective in keeping employees vigilant and protected.

R&I: How do you envision the use of AI evolving or gaining more traction in the work you’re doing at Cowbell?

RG: There is a parallel between the current state of AI risk and what silent cyber used to be. Presently, AI risk is covered under various policies, such as cybersecurity or property, depending on how the risk manifests. This is similar to how silent cyber was previously handled.

However, I foresee AI risk evolving in the insurance industry. It will likely transition from being a packaged AI coverage to eventually becoming a standalone AI insurance offering. The exact timeline for this shift, whether it takes a year or the next five years, remains to be seen.

Interestingly, we are already observing instances where AI is being called out as a separate line item on insurance policies. This indicates the beginning of the evolution towards more comprehensive and targeted AI risk coverage in the industry.

R&I: What sets Cowbell apart in terms of your approach to the market and distribution channels?

RG: At Cowbell, we have an extensive risk pool that includes approximately 46 million businesses. This covers 97% of US SMEs, more than 80% of UK businesses, and about 60% of Japanese businesses.

The significance of this risk pool lies in our ability to understand risk well before someone seeks coverage. It enables us to conduct related benchmarking, allowing us to assess how a business stacks up against its peers when we evaluate their risk.

This unique approach to risk assessment and benchmarking sets us apart in the market.

R&I: How does Cowbell’s approach to risk quantification benefit agents and policyholders in the cyber insurance market?

RG: Our methodology, which we call the Cowbell Factors, is built on a solid foundation of comparing a company’s security posture to their peers in the same sector and size. For example, if you’re a manufacturing company with $10 million or $50 million in revenue, we can compare your security posture to 120,000 other companies in the same sector and size.

This provides significant benefits to both agents and policyholders. Agents can analyze their entire portfolio and create a heat map to visualize the risk distribution of their clients compared to the market. Similarly, policyholders can assess their security posture against their industry peers, determining if they are taking the right measures to protect their business.

By accurately quantifying risk, we can enjoy lower loss ratios over time. This is a fundamental aspect of our business that we aim to communicate more effectively. In the risk transfer business, it’s crucial to understand the risk being transferred from the policyholder to the insurer. Without proper risk quantification, it’s like playing darts blindfolded.

R&I: What are your thoughts on the current capacity in the cyber insurance market? Do you believe it is sufficient to meet the demand in this sector?

RG: Capacity is no longer an issue in the cyber insurance industry, not just for Cowbell. There was a time when reinsurers were hesitant to enter the market, but over the last few years, they have seen the results of MGAs and lower loss ratios.

As a result, there is now more than ample capacity available. However, it’s important to note that the insurance industry typically goes through cycles of hard and soft markets. The current abundance of capacity indicates that we are in a soft cycle, but this can swing back to a hard market anytime, where capacity starts to disappear.

R&I: Are there any specific industries that you have observed to be more vulnerable or susceptible to cyber attacks recently?

RG: We have definitely seen manufacturing as one of the riskiest sectors. This is primarily because manufacturing is undergoing significant digitization. Any industry that goes through a major transformation, whether it’s cloud adoption or digital transformation, is prone to mistakes, which bad actors know how to capitalize on.

While we’re seeing an uptick in manufacturing, construction is another industry to watch. Although construction is not there yet in terms of cyber risk, it could be next. Many startups are emerging in the construction space, and the industry is also undergoing a bit of transformation. While we don’t see a lot of claims in construction today, it’s something I’m keeping an eye on.

R&I: What about the public sector? Do you have public sector clients, and are they significantly impacted by cyber threats?

RG: Yes, we do have public sector clients, including municipalities and schools. While they are not outliers or among the top 2, 3, or 5 in terms of claims frequency, they are definitely affected by cyber threats, much like other sectors.

Retail, for instance, tends to have a higher frequency of claims. Interestingly, when comparing the construction and manufacturing sectors, we observed a higher frequency of claims in construction but higher severity in manufacturing.

It appears that manufacturing is more prone to ransomware attacks, while construction sees more business email compromise (BEC) claims. Although I don’t have a definitive explanation for this difference, it’s an intriguing observation that emerged from my recent data analysis. I plan to discuss this further with our head of threat intelligence to gain more insights into the potential reasons behind this trend.

R&I: How is Cowbell leveraging generative AI to transform unstructured data and enhance various aspects of the insurance process?

RG: Generative AI is a hot topic in the market, and we at Cowbell have been exploring its potential in various areas within the company. One of the most significant aspects of generative AI is its ability to convert unstructured data into structured data.

In the past, analyzing unstructured data was challenging, as people would try to create templates and conform to them, which often broke and yielded inconsistent results. However, with generative AI, we can argue that there is no more unstructured data. It has become much easier to extract value from previously unstructured information.

This transformation starts with risk assessment, where the efficacy has improved due to generative AI. It extends to user experience, communication with agents, and interactions with policyholders. For example, we recently launched our new product, Prime Tech, along with our first copilot, Carwell.

Underwriters can chat with Carwell and ask for insights about risks or contract language. Interpreting lengthy, complex legal language in contracts can be time-consuming and challenging. However, with the Copilot, the information is deciphered, summarized, and presented in an easily understandable format, eliminating the need for underwriters to flip through numerous pages.

As a result, the speed and accuracy of the underwriting process are enhanced. This is the beauty of generative AI, and we are leveraging it in several areas, including our recently launched Copilot.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].