Joshua Motta is co-founder and CEO of San Francisco-based Coalition Inc., which provides cyber liability insurance and security to organizations in the U.S. and Canada. Prior to Coalition, Mr. Motta was a senior executive and head of special projects at Cloudflare Inc., a web infrastructure and security company, following roles at Goldman Sachs Group Inc., the CIA, and Microsoft Inc., among others. Mr. Motta discussed the pandemic’s effect on cyber risks and insurance with Senior Reporter Judy Greenwald. Edited excerpts follow. 

Q: How has the cyber market been impacted by the pandemic? 

A: The impact of the pandemic on the cyber market has been profound, both in the near term and in the long term. The move to working from home, the dramatic acceleration of the use of technology in most organizations has made cyber as critical as it’s ever been for most organizations, but also increased their exposure to cyber risk. In the long term, it will continue to be profound, as the pandemic has really forced an acceleration of technology that would otherwise have taken years and compressed it into months, if not weeks, for organizations. I think it will have a very positive impact in the long term in that the market for cyber insurance products is as critical and as important as it’s ever been. 

Q: Has working from home led to a significant increase in cyber losses? 

A: It has, and the reason it has is it has opened new opportunities for criminal actors to victimize organizations. For example, many organizations used to only accept checks by mail but, given the move to working from home, criminals were able to take advantage of the change in behavior and trick people into wiring funds, instead of mailing them, to accounts that the criminals control. Working from home has led to an increase in social engineering losses, in ransomware-related losses and data breaches.  

Q: What permanent changes will there be in the market because of the pandemic? 

A: Remote access is going to become a more permanent feature, maybe not to the extent it is today but certainly to a much greater extent than prior to the pandemic. There are certainly going to be permanent changes as to how organizations can configure their networks to facilitate remote working. From the perspective of the insurance market, the deterioration in the loss environment has already led a number of cyber insurance markets to pull out. Obviously, there’s been significant restrictions in coverage by many cyber insurance markets. Some of those changes will be permanent, but others, even in the near term, have been profound. 

Q: What do you see as the outlook for the cyber insurance market? 

A: My overall outlook is positive because there has never been a greater need for cyber insurance. It is critical for insureds to manage what has become the most pervasive risk they face. 

Q: Has the pandemic slowed or disrupted you? 

A: Quite the opposite. The pandemic has accelerated our growth. There’s a greater awareness among organizations of the risks that technology and cyber threats pose to them. There’s a growing awareness that cyber insurance is an effective tool to transfer the risk.

Q: Will business revert to pre-pandemic norms whenever we return to a normal environment? 

A: Absolutely not. It will be a new normal, and that new normal will include more technology, more risk
from technology. There’s no backwards, only forwards. 

Q: How do you view the issue of ransomware? 

A: The topic du jour is ransomware. Ransomware is really the main culprit behind the significant deterioration in loss ratios across the cyber insurance market. That’s been the No. 1 challenge in 2020, and I don’t predict that will change in 2021. 

Q: Do you think companies should pay ransomware? 

A: No one more strongly than me wishes that extortion ransomware should not be paid. Unfortunately, that’s not the reality. I do believe there are circumstances under which they must be paid. In many cases, it’s an existential choice between paying the ransomware or death (for the organization). It’s unavoidable, so my belief is that it should be paid, in that respect, as an absolutely last resort.

Q: What about the argument that paying ransomware encourages criminals? 

A: I’d say, “yes,” but also it’s sort of a silly argument in that the criminals are going to keep doing it, irrespective of whether insurance companies cover the loss. Kidnap and ransom insurance has existed for a very long time, and there is a risk of a moral hazard, but I do not believe that the fact that an insurance policy covers an extortion makes a material difference in the criminal behavior. Organizations are going to have to pay the ransomware whether or not they’re covered by insurance because, again, it’s a choice between ruin and saving the business. It’s not a pleasant choice to make, and obviously there’s a lot insurance companies can do together with the government in combating this threat, but I believe that criticism is a bit unfounded. Personally, as I’ve said, we would never recommend that a customer pay a ransom, but that said, we’re in the business of helping a customer survive. 

Q: What are Coalition’s plans? 

A: Our plans are to grow, to protect millions of organizations both inside of the markets we’re currently in, in the U.S. and Canada, as well as internationally. We also intend to introduce new products that help cover other forms of loss that organizations face, for example, directors and officers liability insurance. If an organization were to experience a cyber loss, and it was believed the directors and officers were negligent in protecting the company, they could have litigation from shareholders as a result. Cyber risk and cyber insurance are two different things, and simply put, our plan is to create insurance products, or expand the availability of our insurance products, to affirmatively cover cyber risks in other lines of insurance.