Neil Gurnhill: Our capacity is provided by a number of Lloyd’s of London syndicates. Lloyd’s of London is a very old and well-known institute for insurance. It’s conducted insurance for over 200 years. Within Lloyd’s, there are syndicates.
If a syndicate wants to participate in the cyber risk arena but doesn’t have the internal capabilities themselves, they will look for specialists like Node. They will grant us capacity to underwrite on their behalf.
We then build a product around that capacity. Then we engage with brokers who introduce us to their clients. We work with the broker to bring about the correct insurance.
Sramana Mitra: Let’s talk about what you insure and how you insure. What are the technology touchpoints in your business?
Neil Gurnhill: The framework for the insurance is relatively simple. There are two sides. Once we’re aware of an event, our first job is to get to the bottom of the problem as quickly as we can. It’s very much first-party risk.
The policy would cover all costs and provide all services to the insured for forensic and legal investigations. It’s a bit like the cavalry in a way. Instead of the insured having to try and find these services instantly, they are made available to the insured.
Straight away, the first point of trigger would be all the responsive measures in place. Once that has been assessed, identified, and stopped, and once the necessary measures are done, the trigger becomes possible third-party liabilities, whether there’s legal duress from another company.
It’s really addressing first-party events and then any third-party liabilities that arise after the circumstance.
Sramana Mitra: It sounds like there are a bunch of technologies and protective measures that you recommend to your clients. You work with vendors who provide those.
Neil Gurnhill: We do.
Sramana Mitra: In particular, I’m also trying to understand the business model around that. For a security vendor, you are a channel. What is that relationship?
Neil Gurnhill: We are very unique. The way that we operate is completely unique in the sense that we’re the only company that we’re aware of that employs InfoSec professionals. We bring people in from the InfoSec and cyber security world to sell our products versus using insurance brokers who have never sold digital risk insurance. It’s a very bad mix.
It’s far easier for InfoSec professionals to understand insurance than it is for insurance professionals to understand InfoSec. What we do is a combination of external monitoring provisions using some of our own in-house tools. The way we work is, we have a large list of vendors and security partners. We identify the ones that we feel bring the most value to.
We approach the insured who either have never bought cyber insurance before or don’t understand how it fits onto their risk mitigation. We meet with a lot of boards. The insurance broker will bring us in. At that point, we do an assessment.