Welcome back to Moscone West in San Francisco. You're watching theCUBE's continuous coverage of RSA 2023. This conference is back in a big way. Many thousands of exhibitors. It's got to be 50,000, 60,000 people here on day two. Really, things actually kicked off on Saturday. Tonight is the big crescendo. A lot of parties going on tonight, tomorrow night. You know, we'll be going all day through Wednesday. Rotem Iram is here. He's the CEO and co-founder of At-Bay. We're going to talk about cyber and the insurance industry coming together. Rotem, good to see you. Thanks for coming on theCUBE.

Yeah, thanks for having me.

You're welcome. So tell us about At-Bay. Are you an insurance company or a cybersecurity company?

Well, we're both.

Yes, yes, okay.

Yes, At-Bay is... we are a cyber insurance and security company using cybersecurity expertise. We've built an insurance company from scratch to provide insurance coverage for businesses, small businesses, medium-sized businesses in the U.S. We have more than 30,000 customers by now in the country. And we use our expertise not only to help them with their insurance; we actually step in and provide them with security technology and operations to help them avoid a claim in the first place.

Yeah, so, I mean, we always hear in the security business how, you know, several years ago security became a board-level issue. We hear about culture in big organizations. Small business, they don't wake up in the morning thinking about security. They're trying to stay alive. They're worried about cash flow, where they're going to get their next loan, how they're going to meet payroll, you know, how they're going to grow, whatever. They have a variety of challenges that they're dealing with. You know, security is not top of mind. So I presume security doesn't work that well in small business. What's your perspective?

It doesn't, and you know, what we're asking small businesses is really unfair.
You know, imagine you bought a car as a small business because you needed to drive to work, and then your brakes fail. And after the crash, you realize that there was a critical vulnerability in the brake system. You needed to read the blog. You needed to patch it yourself. The manufacturer of the brakes takes no responsibility. They're not going to let you know. They're not going to recall the product. They're not liable. And you have 50 different vendors in your car. Each one breaks three times a year. Now you need to have a full-time mechanic. The amount of expertise and the cost to keep your technology stack secure is more than what a small business can handle. And then on the other side, it's not like you're dealing with your neighborhood criminal. You're dealing with nation-states, organized criminal groups, and every 15-year-old on the planet with internet access. And so it's not a surprise that they're overwhelmed and they are underserved by security, because they have no buyer. They have no budget. And even if you gave them the security for free, they have no operator. It's like if I gifted you an airplane but you have no pilot's license, you won't be able to use it. And so even though we've been doing this for 20, 25 years now, we're not making any progress. The gap isn't getting closed, not even close to that.

I want to ask you about some misconceptions that I hear from small business owners. Yeah, "we're not a target." You hear that all the time. Or "all our data's in the cloud." Right, "they're taking care of my security." Easy question, but explain why that... First of all, why is that... I presume you hear that as well. Why is that prevalent? And why is that not the right way to think about it?

So what I would say is that small businesses are correct that they are not targeted. But what they are is... it's a different kind of targeting. It's more like a drive-by shooting. Basically, with a small business, the attacker cannot afford to spend a lot of time.
And so what they do is they cherry-pick. And so they scan every IP address in America and they look for predictable vulnerabilities that can be exploited relatively easily for a quick gain. And so that's why we see ransomware or phishing as the two most prevalent types of attacks. So yeah, you're not targeted, but everybody is targeted by those kinds of sweeping, broad scans. What you don't want to be is... you don't want to show up on their shortlist as somebody that has this flashing light, that big vulnerability that can be exploited. To your second question on cloud, what I will say is that cloud's not perfect, but from what we see from our data, from analyzing the claims of our own insureds, we see that companies that are digitally native, that are cloud-first, are dramatically more secure than companies that still manage their systems themselves. And the reason is that small companies fail at managing their own systems. And so even though Google or Amazon or Microsoft are not perfect, they're better at managing your stack than you might be at managing your own stack.

