Corvus Insurance: Smarter Commercial Insurance for the Growing $10b+ Cyber Risk Market
From cyber to tech E&O to cargo insurance, Corvus is building smarter commercial policies to account for the growing threat of novel cyber risks.
Welcome to The Future State: Insurance where we profile the startups rewriting the future of insurance. If you like what you read, subscribe here:
In commercial markets, where accurate coverage matters more than price and where policies are predominantly sold through brokers – how do you beat out institutional safe choices like Chubb and AIG?
Fresh off a $100m round at a $750m valuation, Corvus Insurance, a commercial cyber, tech E&O, and cargo insurance MGA, comes in with a two-pronged thesis:
First, cyber risk is one of the foremost growing risks for businesses small and large. In a growing digital age, different facets of businesses (from data centers to cargo containers to gasoline pipelines) are digitally exposed to attacks that can detrimentally affect businesses. Corvus is creating a playbook to streamline the creation of commercial policies that meet these new and expansive cyber risks that leverage unique sources of data not only for underwriting but also for preventative and mitigation measures (enabling Corvus to be a better service provider in the long run).
Second – similar to the strategy of Openly, which we profiled last month – Corvus is all about making the broker the hero. Provide the broker with the tools and information – in a speedy manner – that make the broker sound smarter and more knowledgeable in front of the policyholder. Help the broker do their job. While customers won’t choose Corvus every time, in an industry built on relationships, easing the burden of the salesman (the broker) could very well increase the likelihood of a Corvus policy getting signed over a competitor.
Will Corvus take flight and take hold of all cyber-related commercial insurance?
Problem
Cyber attacks are increasing in frequency and severity, affecting businesses in numerous ways beyond just data breaches. Moreover, policyholders and brokers aren’t as well-informed as they could be when shopping for cyber-related policies, leading to policyholders not knowing about their vulnerabilities and what their true coverage should be.
The problem here exists at two levels. First, how do you measure and quantify cyber risk so that you can create better commercial insurance products in a world increasingly exposed to cyber threats? (And if you can quantify that risk, you can figure out ways to reduce that risk). Second, how do you better sell commercial insurance products?
Growing Cyber Threats
We’ve seen the steady rise in cyber-crime and the subsequent economic costs of cyber-breaches growing. We know that large enterprise customers underwrote this risk and believed that eventually companies would want to do this type of offering. (Marcus Bartam, General Partner, Telstra Ventures)
If there’s anything the recent Colonial Pipeline attack has shown us, it’s that cyberattacks leave rippling effects across a business, hurting consumers at the end of the chain. As businesses grow their digital footprints, they are exposed in more and more ways to cyberattacks – from network security vulnerabilities, breaches, phishing attempts, and more.
Cyber risk isn’t only related to cyber insurance – seeking to cover the losses of data breaches and so forth. In a world where businesses rely on other software businesses or where cargo shipments are heavily intertwined with software systems, a cyber attack can inadvertently result in the revenue loss for a customer or for cargo shipments to stall (or an entire gasoline pipeline to temporarily shutter operations leaving the southeast with a supply shortage).
The fact of the matter is that cyber breaches are costly. The average cost of a data breach is pitted at $3.9m, a malware attack $2.6m, a ransomware attack ~$220,000, and the cost of lost business due to cyber attacks is pitted at $1.5m. Cyber attacks are prevalent and are not slowing down either:
88% of organizations experienced phishing attempts in 2019.
Cisco estimates there will be 15.4 million DDoS attacks worldwide.
67% of financial institutions reported an increase in cyber attacks with 26% facing destructive attacks.
Attacks on IoT devices tripled in H1 2019.
Commercial Brokers
Nobody builds tech for commercial insurance brokers. These are the folks who are "buying" commercial insurance. Most customers just want to get to the point. They turn to the broker and ask: What should we do? Moreover, brokers have business pressures too. If the insurance policy is very small and the commission is only a hundred dollars, brokers care about efficiency, simplicity, and speed. (Philip Edmundson, Founder and CEO, Corvus Insurance)
The commercial broker market can be split between those that turn around lots of policies that look similar to one another and those that need detailed education information about their client’s risk profile.
In the first group, these are brokers need a fast, efficient online system for quoting for similar-looking policies.
In the second group, the more complex (or larger) the business, the more complex the policy. The broker needs to explain the benefits of coverages (and services) so that they can provide the proper risk management advice.
When commercial brokers sell policies, often the buyer (the business) isn’t exactly the shopper. The broker can get into the nuances of each policy but, ultimately, the broker is the one who recommends and provides the risk management advice they couldn’t otherwise get. When it comes to cyber policies, businesses aren’t sure what their vulnerabilities are (if they don’t already have a cybersecurity system in place) or where the buyer benchmarks against similar types of companies in order to make an informed decision about which policy to purchase.
