On this episode of the “AI Wisdom – Talking Innovation in Insurance” podcast, host Ron Glozman speaks with Phil Edmundson, CEO and Founder, Corvus Insurance, about the importance of cyber insurance and how commercial insurance brokers can help their customers better predict, prevent and prepare for cyber-threats. Click the play button to listen or read the full transcript below.
Get our viewpoints delivered to you inbox
Ron Glozman: Hello, and welcome to “AI Wisdom – Talking Innovation in Insurance.” On this podcast, we talk to business and insurtech leaders about how artificial intelligence is transforming the way we buy and sell insurance. I'm your host Ron Glozman, Founder and CEO of Chisel AI, and a strong believer in the power of AI to help people work smart and enrich their lives. So, let's get into it.
Over the past few weeks, as organizations have come to terms with how to manage the remote workforce, digitally pivot manual processes, and manage their IT infrastructure remotely, a new opportunity has emerged for commercial insurance brokers. With the rise of cyber incidents like financial phishing scams, ransomware, and data breaches, it is now more important than ever for organizations to ensure that they have adequate cyber insurance coverage. I'm very pleased to have with me, Phil Edmundson, CEO, and founder of Corvus Insurance join me today as we discuss the importance of cyber insurance and how commercial insurance brokers can help their customers better predict, prevent, and prepare for cyber threats. I love that, the three Ps. Welcome, Phil. Before we jump in, can you please introduce yourself?
Phil: Thanks, Ron. It's such a pleasure to be with you and your listeners. I have had a wonderful career in commercial insurance, mostly as a commercial insurance broker, starting out as most do as a junior broker and moving up to running a commercial brokerage firm with about 250 people, which we sold five years ago. And three years ago, I started Corvus Insurance with the idea that we can predict and prevent commercial insurance claims by using new types of data, new sources of information. We've built a series of software tools and cyber incident databases that allow us to do that with cyber risk.
Ron: Amazing, I'm looking forward to hearing more. So, Phil, let's just jump right into it. You know, cybersecurity risks are obviously on the rise because people are working from home. I can say we have seen for sure an increased amount of people trying to get phishing, for example, scams are becoming prevalent. And cybercriminals are lurking, just waiting to find that wormhole in a company's IT infrastructure. What do you think companies can be doing today to protect themselves from those costly attacks and breaches?
Phil: You're absolutely right, Ron. A lot more attention is being paid to cyber risk in this time of COVID. Of course, more of us are working from home. So that's one of the first questions. Have you hardened your defenses at home? Many organizations expect their employees to work on a company-issued laptop, and that's fine or a desktop even. But if you're at home, you're more likely to jump onto one of your personal devices. So, one thing that we emphasize to our clients is to try to make sure that home devices being used by employees during COVID have been vetted and have appropriate safety standards for cyber risk. In addition, unfortunately, much of the risk in cyber emanates from cybercriminals. A lot has been written about that. I won't go into that unless we have enough time.
But the criminals are very entrepreneurial. And they know that a lot more people are working from home these days. And they also know that so many of us are much more anxious in general because of COVID.
So, they've created new schemes to trap individual users into releasing information or clicking on links that sound like interesting storylines or information sources about the pandemic. And that's also led to an increase in cyber incidents arising out of this horrible pandemic.
Ron: That's very interesting. And it's very entrepreneurial. I'm curious that you use that word, but it makes sense that they figured out that providing, false information, or maybe it's factual information, but through a false website and capturing information or customers that way, it is very ingenious, I would say. So, what can you do to protect that? Is that, like, a firewall? Is that, I don't know, like, a router or a VPN? I can think of many buzzwords that probably listeners can think of as they're listening to you talk about this. What can they actually put in places to safeguard against that?
Phil: Right. That is the question. Companies like Corvus that have built software to evaluate the external IT security organizations are asking that question every day. So, as part of our underwriting process, we examine websites and email servers to find vulnerabilities. And in this market, there's a couple of issues that come up and have more importance to us that we see in the scans that we make of the IT security of organizations. One thing is called Remote Desktop Protocol (RDP). And all of us as desktop users can remember that magical moment 10 years ago or more when all of a sudden somebody from IT said, "I can just get to your computer remotely, and have the same experience as you, and help you work through a problem." Remember that, Ron? That was a great development.
Unfortunately, these RDP technologies frequently are, like, side doors in our cyber risk household. And they're easy for the bad guys to enter in. So we wanna make sure that any RDP tools that are used by organizations have defenses built into them, things like two-factor authentication, that annoying experience we have where sometimes we have to send a code that gets sent to our phone before we use a certain digital application. That's really important to master RDP.
