At-Bay at World Economic Forum: Sharing the Cyber Insurance Perspective
Video from panel discussion, “Demystifying the Economics of Security by Design”
At the 2023 World Economic Forum Annual Meeting on Cybersecurity in Geneva, Switzerland, At-Bay Co-founder and CEO Rotem Iram participated in a panel discussion titled “Demystifying the Economics of Security by Design.”
Larry Clinton, President and CEO of Internet Security Alliance, facilitated the session. Other members of the panel included Chief Information Security Officer at Lenovo, Jason Ruger; Deputy Chief Executive at Cybersecurity Agency of Singapore, Kuan Seah Chua; and Senior Consultant of Research Innovation at Dubai Electronic Security Centre, Bushra AlBlooshi.
The conversation examined the cybersecurity challenges created by the rapidly evolving technology landscape. Rotem shared the cyber insurance perspective, explaining how insurance can lead the way in pushing software providers to achieve “security by design”.
Hear Rotem’s point of view in this video, or read the transcript below:
Transcript: How Insurance Could Set the Standard for Software Security
Larry Clinton:
We are still faced with an environment where we are largely getting products that are insecure by design and default. So the market may not be completely managing this problem, even if some of us think it should.
You did mention the fact that you work in a vast majority of countries, Rotem Iram, CEO of At-Bay. I’d like to ask you, do you think that it is possible for us to structure a government mandate that would cover all of those various countries? Or would we be better off trying to evolve some sort of system of market incentives that would get companies to do this? In particular, would insurance [play this] role?
Rotem Iram:
Hey, everyone, I’m the insurance guy. At-Bay is a cyber insurance company [for] small and medium-sized businesses in the United States.
Let’s start with this idea: should we force everybody to secure by design [or] secure by default?
I don’t think we need everybody. From what we see from the claims that we pay, we can tell you that less than 1% of software causes more than 99% of attacks.
[In the] last five years, 50% of all ransomware in America came from a single remote access tool that is created by a company that’s bigger than $1 trillion. We all know this, yet we still sit here, and we’re not running to go and fix it. That’s half of all ransomware in America, from a single issue.
41% of all the claims we pay started in an email. There are only two email clients. (Or three, but there should be two. [Microsoft] Exchange needs to transition into Office 365.) There are two email clients by two trillion-dollar companies, and for some reason, they sell email security as a separate package.
When you look at the malware that is hiding inside the files as attachments inside those emails, more than 50% of the malware comes from [Microsoft] Office documents — which, again, is a single trillion-dollar company. Some of the vulnerabilities in those documents have been around for almost 20 years.
Yes, innovation is important. 25 years ago, when software really started, I think moving fast and cheaply and fixing later created huge functional gains and benefits.
Today, Microsoft Excel is one example: it’s a 20-year-old product, and version 2023 is not that much better than 2022. Yet the vulnerabilities that we incur with each new version are pretty meaningful. This is a mature technology with billions of users, and I think it needs to have [different expectations] of ownership over the risk that is created today and help[ing] fuel what is becoming a very large risk industry.
So if it’s all this easy and we all know the answers, [then] why is it not happening? I think that the reality is that when software was created as an industry — and [this] might have been the right choice back then — we put very little accountability, very little liability, on the software vendors. We pushed it out to the consumer. It’s basically “use at your own risk.”
That leads [to the] question: if there’s a market failure here, should we bring in government?
What I would suggest is, if you take a look at every other domain of risk, and you look at the risk stack that has been established as the standard stack, it has actually always been the insurance industry that [has] figured out the stack and has [created] a standard. The reason why there are smoke alarms in this building and not other fire prevention technology has to do with the code that was created by the insurance industry.
Government comes in at the very end, after the insurance compan[ies] have established the standard, and then decides whether: (A) We should turn this from a standard into compliance, and (B) We should make sure that the cost is incurred by the vendor and not by the consumer. I think that’s the role where government can come in and be effective.
Otherwise, my expectation is that […] insurance companies can really [dictate and help] figure out what is effective [and] what prevents damage from happening, then enforce it through the insurance policy and through the underwriting.
I think that is something that is probably going to be much more meaningful, and I think it’s an exciting opportunity because the insurance policy is a great tool for compliance. It’s a tool that the risk managers in the company and the board really understand.
Larry Clinton:
So, can I just quickly follow up? I understand the role of the insurance company and the collaborative role that you’re identifying for the government. But if you could quickly help me [in] understanding how that would work in the vast, diverse, international market that we have — who makes that mandate?
Rotem Iram:
So, even though insurance is [an] incredibly fragmented market based on every country with its own regulation[s], insurance capital is pretty concentrated. At the end of the day, there [have already been] a small number of relatively collaborative efforts [made by the] insurance [industry].
I can give you one example: as ransomware really picked up in 2020-2021, the insurance industry decided to take a step up in terms of how much we ask from our customers in return for insurance.
One thing that we started to mandate as an industry was: you must have [multi-factor authentication], MFA, which until then was a recommendation. I think we saw, in two years, more companies adopt MFA than in the previous two decades that MFA was there.
It is a way that we can push for those standards. Underwriting standards can be relatively well transferred across borders. But then there [are] specific regulation[s] that each country can enact.
Larry Clinton:
Okay, so the insurance companies would set this standard, and then the individual […] countries would have to follow up with some sort of regulation.
About Rotem Iram
Rotem Iram is the Co-Founder and Chief Executive Officer of At-Bay, the world’s first InsurSec provider designed from the ground up to help businesses tackle cyber risk head on. By combining industry-leading insurance with world-class cybersecurity technology, At-Bay offers end-to-end prevention and protection for the digital age.
Before founding At-Bay in 2016, Iram spent two years as Managing Director and Chief Operating Officer at K2 Intelligence, a leading global risk management firm focusing on cyber intelligence, cyber defense strategy, and incident response. He began his career as a captain in Unit 8200 of the Israeli Intelligence Corps and was a consultant at McKinsey & Company. Iram holds a BS in Computer Engineering from The Hebrew University of Jerusalem and an MBA from Harvard Business School.