There's a but, though, because you still have a shared responsibility piece. You've got to secure the S3 bucket, maybe not the physical bucket, but you've got to make sure that you're not putting sensitive data in there, that your developers aren't putting hard-coded secrets.

100%, but I can tell you, out of more than 30,000 customers and thousands of claims a year, I think we might have had one that had an Amazon S3 bucket involved in it. Everything else is...

Your customers, yes. Okay, is that because of you?

We definitely help, but what I will say is that I think there's... look, being here in San Francisco, in the hub of high tech, we often tend to spend more time talking about problems that tech companies have, and we take for granted the level of sophistication that companies in San Francisco have.
But everybody east of Reno has a different technology stack that is 10 or 20 years old, that is still on-premise. It's not cloud-based, and the way that they get attacked is, to be honest, kind of basic and predictable, but not anywhere close to being figured out.

Explain how your model works in terms of insurance and cybersecurity practices, and how do they go together? Maybe give our audience an understanding of that.

Yeah, so security's been around for 25 years. Cyber insurance is a little bit newer as an industry, but it has grown dramatically, and insurance policies pay for damages from cyber attacks, whether it's data privacy issues or restoration of networks or data, or whether it's even dealing with a ransomware incident. It includes first-party damages and third-party damages to your partners, or lawsuits from third parties. But what we see is that most small companies end up... they can't buy security for all the reasons I mentioned earlier, and then they buy an insurance policy, they have a claim, and the insurance policy pays for damage that security could have solved. And so we're seeing these two separate solutions that by themselves don't really move the needle in terms of fixing this kind of broken system. And our approach, as a new entrant into insurance: we're a cybersecurity company first, but we've built an insurance company with the idea that we would step in and we would help companies solve their security gaps, we would avoid the claim altogether, and so we would need to pay less for the claims, we could charge less on the insurance, and everybody wins.

And you'd be more profitable in the long run. So, versus an insurance-only company that might say, either I'm not going to insure you or you have to show me that you have a relationship where you've got adequate cyber controls, which a lot of small businesses don't, how do you help the company? Do you come in and do an assessment?
Are you their SOC? How does that all work?

Great question. So what we do is, the first thing is really trying to understand what we are dealing with. Which assets do you even have, and what is their status? Is there anything here that needs immediate attention before we can even provide you with an insurance policy? We do that ahead of partnering with our security team. We run tests from the outside in, similar to what an attacker would do. So if the attacker's doing a drive-by scan of every business in America, we do the exact same thing, and we want to see, would you pop up on an attacker's shortlist of companies they should go after first? If we feel that the risk profile makes sense, and we help companies get there, we then provide them with a security exposure management solution, which is basically a vulnerability management tool that brings in information from the outside, threat intelligence, and information from inside, existing security controls that the company already has. We run it through our own risk engine, so we run it against our own claims data to try and understand which one of these things matters, because we know companies... there's always something that needs fixing, so we want to make sure companies spend time only on the things that actually drive claims and drive incidents. And then we have our own security team that manages it in some sort of a virtual SOC, virtual CISO relationship, where throughout the year and during these issues, we help them remediate whatever needs help. If they do have a claim, our own response and recovery team would come in on the scene and actually restore the systems and help companies get back to...

This is interesting. So you make sure there's no... well, you look for open wounds and sort of identify them, and then are you a managed service? Is that right?

There's a very strong managed service component here.
We don't replace the MSP in terms of taking care of basic IT needs, but we definitely up-level the security team in terms of giving them that kind of depth of expertise, and also the 24/7 monitoring that we can afford to do and they can't.

So it's interesting, because you mentioned IT teams. A lot of SMBs who are running mostly in the cloud, you don't have an IT team, right? So what do you do in that instance? Do you partner with sort of IT teams, managed IT service providers?

Yes, 100%. So we find that about a third of our customers don't have any IT person in the company. By the way, not only those that are on the cloud; even those that are on-premise, many of them use Mike's computer shop from down the street to manage their security for them. Then we partner with Mike and his peers and we help them, we give them our tools, our services, our expertise, and we work with them to help the customer.

