Joshua Motta is the co-founder and CEO of San Francisco-based Coalition Inc., which provides cyber liability insurance and security to organizations in the United States and Canada. Before the coalition, Mr. Receive senior executives and head of special projects at Cloudflare Inc., a web infrastructure and security company, following roles including Goldman Sachs Group Inc., CIA and Microsoft Inc. Mr. Receive discussed the pandemic's impact on cyber risks and insurance with senior reporter Judy Greenwald. Edited excerpts follow.
Q: How has the cyber market been affected by the pandemic?
A: The impact of the pandemic on the cyber market has been profound, both in the short and long term. The transition to working from home, the dramatic acceleration of technology in most organizations has made cyber as critical as it has ever been for most organizations, but has also increased their exposure to cyber risk. In the long run, it will continue to be deep, as the pandemic has indeed forced an acceleration of technology that would otherwise have taken years and compressed it into months, if not weeks, for organizations. I believe that it will have a very positive impact in the long run because the market for cyber insurance products is as critical and as important as it has ever been.
Q: Has work from home led to a significant increase in cyber losses?
A: It has, and the reason for that, is that it has opened up new opportunities for criminal actors to sacrifice organizations. For example, many organizations used to only accept checks by mail, but given the transition to working from home, criminals could take advantage of the change in behavior and trick people into switching funds instead of sending them to accounts controlled by criminals. Working from home has led to an increase in social technology losses, in ransomware-related losses and data breaches.
Q: What permanent changes will there be in the market due to the pandemic?
A: Remote access will be a more permanent function, perhaps not to the extent it is today but certainly to a much greater extent than before the pandemic. There will certainly be permanent changes in how organizations can configure their networks to facilitate teleworking. From the perspective of the insurance market, the deterioration of the loss environment has already caused a number of cyber insurance markets to withdraw. Obviously, there have been significant limitations in coverage from many cyber insurance markets. Some of these changes will be permanent, but others, even in the short term, have been profound.
Q: What do you see as the outlook for the cyber insurance market?
A: My overall view is positive because there has never been a greater need for cyber insurance. For insured persons, it is crucial to deal with what has become the most pervasive risk they face.
Q: Has the pandemic slowed or disturbed you?
A: On the contrary. The pandemic has accelerated our growth. There is a greater awareness among organizations of the risks that technology and cyber threats pose to them. There is a growing awareness that cyber insurance is an effective tool for transferring risk.
Q: Will companies return to pre-pandemic standards when we return to a normal environment?
A: Absolutely not. There will be a new standard, and the new standard will include more technology, more risk
from technology. There is no backward, only forward.
Q: How do you view the ransomware problem?
A: The topic of the day is ransomware. Ransomware is in fact the biggest culprit behind the significant deterioration of the loss ratio across the cyber insurance market. It has been Challenge No. 1
Q: Do you think companies should pay for ransomware?
A: No one stronger than I wants extortion ransomware to be paid for. Unfortunately, that is not the reality. I think there are circumstances under which they must be paid. In many cases, it is an existential choice between paying for ransomware or death (for the organization). It is inevitable, so my conviction is that it should be paid, in that respect, as an absolute last resort.
Q: What if the argument that paying for ransomware encourages criminals?
A: I would say "yes", but it is also a kind of stupid argument that the criminals will continue to do so, regardless of whether the insurance companies cover the loss. Kidnapping and ransom insurance has been around for a very long time, and there is a risk of moral danger, but I do not think that the fact that an insurance policy covers extortion makes a significant difference in criminal behavior. Organizations will have to pay for ransomware whether they are covered by insurance or not, as it is again a choice between destroying and rescuing the business. It's not a nice choice to make, and obviously there are a lot of insurance companies that can work with the government to combat this threat, but I think the criticism is a bit unfounded. Personally, as I said, we would never recommend that a customer pay a ransom, but as I said, we work to help a customer survive.
Q: What are the coalition's plans?
A: Our plans are to grow to protect millions of organizations both in the markets we are currently in, in the United States and Canada, as well as internationally. We also intend to introduce new products that help cover other forms of losses that organizations face, such as liability insurance for board members and executives. If an organization were to experience a cyber loss and it was thought that the board members and officials were negligent in protecting the company, they could have shareholders' disputes as a result. Cyber risk and cyber insurance are two different things, and simply put, our plan is to create insurance products, or expand the availability of our insurance products, to confirm comprehensive cyber risks in other lines of insurance.