A second thing is internal hosting. Most organizations have taken their operations and put them into some type of cloud environment. And we believe that cloud environments generally are safer than hosting essential functions, digital functions on your own servers. And, unfortunately, organizations have a tendency to forget about the security on their own internal servers or maybe they're not as good at updating the protections, downloading the latest patch, making proactive processes that help keep them safe. So, we're encouraging organizations to have as little internal hosting as possible.
Ron: I'm curious to hear a little bit about what you think around the concept of having a standalone cyber insurance policy versus having an add-on to an existing commercial policy as a package.
Phil: Ron, this is one of the big challenges of cyber insurance. Cyber insurance is a collective term, but policies come in so many different flavors and designs. A very comprehensive policy, like, the sort that we market has 12 different insuring agreements, you know, 12 different contracts built into one. Sometimes what other people might call a cyber insurance policy maybe only covers one or two of those types of things. So, there are so many types of losses, maybe easily bucketed between first-party losses. Do I lose my data? Is my business interrupted? Do I have to pay a ransomware? Do I have intellectual property at risk? And third-party risks, do I hold important information of a third party that might get stolen? And what's my legal liability? What if one of my employees misplaces a laptop that's full of private information of our customers? Do I have to pay fines and penalties? So, the distinction that I would say is really important to understand is that these add-on policies on a package policy or other smaller policies may have cyber insurance, but it tends to be very limited. Cyber insurance bears paying a lot of attention to because every policy covers very different things.
Ron: That was a great example of some of the different 12 ways that a full comprehensive policy can differ. So, for brokers who are selling and promoting these policies, what do you recommend they follow as a best practice?
Phil: Yeah, it's a real challenge, Ron, I think for brokers. As I said in my intro, I spent most of my career as a broker. Brokers work with organizations, and they're managing all types of risks for their clients. They only have a certain amount of time for cyber. At bigger brokerages, they may have cyber insurance experts on their team who can vet the policy forums, but even then, the explanation of the risk goes back to the individual client executive who talks to the organization that customer of the insurance agency or brokerage firm. And those people need as much education as possible. We've begun producing videos, just short videos from our underwriters that explain different components of a comprehensive cyber policy. We have a 90-second video about business interruption and contingent business interruption that is covered under our policy.
So brokers either need to build these tools themselves for their own team and for their clients where they need to partner with cyber insurance, specialty insurers like Corvus so that they have tools, whether they are video tools or FAQ documents or other explainers that help everybody understand what is covered, what isn't covered, and what has various sub-limits of coverage.
Ron: I love it. I think in many, many respects having expertise is what makes the difference between, you know, good or great customer service and amazing customer service or in this case, you know, good broker service or amazing broker services, really knowing what you're selling and knowing the differences between, you know, for example, a standalone policy, and just an add-on to an existing policy. So as the landscape continues to evolve, obviously, over the last 10 years, we've seen a lot of changes, and probably the next 10 years will be even more accelerated than the last 10. What can brokers do to help address some of the emerging risks impacting them and their customers that might not have been around a couple of years ago?
Phil: Great question, Ron. So, there are many general periodicals that speak to cybersecurity. There is some great journalism being done by the insurance press who recognize that this is a dynamic field. So, I think the important takeaway is to represent agents to become regularly acquainted with the changes in the types of threats that organizations are experiencing from these cybercriminals, in particular.
Four or five years ago, we were mostly concerned about the theft of individual data, where cyber-criminals would try to get inside a hospital or a retail firm or a credit card company and steal information, and then put that consumer information up for sale on the Dark Web. Today, the criminals have moved more popularly to ransomware. Ransomware is a type of cyber threat where the criminals get behind the firewalls of organizations, find ways to sequester and steal data or disable computer systems, and then offer to cure the problem in return for payment of a ransom, usually in Bitcoin or some other crypto-currency.
And so being aware today about trends in ransomware would be a great place to start. One of the sources we like a lot is an organization called Coveware. Their website, coveware.com, has a quarterly report about ransomware events, trends in ransomware. These guys are so good at servicing the needs of companies like Corvus and other insurers, that they actually get to know these individual criminal organizations, albeit in a very digital manner so that, for example, they know who to trust, right? I mean, think of it. You know, you're being held for ransom for cryptocurrency that can't be traced. How do you know when you pay the bad guys $50,000 worth of Bitcoin, that they're actually going to return your data? In order to figure that out, organizations like Coveware have come along and actually build relationships with these criminal organizations. And they can tell you which ones to trust, and which ones do be careful and watch out for, and not make a deal with. So, it's become cottage industry is the only word I can think of, but it's much more serious than that.