And you act as a fractional CISO, is that right?

There's... yes. I would say that's a good way of saying it.

Is that a fair way? Yeah, okay.

And I think what matters here is that once we're on, once we've sold you a policy, we tend to probably lose more money than you. And that gives us a really big incentive to help solve an open issue. And so we would deploy our own resources and use our own scale and our own expertise to make sure that we get the customer back on their feet. We are much happier spending money on improving security than paying claims or paying the attackers.

Well, what's interesting is you've got at least a quasi-vertically integrated stack, if you will, between insurance and cyber. So you, like you said, have an incentive. And if, for whatever reason, something goes wrong, you're there to help fix it. You're taking responsibility for that. There's not that kind of finger-pointing.

And what I will say more, there's a real opportunity here to unlock savings.
Because again, once we're your insurance provider, it makes sense for us to pay for the security controls that would improve your position. What we find oftentimes is that for us to subsidize, fully subsidize, the cost of a security control would reduce our expected losses. And so we make money by giving you security. And we just feel that there's a magic here that happens when you combine the incentives and scale of an insurance company with the fact that smaller businesses can't really afford to buy these controls on their own. They don't have anybody who knows that they should even buy those controls. And look, if you take a step back a little bit, when we're in the echo chamber of cybersecurity, it's hard to see kind of the bigger picture, but insurance has always been the one to standardize the risk stack. I mean, the reason why right here on this ceiling there are sprinkler systems, it's not because whoever built this building is passionate about the brand of the specific sprinkler provider, or the technology. There's a code in the building. It was created by the insurance company. Insurance companies provide the standards. They provide not only kind of the trade-offs in the decisions you make and the incentive to improve your security, they also help standardize the ecosystem and say what you should get, what you shouldn't get, how much you should pay, how much is an EDR worth. You know, what is the right price for an EDR? Insurance companies can tell you that, because we see 25% of our book has EDR, the other 75% doesn't. I can tell you what is the average expected loss for each bucket, and that's how much you should pay.

Okay, and you're in the business of reducing the expected loss. I mean, obviously... talk about the changing risk profile. I'm really interested in this. And the reason I bring that up is, I mean, cyber is so unpredictable.
Now you've got AI coming in, and not that you didn't have it before, but now in the last 150 days, it's top of mind. And on the dark web, they're sure talking about how to exploit this. I heard Buffett the other day, and I think I heard this right, because they've got Geico, talking about auto insurance. He says he's repricing now every six months. He wished he could reprice every month. I'm like, okay, that says the risk profile's changing. I heard the other day in the news that they had expected that the situation because of climate change with forest fires was going to be much greater 10 years down the road. Last year in California, it pulled forward that 10 years. So the risk profile's changing dramatically. How do you de-risk your business and your customers' businesses?

Yeah, it's a great question. Insurance is a tricky product because you price it first and you learn how much it costs you a year later. And you use your experience in the past to forecast your experiences in the future. And one thing we know about cyber, with the rate at which technology changes, is that that is never adequate. And what we found was that you could either try to reprice it every week and every month, which obviously we do for new accounts, but for existing policyholders, you went to a lot of effort to try and figure out what's the right price that represents the risk of a company, and then two months later it's completely different. What do you do now? You definitely don't want to leave the company hanging without adequate coverage. And what we found was that if we step in and we help them fix the issues that they have, we can bring the risk back to its original levels. Some of the macro technology trends you mentioned, like AI, represent a meaningful threat. We believe that we're going to see a significant uptick in social engineering and fraud.
AI can impersonate a human in a way that is currently very crudely done by folks who are most of the time overseas, trying to impersonate American help desk providers and whatnot, not often very successfully. That's going to change, and we will need to reassess. I think that the security of communication interfaces, whether email or in other ways, needs to improve dramatically. More accountability needs to be on the builders of the pipes. So if you provide an email solution, that solution needs to be a lot more robust. You can't just rely on a customer choosing to pay extra for security. Today, we're driving cars without seatbelts and we're telling people they can go and purchase a seatbelt for $25 a seat, and most people don't. And I think that we probably need to bring that in-house. We might even need the government to apply a little bit of pressure here.

