Coalition is making its formal debut into the cyber insurance space, but with a twist. The San Francisco-based startup is also a cybersecurity firm.
Founded in March 2017, Coalition is co-founded by technology entrepreneurs John Hering and Joshua Motta, and Motta is also CEO. The company is venture financed, though it declined to disclose specific investors. It offers customers free cybersecurity tools, and business customers can acquire up to $10 million of insurance coverage.
Licensed as an insurance producer in all 50 states and the District of Columbia, Coalition distributes its products through insurance brokers, who can access the company’s products from an online platform for their small-to-midsize clients.
Both founders are cybersecurity experts, and they’ve brought in others, including Catherine Lyle, former head of cyber claims at Swiss Re, and Shawn Ram, the ex-head of technology and cyber at Crystal & Co. and Aon, as part of their initial team of experts.
Broadly speaking, the company’s team includes technology entrepreneurs and executives that helped build Cloudflare, Lookout and OpenDNS; ex-members of the U.S. Intelligence Community; and cyber insurance innovators, according to the company’s debut announcement.
Coalition also said that it is “supported by the financial strength of Swiss Re Corporate Solutions and Argo Group.”
Carrier Management Editor Mark Hollmer asked Motta a series of questions via email about the company and its launch. Here are highlights, edited for brevity:
Q: Could you describe your company?
A: Our mission is to solve cyber risk. We do this by combining free cybersecurity tools and services to help businesses prevent and mitigate risk, and comprehensive insurance coverage if the worst should come to pass. And it’s entirely available online. Insurance brokers can generate quotes and issue policies of insurance for companies in minutes. Meanwhile, our policyholders receive coverage that is tailored to the specific risks they face and a full suite of cybersecurity tools and services to manage them. The result is far fewer breaches; far less cost to detect, contain and recover when one occurs; and the backstop of insurance to make a company whole again.
Q: Why did you choose insurance as a focus for your entrepreneurial energies?
A: Coalition is the culmination of all that I’ve done. My experience within the U.S. Intelligence Community, at Goldman Sachs and most recently at Cloudflare have afforded me a unique perspective into what, I believe, is the most pervasive risk facing society—cyber risk.
We live at a time when a technology failure or cyber attack can cause everything from data theft to disinformation, election manipulation, hospital shutdowns, hotel room lockouts and even widespread blackouts. The Internet has changed everything, yet the means by which we protect ourselves is broken. This is an enormous problem.
That’s very much what we started Coalition with—a problem. Fortunately, my co-founder John Hering and I felt that we had a unique vision and capability to solve this one. We asked ourselves “how can we do this better?” and came to the conclusion that insurance is the primary, although not exclusive, solution to cyber risk. So I wouldn’t go so far as to say that we chose insurance. Insurance chose us.
Q: Are you venture funded?
A: We are well capitalized. John and I, and others on the Coalition team, have been fortunate to have founded and helped build a number of leading technology companies including Lookout, Cloudflare and OpenDNS. This has afforded us the opportunity to work with some outstanding partners. Unfortunately, I can’t say more at this time.
Q: What do you bring to the P/C insurance landscape that others don’t?
A: There are a number of innovations Coalition is bringing into the P/C landscape in underwriting, coverage, risk management and claims handling.
We underwrite without any underwriters.
We are able to rate, quote, bind and issue a policy of insurance in under four minutes. Brokers just type in their client’s website and other minimal information, and we go out and gather the rest. We use publicly available information to access an enormous number of data points to understand a company’s risk surface and accurately price that company’s risk. We look at not just historic information but a continuous stream of data that enables live pricing based on actual risk and usage. This enables us to not only collect tens of thousands of data points relevant to a risk but to also then use that data to make underwriting decisions in milliseconds.
For example, in these few minutes we are able to understand what technologies a company uses, whether they are vulnerable to exploitation, what security protocols that company has in place, and even what data has been leaked and is being used and traded in criminal forums.
We underwrite like an adversary. That is to say that we look at a company in the same way a real-life human adversary would, and in the same way many on our team once did within the U.S. Intelligence Community.
Gone are the days when a risk might be underwritten with a handful of data points.
That we are able to do this has allowed us to greatly simplify the procurement of insurance for insurance brokers.
We are addressing significant gaps in cyber coverage. And we are offering brokers the opportunity to completely configure a policy to meet their clients’ needs.
This is especially important for an SMB (small-to-midsize business) that shouldn’t be paying for coverage it doesn’t need. For example, if an SMB does not accept credit cards, then it is not subject to PCI [payment card information] risks. If that is the case, we are able to take out PCI coverage from our policy, and that decreases the price. On the flip side, we offer the most comprehensive coverage for SMBs because we get an up close view of their risk exposures in our underwriting process, which allows us to address them.