Solution
Corvus Insurance is a data-driven commercial insurance MGA that offers cyber, tech E&O, and cargo insurance.
Corvus’s solution is two-fold: (1) smart insurance products and (2) tools for brokers. By making it easy for brokers to inform their customers and sell insurance policies, Corvus is greasing the pipeline so that they can streamline commercial insurance distribution. When it comes to insurance products, it’s not just about innovating on the coverage, it’s also about innovating on the prevention and mitigation techniques.
First, we’ll start with Corvus’s current product suite:
Cyber: Corvus offers cyber policies (for both primary and excess risks) for businesses up to $2b in revenue. Corvus serves industries such as healthcare, retail, financial institutions, and more. Corvus’s average policy size is $9,000 per year.
Tech E&O: While cyber covers the damage caused to the business, Tech E&O covers the legal fees related to damages caused to a business’s clients or customers. If you offer a software product that other businesses rely upon, a system failure or an error could result in lost revenues for said businesses. Corvus serves most technology-based services with the exception of social networks, UGC sites, adult content, and online dating.
Cargo & Cyber: Building on the theme of where there’s technology there’s data to leverage for smarter underwriting and preventative measures. Cargo is now so intertwined with software systems and IoT sensors, enabling Corvus to build out more sophisticated cargo policies. Cargo insurance, simply, covers the costs associated with loss or damaged cargo. Corvus targets life sciences and food & beverage companies and covers most transit forms. Enhanced forms of coverage are for perishable products (e.g. spoilage or product deterioration).
Corvus’s capital partners are Hudson Insurance Group (cyber), Crum & Forster (tech E&O), and Skyward Speciality Insurance (cargo and cyber).
Businesses across industries are digitizing their operations and with that comes increasing cyber risks. Corvus’s proprietary products enable customers to mitigate those risks upstream, creating a virtuous circle for a multitude of stakeholders: their software can detect actionable IT security threats to organizations (better return for capital providers), simultaneously building data sets and tools (added value for brokers and policyholders) that ultimately inform policyholders of opportunities to avoid cyber attacks (financial benefits for organizations and, again, better results for capital providers thanks to lower claims). (Vishal Vasishth, Co-founder, Obvious Ventures)
What we do is use data not only to inform our underwriting, but to help the broker look heroic. And we do that by producing a variety of metrics, benchmarking information, and calculations that help them answer questions like: How much insurance should I buy? How do I compare to other organizations like mine? I’m a bank with $100m in revenues each year. Boy, it looks like I got a really good score of 92. Does that mean I’m in a good place? Well, probably not because for most banks, they score 98 because banks tend to be really good at cyber security? (Edmunson, Founder and CEO, Corvus Insurance)
As part of all of its policies, Corvus uses its Corvus Scan for Dynamic Loss Prevention (DLP), which acts as a way to assess and benchmark a policyholder’s cyber risk. The Corvus Scan is a mix of penetration testing (i.e. a simulated attack with permission of the customer) and a non-invasive scan of the IT infrastructure that is visible to the public. When policyholders are quoted, they get put through an automated scan that pulls in these risk assessments across ransomware & cyber extortion, disclosure of sensitive information, network security & privacy, and more. These assessments are weighted into the Corvus Score. In general, the higher the score, the broader the coverage and the more competitive the premium.
The policyholder is then benchmarked against their peers and given recommendations on how to fix those vulnerabilities. Corvus routinely scans and monitors policyholders so that policyholders can fix issues before they arise. Corvus provides cybersecurity alerts and provides access to breach coaches in the event of an attack. Insurance companies, at their core, don’t want to pay out claims, so by helping prevent the calamity, it’s a win-win for both the insurance company (Corvus) and the policyholder. Moreover, through these additional services, Corvus hopes to boost its retention by providing a valuable policyholder experience.
On the broker side, Corvus has its CrowBar platform that enables brokers to easily access quotes, receive DLP information for submissions, and manage claims. The platform offers the following information:
Quick Quoting: Corvus enables brokers to get a bindable quote and a Corvus Score within a few minutes (on simpler accounts).
Risk Management: The CrowBar platform also provides pre-claim support services, risk management, and learning resources to ensure (potential) policyholders are educated about emerging cyber risks.
Easy Applications: By building out automations that help auto-populate information on policyholders, Corvus reduces the number of inputs required for quoting – making it easier and faster for brokers to obtain quotes. Applications can be completed in less than a minute.