How do people find you? How do you go to market?

So we work with insurance brokers. Insurance brokers are the consultants that help companies understand what is the best solution out there, and we partner with them to provide our products to customers. Once we bring them in as insurance customers, we then introduce our security team and we build a security relationship and we integrate our security products as well.

And your security products, are they a combination of sort of organic products and sort of things that you OEM with some of the best of breed? Can you explain that?

Yeah, so the most critical components in our offering we build ourselves, and then we partner with best-of-breed companies across all domains of security. So for example, this week we announced a partnership with SentinelOne on EDR. We announced a partnership with Mimecast on email security, and it goes down the line with great companies across all important domains, identity and access management and others.

What are the most critical components that you want to have your own IP on?
I think for us, the one area in security where we feel we are the most credible is in prioritizing which issue to go after first. It's because we are the ones who see at scale which issues get exploited by attackers. And so the security industry has created frameworks with scoring and ways to try and quantify how critical an issue is. But they're all theoretical models. We use our own losses to score.

You're real data.

Actual data, and it's not just data, it's dollars that we spend. And we believe that the unit of measurement for risk is dollars, and therefore everything we do, we measure in dollars. So that's the component that we want to bring in-house, and then the actual point solution that prevents or that blocks is probably where we would partner.

You know, the week leading up to RSA, you get inundated with reports as an analyst. And I was looking at one, I think it was Palo Alto Networks, that showed a really interesting chart that 80% of the alerts come from 5% of the rules. Right, and so to your point about prioritization. You know, and this has been the case for years and years and years. It's always the same, the same, the same. You're saying you have IP because of your data and your information on actual loss, that you can identify the ones that are most important.

And I'll tell you, there's recommendation fatigue, and security companies would only go to a certain extent to deliver a point, because they still want to preserve the customer. Whereas we, when we feel we're going to lose a million dollars, we're going to be a little more intent on making sure that you understand what needs to be done and that you follow through. It's not always... I think there needs to be a grown-up here sometimes, and the insurance company can play that role very effectively. People tend to also be more compliant when their insurance company calls. And I think that's an important job that needs to be done.

So that brings me to my next question.
There's certainly a narrative in the vendor community, the cybersecurity vendor community, that we don't spend enough on security. And the implication being, if we spend more we'll be more secure. Should we? Is that true? I mean, because basically what you're saying is that you're more aligned with the customer, because if you can eliminate the risk, the expected loss, you make more money. They spend less. So is spending more the answer?

I think there are still meaningful gaps in security. Not all of them require spending more money. Some of them are better configuration, and using the tools you already have. A lot of people buy tools and then don't properly configure them and don't properly manage them. In some cases, there are definitely gaps. As an example, anybody who's still using kind of endpoint protection and has not upgraded to EDR, I would say absolutely upgrade to EDR. It's a meaningful de-risking. So spend there.

Spend there. That's ROI.

Absolutely. Other places, just make use of MFA and...

It won't cost much.

It won't cost much, and make sure you secure your email environment. But I think that if we are successful in what we're doing, we could potentially bring down the risk, and with it the size of the category. But to me that wouldn't be a bad thing.

So there's some $5 fixes that give you big ROI. Low denominator, high return. And then there are other areas where actually you get a faster ROI. It does make sense to spend.

Yes.

Rotem, great conversation. Thanks so much for coming on theCUBE.

Thanks for having me. It's a pleasure.

You're very welcome. All right, keep it right there. This is theCUBE's continuous coverage. Go to siliconangle.com. News is flooding the channel. We've got all of our writers and journalists here. John Furrier, Dave Vellante. We'll be right back right after this short break from RSA 2023 from Moscone West.