Ron: It's interesting. As you were talking, I was recently watching a documentary a little bit about the mafia and the mob. And it's interesting because as you were saying that it sounds exactly like that because they come into a store that doesn't have any problems, and they break a window, and they say, "Hey, it looks like somebody broke a window. We wouldn't want that to happen again, would we?" Basically, they create value from a problem that they inherently created themselves. It's very similar to what it sounds like a ransomware attack does, right? Like, they're creating their own problem.
Phil: That's right. And you, the good, honest organization, have to figure out, do I trust these bad guys? Will they keep their promise? They're bad guys after all, right? But what alternative do I have? And so, it's a very dynamic environment. And while ransomware carries all the headlines in cyber insurance, last quarter, and this quarter, I can promise you one thing that a year from now we'll be talking about some new emergent risk because not only do the risks change the vectors if you will of attack, but the defense has changed. The good news is around ransomware that most organizations are getting more aware of this risk. And the software providers that they rely upon are getting better at backing up data in a way that can't be disrupted by the cybercriminals. So, if you have a hack-proof backup of all of your data, you're much less exposed to ransomware.
This kind of cat and mouse game has been going on for years in the cyber risk world. We’re already starting to see a little data that suggests ransomware claims are going down.
Now, we don't know if that's because of this phenomena where defenses are improving, or whether it's because the criminals are moving more into COVID-related attacks. We do know that recently ransomware events are diminished in number.
Ron: That is a very interesting data point. And you mentioned, you know, in a year we'll probably see something different. Would you be comfortable to venture a guess? Is there anything that you're starting to see now that you or Coveware, based on the research you guys are doing and Covewave is doing, are seeing an uptake or an increase in?
Phil: No, nothing other than what we talked about at the top of the interview where hacks that are taking place on home computers and devices that are not part of the corporate or organizational networks. That's the big news story in the COVID period.
Ron: Perfect. All right. So, this is a perfect time. We're going to take a quick 20-second break to tell you where you can find out more information and insights about insurance innovation. We'll be right back.
[If you liked this episode of AI Wisdom, subscribe to our blog, Writing the Future: AI in Commercial Insurance at www.chisel.ai/blog for feature articles, interviews, opinions, and more.]
Ron: We're back with our featured guest. Phil Edmundson let's jump right into the next question. COVID-19 aside, I'm curious to see what trends you think are gonna have the biggest impact on the commercial insurance space in the short term.
Phil: As with respect to cyber insurance, you mean?
Ron: It could be in the cyberspace. It could be in general.
Phil: Well, generally, of course, we're moving into a marketplace that's hardening overall. This low interest rate environment is hurting the bottom line of big P&C insurance companies, and claims trends in many areas are worsening. All of that's leading to price increases, rate increases in most lines of business, including cyber insurance. Prices are going up modestly, but noticeably cyber insurance.
Ron: And would you say COVID has increased? Have you seen more appetite for coverage for cyber insurance during this period?
Phil: Yeah, we've seen two trends that are of note, Ron. One is that we've seen the number of applications from smallest organizations diminish. So that is probably consistent with the fact that in this down economy that small businesses are feeling more pain. So, prior to COVID, we were seeing growth in every segment of the economy. We have seen a reduction in the rate of increase of small business applications.
At the other end because of the increased reliance on IT assets during the time of COVID, medium and large-size organizations are buying more cyber insurance, and they are noticing more about the coverage differences, and they're buying broader policies.
Ron: Those are some very, very interesting trends. I'm curious to see if AI has been a game-changer as far as cyber insurance is concerned because I think on a broad spectrum, it has impacted and changed many ways that people think about claims and submission intake and policy check and all of these, you know, specific workflows in the underwriting process. I'm curious to hear if AI has changed the cyber process, as well.
Phil: Yes. So, we use a series of tools that are best defined as machine learning tools. That's one part of AI by most people's definition.
Machine learning tools allow us to take data inputs and analyze our underwriting rules more quickly. This is a challenge for most conventional insurance companies who don't choose to move their underwriting levers very frequently. We, instead, take the view that we're getting new data every day, and that in a field like cyber insurance where the risk is very dynamic, as we've been talking about, and the defenses, the response to risk, is also very dynamic, it's important to be feeding the underwriting machine with new information and changing underwriting rules much more quickly.