We understand the reality of cyber exposures and how the Internet has reached in, grabbed hold and made the world we once knew totally unrecognizable. And we fully protect our clients from the accompanying risks. Businesses need better tools to manage this risk, and better coverage to insure them.
Cyber insurance has traditionally focused on coverage for the liability that arises from a company’s failure to protect the security of its data. More recently, coverage has expanded to include the costs that arise to respond to a breach, to restore lost or stolen data, cyber extortion, and even business interruption losses. However, there remains a lot that cyber insurance fails to cover.
For example, many insurance policies do not cover funds to transfer fraud losses, whether caused by security breach or social engineering, nor is this loss covered by a traditional crime policy. They don’t cover the replacement costs of computer equipment compromised by malware, nor is this typically covered in a property policy. They don’t cover the losses associated with a physical cyber attack—that is to say a cyber attack that results in damage or destruction of tangible property, harm to people or even release of pollutants. These are all gaps in coverage that we’ve addressed and introduced into the P/C market.
We provide a number of risk management apps, including automated threat intelligence alerts, security benchmarking, DDoS mitigation, anti-ransomware software and more. These services are offered to all policyholders, and this is a tremendous value that brokers can provide their clients.
For example, the largest companies with the most sophisticated cybersecurity have systems in place to monitor compromised credentials. (This is just a small aspect of a larger security platform.) Monitoring compromised credentials can cost large companies on average $20,000-$30,000 per year. We are doing this for free for our policyholders.
However, these initial apps are only the beginning. One of the most challenging things about cyber risk is not only how pervasive it is—it literally affects everyone—but also how heterogeneous it is. By that I mean that as a form of peril, like “fire” or “tornadoes,” cyber risk is both highly diverse and dynamic. Phishing, ransomware, denial of service attacks and network intrusions are only a few forms of cyber risk, and the list continues to grow. You will see us add more apps and more features that allow any business owner to manage this risk in its many forms.
Timely response to an incident is critical to mitigate loss. It can mean the difference between a road bump or a severe disruption of a company’s business operations.
When someone calls Coalition, they are speaking to an incident response expert who can help them immediately. We also make significant use of technology to deliver efficiencies in how quickly claims are handled and resolved. In many cases, we can advance to the policyholder up to 50 percent of an estimated loss within 24 hours.
Q: Are you competing against insurers, or do you work with them to complement or supplement their offerings and capabilities?
A: We primarily seek to complement and supplement the offerings and capabilities of insurers. To that end, we have joined forces with two of perhaps the most technical insurance organizations on earth—Swiss Re and Argo. Incidentally, they are also two of the most skeptical as pertains to the insurability of many forms of cyber risk. That provided an opportunity for us to demonstrate a novel mathematical and technical approach to the management of cyber risk throughout the entire cycle of underwriting, risk management and claims handling. We believe that our ability to help businesses before, during and after an incident is powerful, and especially when supported by the financial strength and claims commitment of Swiss Re and Argo.
Beyond these two particular insurers, we also increasingly find ourselves on risks with multiple insurers. Where we are providing insurance for the same company, our provided cybersecurity apps to detect, manage and mitigate threats are highly complementary to everyone. And where we are the primary insurer, we are often able to directly assist in the response and recovery to the incident without erosion to the company’s retention, or the insurers’ limits. It is highly complementary.
Of course, on the other hand, we also complete with insurance carriers as well. This is one of the things I love about the insurance market. We are always competing, but we are also always cooperating. In the end, it’s the insured who wins, no matter what.
Q: Do you plan to get into other lines of insurance other than cyber?
A: In addition to cyber, we are releasing a technology error & omissions product for companies that build or offer technology products and services—which is, increasingly, every company. This includes broad coverage for the losses and liabilities that can arise and severely hurt a company should their technology fail, whether that failure is of their security or otherwise. Like our cyber insurance product, we’re also looking to introduce a number of innovations, such as coverage for property damage, bodily injury or even pollution caused by the failure of a business’s technology, as well as enhanced coverage for the liabilities faced by “sharing economy” companies, social media content and cryptocurrency.
Beyond this, our focus will remain on the development of other innovative products to protect businesses and individuals from the risks posed by the digitization of everything.
Q: What is your long-term business strategy/exit strategy—to standalone and compete with other insurers or to be acquired by larger P/C carriers?
A: We founded Coalition to create something we believe in and to build a company that will last. The only question we’re asking ourselves at this point is: “How can we better help our customers?” How we exit couldn’t be further from my mind. We’ve only just begun!