Corvus’s many flight paths
With the growing cyber threats affecting all parts of a business, Corvus has ample opportunities outside of cyber alone (and is already on its way) to reach a $1b valuation.
We saw two market opportunities for Corvus, one straightforward to size and the other more speculative. The cyber insurance market is already sizeable and growing quickly. We believed Corvus could become a leading player in a medium-sized market. The second opportunity involves other commercial lines like Employment Practices, D&O, and more, which have historically been built and sold without any sense for the related cyber risks. Making businesses “cyber aware” is a 5-10x larger opportunity than pure cyber. (Matt Harris, Partner, Bain Capital)
Incumbent commercial insurers are valued between 1x and 3x forward-looking revenues. To be valued at $1b, Corvus would need to generate between $333m and $1b in annual premiums. As of January 2021, Corvus had $120m in annual premiums growing 250% year-over-year, so Corvus looks to be on the path to reaching that goal. Growth won’t always be 250% each year. But given its advanced risk assessments (Edmundson relayed that their Corvus Score is “immensely predictive in terms of severity and frequency of cyber losses” which could suggest that loss ratios are quite low), we can easily imagine Corvus trading at something (much) higher.
Corvus currently operates in the cyber, tech E&O, and cargo insurance markets. In these markets alone, Corvus doesn’t have to branch out to become a $1b company. Cyber is a $5.3b market in the U.S. (expected to grow at a 21% CAGR globally through 2025), (U.S.) E&O is a $2b market, and (U.S.) ocean marine (cargo) is a $3b market1.
When just taking into account the cyber market alone, the path seems apparent. Looking at the professional liability market, the top 4 players have ~10% of the market each2. Extrapolating that to the cyber market, 10% of the U.S. market today is $530m in cyber premiums, which is more than the $333m requirement at a 3x multiple (all assuming that Corvus becomes a leader in the market). Mix this with its other lines, one can imagine there are multiple pathways to get to a $1b valuation. All being said, Corvus is currently valued at $750m against $120m revenues.
Though, Corvus isn’t stopping with cyber, E&O, and cargo. Corvus has its eyes set on the prize and they won’t go after a market they don’t believe they have an advantage in.
When it comes to insurance products, Corvus is building a playbook to streamline the creation and distribution of commercial insurance products. When deciding to create a new product, Corvus takes into account the availability of data sets, whether that data can help predict and prevent claims, the size of the market, and the state of the competition. It’s very much a top-down approach to product creation. Corvus is seeking to carve chunk by chunk out of the ~$300b U.S. commercial insurance market – going up against players like Chubb, Travelers, Liberty Mutual, and Zurich.
Corvus is already working on an insurance product for financial institutions –– which seems like a logical extension of their Tech E&O and Cyber policies. For this product, Corvus can start bundling in other coverages like D&O, ID fraud expense reimbursement, and other P&C coverages. Especially as banks (and insurance companies) become more and more digitized (and are increasingly the target of attacks), more novel risks emerge that Corvus can have a leg up on.
Where there is extractable and replicable data, you will probably find Corvus building. Workers compensation seems like an easy one to cross off the list (as corresponding data sets, like social media data, are heavily fragmented3). Other interesting areas where Corvus could play include commercial auto and fleet insurance with the rise of telematics (which is a $52b market in the U.S., as of 2021), flood insurance leveraging aerial and sensor, or even agricultural insurance as more farmers adopt IoT solutions for soil and crop monitoring.
New products aside, Edmundson understands the business hinges on distribution and the broker (and numerous investors believe Corvus has cracked that code). Edmundson said himself: “The idea of using data to make better insurance products… we’d get laughed out of the room. With every new product line, we’re still going through the broker channel and we need to make sure we’re making them look the best they can at the end of each meeting and closing more deals.”
Thank you to Philip Edmundson and Stephen Tarleton of Corvus Insurance, Marcus Bartam of Telstra Ventures, Matt Harris of Bain Capital, and Vishal Vasishth of Obvious Ventures.
Did you like what you read? Please share! 😊
In case you missed our previous posts:
Upcoming Posts (released every other week, in order):
Wrapbook on embedding entertainment production insurance and workers comp into payroll software. Wrapbook is the top ranked Series A companies by our Investor Signal score, having raised a $27m round led by a16z.
Embedded insurance landscape breakdown
Founder and investor interviews
How did you like the post?
Great | Good | Could Have Been Better
Have any other questions, comments, or feedback? My email is harry@radicleinsights.com. Please reach out 🙏. Would love to hear your thoughts!
The U.S. Tech E&O and Cargo market estimates were provided by Corvus Insurance.
J.P. Morgan. (2018). P&C Insurance: Finding Opportunity in the Business of Risk, but Value Scarce.