Ron: I would totally agree. Machine learning is a hundred percent a part of artificial intelligence. So, I don't think you're off-base there. Customer-centricity is a key objective for many carriers and brokers. Obviously, you've had much experience as a broker. So how do you feel insurance carriers can align with insurtechs to better deliver a customer experience? And in this case, when I say customer, I think as a carrier, you have two customers. You have the broker, and then you have the end policyholder.
Phil: Ron, we think exactly alike. These are both important customers. And, in fact, we have a third customer, which is our internal customer, our underwriters. We try to build technology that brings value propositions for all of them.
By using machine learning to make underwriting decisions for many of the accounts that we evaluate, we hope to provide value to everyone, including making our underwriters more productive and allowing them to focus their energies on the more important and difficult judgment calls, rather than the routine repetitive exercise of much commercial insurance underwriting today.
But we also want to build value propositions for brokers and policyholders. The technology that we use to evaluate cyber risk does not require the usual long application be completed by the insurer organization.
We've replaced these 50 and 75 questions with 5 or 6 questions. What's your name? What industry are you in? What are your revenues and what's your main URL? And that information put into our digital application we call the crowbar kicks off our proprietary cyber scan where we evaluate the IT assets of organizations. We evaluate their email servers and their websites as we discussed earlier and use that to score and benchmark IT security of an organization.
Of course, that allows us to make underwriting decisions and to do so in an automated fashion. But it also means that that long application doesn't need to be completed. That's a big relief to agents and brokers as well as the policyholders. And our software also produces actionable prioritized recommendations. When we see a result from our scan that indicates that IT security could be better, maybe it's just something as simple as the email's software hasn't been updated with the latest patches from Microsoft or some other provider.
Being able to inform the broker allows the broker to bring real risk management advice to their client. And that after all is what every good broker wants to do. Then the client gets real value because they're informed of usually fairly simple and easy ways to prevent a hack from ever happening. It's classic risk management.
You know, it's no different than the old school that I grew up with of somebody with a clipboard and a hardhat walking around a factory or an office building to evaluate risk. But in our case, this is all done digitally. So, it can be done quickly, cheaply, and provide value for everybody in the chain.
Ron: I love that. That's so actionable and so powerful. I agree there's always the internal stakeholder. It's one of the most important stakeholders. All of them are equally important. So, to wrap up, we'd love to hear one piece of wisdom that you'd like to share with the listeners. And this can be business-related or general life advice, things that you've had on your mind that you think other people need to hear.
Phil: I've spent most of my career working for conventional insurance brokerage organizations. And when I started Corvus, I was determined to learn a lot from the tech industry. So, we have built our team equally composed of tech and data science people, and, on the other half of the house, insurance people from traditional big property and casualty insurance companies and brokers. And what we've learned is that there's a lot that the tech industry can teach our industry. Some of it is facilitated just by tools that we use. So, subscribing to or using new types of communication tools like Slack, or Trello increased our productivity immensely. Being willing to adopt more digital tools in our own operations is extremely important. Treating people in the tech sector as equals, rather than, as some type of IT department that, you know, keeps the lights on, is a cultural change that has to happen in the insurance industry. It is happening, but perhaps a little slower in our industry than in some others.
Ron: Amazing stuff, Phil. If people want to find out more about you and Corvus Insurance, where can they find you?
Phil: Well, thanks. This has been really enjoyable. Our website is corvusinsurance.com. I'd also like to make a plug. We hope that our technology makes the world a little bit safer. It's something we remind ourselves about at Corvus and one of the things we have done in response to the COVID-19 pandemic is to offer free IT security reviews for any healthcare organizations or first responder organizations. Right now, we feel that those organizations are incredibly stressed. And we know that they are being targeted by these cybercriminals, and we want to help them with their defenses outside of the process of quoting their insurance. If any healthcare organization or first responder organization goes to our website, they'll see a ribbon at the top inviting them to get a free scan of their IT security. It's our honor to try to help those organizations in this time of difficulty for our world.
Ron: I love that. That's amazing stuff. I hope people take you up on that. As always, you can find out more about Chisel and our podcast at www.chisel.ai or on LinkedIn, Facebook, and, of course, anywhere you listen to podcasts. Phil, thank you again and have a great day everyone.
That’s a wrap for this episode of “AI Wisdom” hosted by Chisel AI and me, Ron Glozman. Thanks for listening.
Join us next time for more expert insights and straight talk on how AI and insurtech innovations are transforming the insurance value chain. See you on the next episode!