How Adaptive Cyber Insurance Can Reduce Risk And Lower Premiums 

Isabelle Dumont, SVP of Marketing and Technology Partners at Cowbell, discusses their adaptive, risk-based approach to cyber insurance, and the best practices that small and medium-sized enterprises (SMEs) should implement to reduce their cyber risk and lower their premiums.

Expert Insights Interview With Isabelle Dumont Of Cowbell

Isabelle Dumont is the SVP of Marketing and Technology Partners at cyber insurance provider Cowbell. Isabelle has extensive experience in defining and launching go-to-market strategies in the tech space. Cowbell specializes in cyber insurance, security software, and cloud technologies. In her current role at Cowbell, Isabelle has launched the company’s partner programs (Cowbell Connect and Cowbell Rx), leads their marketing team, and actively contributes to risk and security initiatives.

In an exclusive interview with Expert Insights at RSAC 2023, Isabelle discusses Cowbell’s ML-powered, adaptive approach to cyber insurance. She goes on to explain the benefits of adaptive insurance over traditional, static coverage, and the best practices that SMEs should follow to help reduce cyber risk and lower insurance premiums.

This interview has been edited for clarity and length.

Could you give us an introduction to Cowbell? How did the company come about, and what differentiates you from other cyber insurance providers? 

Cowbell started four years ago, with the idea that cyber insurance was too complicated for a lot of businesses. We wanted to bring simplicity to that process, whilst making use of all the data and technologies that cybersecurity companies have nowadays. We saw an opportunity to bring technology into cyber insurance in the evaluation of risk in the underwriting process. Using AI and ML, we assess an organization’s risk and can issue a policy in less than five minutes, instead of that process taking several months. 

So, that was our goal, and we felt that was really important in the SME market, which has been underserved by insurers, just as it has with cybersecurity solutions. We estimate that four out of five businesses in the US are either underinsured or uninsured. By “underinsured”, I mean they might have some form of cyber coverage as part of their general liability coverage, but it’s a half page on a contract that’s very unclear about what is or isn’t covered, with limits that are way too low for today’s cyber incidents—you’re looking at $50k-250k. With us, they could receive a million dollars in coverage so that, if a bad incident happens, they can get proper financial protection. 

Today, we operate across the US, with a network of 20,000 agents across the country, and we have a good reach into the SME market, which is about 32 million small businesses in the US. 

Cowbell provides what you call “adaptive” insurance, powered by an AI-driven model. How does that work, and what are some of the benefits of adaptive coverage over more traditional, static coverage? 

Last year, we announced the concept of adaptive cyber insurance, which starts with continuous risk assessment. By assessing risk at the beginning and then continuously updating our assessment based on new data that comes in, we can see how that risk evolves. Businesses can also log into our system themselves and see where they stand that week or that month. 

We’re going to launch a new product this year that will enable us to say, if you get better at cybersecurity, we’ll be able to give you a premium credit on your policy. Our whole goal is for people to get better at cybersecurity. If they get better, they’ll have fewer incidents, they’ll have less to claim, and we’ll have less to pay. It’s a positive outcome for everybody. That’s partially in place on our product today, because everybody can see where they can get better and then, at renewal, their premium is optimized. This will be an iteration on that.  

As well as providing insurance, Cowbell offers a range of risk management services to help businesses lower their risk of suffering a breach and, in turn, lower their insurance premiums. Could you tell us a bit more about how some of these services work? 

First, we have a team of risk engineers that get on the phone with the policyholder and guide them through anything they might need to do to improve their cybersecurity and reduce their risk. That could even involve things as simple as creating backups or having an incident response plan in place. These teams have proven really effective—none of our policyholders who had a security audit with our risk engineering team have had an event in the past four years. 

We also have a team of claim experts whose job it is to understand the type of incident that has occurred when someone calls us, and to match them with the best incident response partners, which are many of the cybersecurity companies you see here at RSA.

Finally, we offer our cyber risk assessment. We use all the data we can—firmographic data, information on whether they’ve had any exposure on the dark web, and claims data—to get an understanding of the organization’s footprint, level of exposure, and whether they’re doing the right things with their technology. We’re also partnering with some key vendors like Microsoft and Google, which are offering a lot of the basic infrastructure companies are using such as email and collaboration tools. This collaboration allows us to connect to their technologies to get real-time data for those risk assessments, on a continuous basis. 

What factors do you take into consideration when assigning a risk score? 

We measure by what we call the “Cowbell Factors”. So, it’s not just one score for the company; it’s a set of eight different ratings across different areas for the business, including cloud security, network security, and compliance. The complexity of cyber is such that you can’t just assign one score; an organization might be very good in network security, but not so good in training their people. 

The idea is to benchmark the company against their industry peers, and to find out whether they’re doing better or worse than the average in terms of cyber risk. If they’re doing better, they’re most likely going to go through the underwriting rules automatically—that’s how we can get them a quote in seconds, and they can get their policy very quickly. For more complex risk, depending on what we find, they’re referred to an underwriter that applies the traditional, more manual process. Even then we can still go faster because the underwriter gets all the data we collect, in a way that’s easy to process. And all of that is powered by AI, looking at around 1,000 data points for each account and normalizing them. 

The risk assessment stage is a very important part of deciding what coverage to provide. If a company’s risk levels were too high, would you ever refuse to offer them insurance?

Yes, we have had to do that. We found an organization, for example, that was so high-risk that we said we couldn’t insure them. We gave them everything we found, and we were happy to work with them to help them improve. Everything we find is available online to the company that applies for insurance. They see their ratings and how they compare to the industry average, and they can see the individual findings that range from things like not having implemented Multi-Factor Authentication (MFA), to having JavaScripts on their website that need to be patched. They have access to all of that. 

So, if they then went through the risk assessment that you provided and implemented your recommendations, would they become eligible? 

Yes, exactly. And that’s where our risk engineering team comes into play—we’re happy to sit down with them and get them to a better place.

What are some of the best practices or tools that SMEs can implement from the outset to help reduce their cyber risk, ensure that they qualify for insurance, and lower their premiums? 

MFA, backups, and having an incident response plan. We have two templates for creating an incident response plan: the first is for businesses that don’t have any IT resources on board and rely on third parties; the second is for companies that do have internal resources. We also recommend cyber awareness training for their employees, and we offer that ourselves to all employees for free, because we feel that it should be very easy to address that. 

Once you have that covered, we start to move into things that are more specific to your industry, like network segmentation. If you’re a manufacturing company, for example, you need to separate your factory floor from your enterprise environment, and so on. 

If you look at the news, you’ll see everyone reporting that insurance premiums are going up and up. Cowbell gives policyholders incentives and resources to improve their cyber risk profile so that they can optimize their insurance premium, avoid a drastic premium increase at renewal, and even see it go down. So, if I were a company trying to get cyber insurance, I would line up everything first, making sure I had MFA, I had backups, and that I’m compliant with any data protection regulations that outline specific security processes I need to have in place. And I would put all of that together before going to request insurance.

And if, despite having these measures in place, a business does experience a breach, what does that process look like from your end? 

The policyholder has one phone number to reach out to, and our team always responds within an hour. As I mentioned before, we try to understand the first parameter of the breach and, based on that, we assemble for them the team of incident experts that are going to be able to help them. We also assign breach counsel, which is a legal person who will represent the company and help get them back to normal. Following this process, the legal matters around most types of claims are resolved well within 90 days.

Thank you to Isabelle Dumont for taking part in this interview. You can find out more about Cowbell’s adaptive cyber insurance for SMEs via their website.
