Pleasanton, California-based cyber insurance firm Cowbell Cyber has emerged from stealth, announcing its Cowbell Factor product with $3.3 million seed funding from leading insurance, cybersecurity and artificial intelligence venture funds, including ManchesterStory Group, Holmes Murphy & Associates, Tri-Valley Ventures and the Global Insurance Accelerator.
Founded in January 2019 by Jack Kudale, Cowbell describes itself as a cyber risk and insurance observability platform.
The cyber insurance market is growing, and has the potential to grow substantially. German reinsurance giant Munich Re said in September 2018 that it would grow to $8 to $9 billion by 2020. Separately, Allied Market Research has predicted it will grow to $14 billion by 2022. But it has problems. Cyber insurance is primarily a gap filler — a product developed by the insurance industry to fill the cyber gaps left by other insurances. At the same time, the industry has little history on which to base the premiums to fill these gaps.
Two basic problems for the insurance industry are that the buyers don’t know what they need (to fill the gaps in what they have), and the sellers don’t know how much to charge for what they sell. Both sides need to get this right. If the premiums are too low, the industry won’t make a profit; if they are too high, then the market will struggle. The danger, Steve Durbin, managing director of the Information Security Forum, told SecurityWeek, is that if the insurance industry badly miscalculates the balance between premiums and exposure, “several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover.”
At the same time, if the policy holder doesn’t fill the right gaps, he won’t be covered. An example in point is the issue between Mondelez and Zurich. Mondelez believed it was covered against NotPetya losses through its property insurance. Technically, it was — but was subject to the standard ‘war exclusion’ clause that applies to property. Zurich denied the Mondelez NotPetya claim ultimately because it was a property insurance rather than a cyber insurance. There is no known example of an insurer denying a NotPetya claim against a cyber insurance policy (largely because there is no standard war exclusion in cyber).