Alternative data can be a powerful tool to let challengers edge out incumbents through creative collection and analysis strategies. But, if regulations haven’t caught up with realities, then up-and-coming players may face major obstacles before their ambitions transform a sector in their image. Privacy and security concerns are real, too. 

Cowbell, an AI-powered cyber insurance provider for SMEs, leverages alternative data to provide timely policies to its clients, while also using data from the businesses it covers to provide security-based insights, which helps create a more secure business environment across sectors. Notably, regulation provides a sales opportunity for Cowbell, while providing fewer regulatory headaches than one would encounter in consumer-based spaces. 

In a conversation with The Financial Revolutionist, Cowbell Chief Strategy Officer Matthew Jones describes Cowbell’s bread and butter, compares their regulatory obligations to those of B2C insurtechs, and considers the future of insurance and security. 

This interview has been edited for length and clarity.

The Financial Revolutionist: What’s Cowbell’s competitive advantage?

Matthew Jones: We’re a cyber insurance MGA. Our products, Prime 100, Prime 250, and Prime 1000, are segmented for companies with annual revenue in the millions up to that number. 

Cowbell was founded three years ago, and at the center of the business are the Cowbell Factors, which are the proprietary rating engine we use to evaluate companies’ cybersecurity posture. We currently monitor about 26 million companies out of the 32 million that could in theory be insured by Cowbell.

For every company, we create eight different scores across a number of different attack vectors or exposures. We combine all those into what we call the company’s aggregate Cowbell Factor. And then we also create industry Cowbell Factors and our own our methodology is to do a relative rating compared to other companies in an industry. 

We have an incurred loss ratio below 40%, which we believe is market-leading. The average in our kind of SME space is just under 70%.

Where do you get this alternative data from—does that present any liability or compliance issues?

We subscribe to a range of data sources, and where needed, we go and build the scanners ourselves. But the information that we are getting our hands on is either totally public in the first place, or these databases are either being populated by these companies or these other companies are paying people to go and collect that data. The kind of data that we're collecting is out there anyway, and what we're doing is making sense of it.

What incentivizes companies to hand over their data for that purpose?

The reason that many potential policyholders come to us is because by the time that they come to us, in about 80% of cases we already have an opinion on that risk. Unlike other traditional insurance companies, where you have to turn up and provide them with pages and pages of data, we have a view before you turn up, because we've been we've been scanning that environment. Cyber coverage can be sometimes difficult to get hold of, and often companies want certainty as to their ability to get coverage very, very quickly.

Internal to companies we help insure, data shared with us is explicitly consented to. People at these companies are providing us with access because they want something in return. What they're getting is advice and nudges as to improvements that they can make. 

It’s worth noting that Prime 1000, your latest product for companies between $250M and $1B in annual revenue, offers dynamic pricing according to a company’s changing Cowbell Factor—but that product doesn’t appear beholden to the data-collection concerns of, say, an auto insurance carrier’s products.

It’s perceived to be very different when it's a consumer. And consumer protections are more stringent in the insurance industry than they are for businesses. It seems the assumption is that when a CFO is the one that's buying a policy, then maybe they're more informed about what they're buying and the risks around it. 

if you're making an investment into your cybersecurity posture, you can also get credits for that to make it worthwhile from a financial perspective. We'll also give you visibility as to what it's going to cost to renew your policy next year, to make sure that you're able to continue to get coverage in the in the future. A lot of these companies have to have cyber insurance in order to be able to do business with their suppliers, with their customers, with the government, and so they need some kind of certainty as to what it's going to cost them.

So compliance and regulation for clients become a wedge for you to use for customer growth.

For the last 350 years or so, insurance has been an enabler for economic growth, activity, and industry. It started with the fact that insurance meant that you could get a ship from the UK to the US; it then moved into skyscraper construction and property and liability insurance. I think this is the natural next step in development—so you can't operate and do business online or with certain kinds of entities unless you've got this kind of coverage.