Coalition Inc., a cyber insurance provider that tries to curb digital risk, has designed technology that simulates large-scale attacks to help insurers identify potential weaknesses in their portfolios and prevent widespread losses.
The San Francisco-based company’s model measures cyber risks in the event of cataclysmic losses, such as if all the world’s computers were shut down at once. The “Active Cyber Risk Model” would give insurers an overview of their potential losses as a way to better target sales of their policies.
“The insurance industry is overly simplistic in the ways it thinks about cyber risk aggregation,” Coalition’s Chief Executive Officer Joshua Motta said. “Our technology provides both a framework to think about the risk and the technology to actually assess and measure it.”
Coalition, founded in 2017 by Motta and John Hering, has about 175,000 customers for its cyber policies, including publicly traded companies, governments and National Football League teams. The closely held insurance provider expanded outside the U.S. last year as its revenue surged nearly 200 percent compared with the previous year, the company said. Coalition is currently valued at $5 billion, Motta said.
The company provides what it calls “active insurance,” referring to a tool that continuously monitors a client’s digital infrastructure to detect malware and checks for vulnerable software.
As an example, the Active Cyber Risk Model — built on data from Coalition’s portfolio of companies — simulated what would happen if a catastrophic cyber attack hit 5,000 U.S. companies. Coalition determined that such an event could cost an estimated $29.8 billion across the entire U.S. economy.
“We believe that’s a level of loss that can be insured,” Motta said. “We’re trying to create a path forward for the industry to try to insure these systemic cyber events.”
The framework behind the Active Cyber Risk Model will be publicly available on Coalition’s website for other insurers to utilize, while the scanning technology the company uses to detect cyber risks is proprietary.
The need for greater cyber resiliency has come into sharper focus following a pandemic-era surge in ransomware attacks targeting industrial supply chains, hospital systems and software companies.
“There is a greater awareness today that cyber could be a systemic risk,” said Heidi Shey, a data security and privacy analyst at Forrester, a research organization. “Insurers offering policies have to do so in a way that’s careful—they don’t want to get wiped out.”