Cyber security is a hot mess and insurance is our best shot at fixing it.

Rotem Iram
At-Bay
Feb 20, 2020

Announcing our $34M Series B.

Nobody realized cyber risk was going to be this big of an issue. Software has been eating the world for the last three decades. In the early days, functional gains were huge, and cyber risk was very low. Shipping early and fixing later was better for everyone. Terms and conditions were created that put no liability on the software vendor, giving them freedom to move fast. We were all better off for it.

Fast forward to today: in mature software verticals, functional gains from upgrades are diminishing, and cyber risk from vulnerabilities is exponentially increasing. The average security breach costs an American business more than $8 million. As many as 60% of small businesses go under within a year of a cyber-attack. Ransomware attacks hit 174 municipalities in 2019. To take just one example, New Orleans was forced to declare a state of emergency after being hit with a devastating ransomware attack that caused major disruption to the city and expenses north of $7 million. That is millions that could have gone to schools, infrastructure or police, and is instead being diverted to clean up this cyber house of cards.

The way we manage cyber risk as a society is flawed, from top to bottom. As value was transferred from the physical world to the digital one, bad actors proliferated to exploit the inherently vulnerable system we built: nation states, organized crime, petty criminals and even activists. The risk is only going to grow as every part of our economy is digitized. When the entire economy is built on a minimally viable product — not just one MVP product, but a leaning tower of hundreds of minimally viable products — we are setting ourselves up for a catastrophe.

If you are a business owner, the cyber security deck is stacked against you. You likely have hundreds of technologies in your stack. Each technology is a possible Trojan horse through which criminals can pillage your company. You’re up against sophisticated, well-resourced nations and crime syndicates, with no help from your government. Managing this risk is a nearly impossible task for anyone.

So where do you start? The cyber security landscape is equally difficult to traverse, with thousands of vendors each pushing their own product, offering very little proof of return on investment. Wading into the security sector only adds to the complexity.

One cyber security partner, financially aligned with your business

What you need is a single partner, with the technical expertise to manage risk across your entire technology stack, unbiased in navigating security solutions, and most importantly, financially aligned with your business, equally motivated to keep you secure.

For centuries, insurance has helped businesses manage the risk of deploying new technology and business models. The insurance industry previously set standards in buildings, industrial equipment, and automobiles, just to name a few.

Today, At-Bay is helping businesses manage cyber risk.

At-Bay is building a new kind of insurance company, designed from the ground up to manage the unique risks associated with doing business in the digital age. We employ a team of security professionals who complement our insurance team. We built a fully automated reconnaissance engine which maps out all of your externally-facing technology assets, running each one against thousands of vulnerabilities, updated continuously to stay ahead of the newest attacks. Every time a new vulnerability is found in any one of the hundreds of technologies in your stack, At-Bay is there to notify you of the issue and help you address it. This service is free for every client as part of your insurance coverage. As your insurer, we have clearly aligned incentives to help you avoid risk.

And in the absence of other market incentives, we fully intend to bring accountability to the software landscape.

It’s not that I believe all software vendors are bad, but rather that they have bad incentives that today are causing incredible damage, to an extent that was unimaginable when software was new.

Here is one example of how misaligned incentives lead to significant losses. Microsoft’s Office365 is a wildly popular product with more than 200 million active monthly users. In theory, moving your operations to Office365 should be much more secure than on-premise Exchange servers, since Microsoft has far more resources and expertise at their disposal to secure their cloud than a small company has to secure their own server.

But in practice, Office365 is far riskier than any other email client in our portfolio. About 35% of our portfolio companies use Office365, yet it accounts for more than 70% of losses due to cyber breaches that originate in email.

Why is this so? Microsoft defaults all Office365 security settings to low to ease the migration from Exchange. Given the incentives for Microsoft, this makes perfect sense. They are an IT company, not a security company. Microsoft gets paid for functionality, not security. Furthermore, they face no liability for attacks that exploit these low settings. Their customers don’t even realize they are making this tradeoff.

But we do, and we’re underwriting for it. We explicitly tell our prospective customers that run on Office365 that their insurance coverage will be limited unless they show the security settings are set back to adequate levels.

We intend to be the missing link in the security feedback loop. Insurance will assign a premium to functional technology choices, from the configuration of your network, to the specific technology vendors you choose. Understanding the relationships between technology and security choices, and the associated financial risk exposure of each of those choices, will provide businesses with guidance and standards for their cyber security program. The bottom line: insurance gives people and companies clear incentive to change practices.

A $34M Series B with new partners in the fight against cyber risk

I am honored to announce that we have gained new partners in the fight against cyber risk, as we raise a $34 million Series B led by Acrew Capital, joined by Munich Re Ventures, with returning investors Lightspeed Venture Partners, Khosla Ventures and Shlomo Kramer also participating.

We couldn’t be more thrilled by the investors that chose to support us. Mark Kraynak and the Acrew team bring deep security and fintech expertise, and a team. We welcome Mark to our Board of Directors and look forward to his mentorship and support. Acrew is joined by Munich Re Ventures, our business partner for the past three years. Their confidence and support means the world to us and is an incredible validation of what we are building.

This new investment follows an incredible year in which we doubled our team, opened offices in New York and Atlanta, refined our insurance offering with two new products, saw 400% growth of our broker network and 10x revenue growth year-over-year. I am most proud to say we have negative churn with a 100% client retention rate: every client we signed up has renewed their policy over the past year.

Rethinking cyber risk from the ground up

As we move forward as a company, we want to rethink how cyber risk is approached across the entire landscape, from business owners, to software vendors, to government agencies and security companies. If you are also passionate about helping organizations manage risk to adopt innovation with no reservations, check out our open roles at: https://www.at-bay.com/careers.
