Q&A with Forgepoint EIR Anthony Dagostino on Cyber Risk Management and Insurance for the Digital Age
Tanya Loh
December 8, 2021
Anthony Dagostino was an Entrepreneur in Residence at Forgepoint Capital and is now Global Chief Cyber Underwriting Officer at AXA.
Anthony, you began your career as a financial analyst and then an underwriter – fast forward and you’re now a leading authority on cyber insurance and risk management. Can you share your story and how you got here?
It has definitely been a wild ride. In college, I took pre-law and entrepreneurial studies, so venture capital always interested me, which led me to my first job after I graduated. While I loved the analysis and due diligence on early-stage companies, an opportunity arose to help The Hartford grow its Financial Products division by becoming an underwriter focusing on errors and omissions insurance, which is a financial loss insurance product for different types of companies. I quickly became enamored with the industry given the financial, legal, sales, and human relationship aspects of each day. As my career progressed, so did the digital evolution that companies were undergoing. Almost every company was becoming a technology company in some way and with that, the risk of security continued to grow and mutate. Insurance not only remained as a balance sheet protection mechanism but also became a means to improve organizations’ cyber risk management. These firsthand experiences with companies led me to opportunities to create cyber insurance products, develop risk management software platforms, and stand up a global consulting practice focused on cyber risk management and quantification.
Of all the pivotal moments in your career, which situation are you most proud of?
What first comes to mind is the 2013 Target breach, which had a tremendous impact on me and my career. At the time, I had been in the insurance underwriting industry for close to 10 years. The industry, for good reason historically, was very focused on actuarial analysis and having history predict the future in terms of underwriting approach and pricing. More traditional property and casualty insurance underwriting methods were used, and the people involved in the underwriting analysis typically had limited IT background. Imagine technology and cyber insurance being underwritten with very limited subject matter expertise! At the time, I worked at the company that was first in line to pay the Target claim and was heavily involved in the underwriting of Target as well as the claim process. During the underwriting process, we were very focused on the fact that Target ‘encrypted’ its data, seeing it as a major benefit. However, we quickly learned during the incident that while encryption was done at the point-of-sale terminal, end-to-end encryption was lacking across the organization. This eye-opening realization led me and my team to start proactively meeting with cybersecurity companies to learn first-hand the intricacies of system architecture and cybersecurity. No one has all the answers, and from that point I committed to always being a student and constantly learning, both inside and outside my professional life.
What will you be doing as an EIR here at Forgepoint?
I’m excited to be a part of the Forgepoint team. My focus here is to bring a cyber risk management lens to work with the current portfolio, help identify new opportunities, and look to challenge the current approach to cyber and technology insurance.
Ransomware is on the rise, with serious implications. How would you describe its impact?
I’ve seen the impact it can make on organizations across all industries, sizes, and levels of security maturity, from large companies unable to communicate with their own employees to small firms coming close to shutting their doors if adequate insurance wasn’t in place. While the size of the ransomware demands can be daunting at times, the magnitude of the net income lost associated with downtime is very concerning and should be at the forefront for every organization should something happen. The insurance industry is a great component of improving security posture given the rich claim data. In one recent study I conducted across companies of all sizes and industries, the average ransom amount paid after negotiation was around $1.5M, but the average business interruption claim arising from ensuing loss as a result of the ransomware was $5M. While these are pure averages over a large range of data, it shows the magnitude of how companies can be impacted.
More and more companies are opting for cyber insurance to help offset the costs of responding to and recovering from cyber attacks. How would you describe the state of the cyber insurance market?
First of all, premiums and deductibles are increasing, while capacity and coverage are decreasing. Then controls are being scrutinized more than ever. These days, companies need to stay on top of a multitude of controls in order to get the best coverage. We’re in a state of change while insurance companies figure out how they will best meet policyholder needs while ensuring profitability. While premiums are increasing to make up for inadequate pricing of the past, new ways to underwrite are emerging which could lead to better cyber risk management and a good way to incentivize better and more effective controls.
What should companies think about when considering their cyber insurance coverage and how much to get?
What’s the company’s exposure if something should happen? Companies need to consider what a ‘really bad day’ looks like and how a disruption in technology or theft of data or funds impacts that scenario. Aside from contracts that may require a certain amount of insurance to be carried, the cyber risk quantification space has improved dramatically over the year. Forgepoint portfolio company CyberCube, for example, uses data from many sources to look at probability of loss. When I was on the risk advisory side, I used CyberCube often to assist boards, CISOs, and risk managers on how much coverage to buy. Lastly, the insurance companies look for certain controls to be in place in order to get the best coverage – MFA, network segmentation and data encryption, privileged access management, employee training, having a strong incident response plan, offline backups, endpoint detection and response, patch management, and attack surface testing are among the standard controls needed for the broadest coverage.
What’s the most rewarding aspect of what you do?
It’s two-fold – meeting people, building relationships and then being able to connect them to others for their own success is extremely rewarding. Second, the mission around improving cyber risk and security contributes more broadly to national security, company resiliency, and employee well-being. I’ve seen this first-hand and it definitely defines our roles as being meaningful to the greater good.
What cybersecurity trend are you most excited about?
Telemetry for cyber risk management. Given the growth in the cybersecurity market, along with new, cutting-edge solutions entering the market, and the claim data harvested by the insurance industry, there are a lot more signals to pull from for a more informed view of threats, vulnerabilities, and best practices. Put these together and there are exciting approaches to not only underwrite cyber insurance better, but also provide more effective risk management solutions for companies.
If you weren’t advising companies on cyber risk management and insurance, what would you be doing?
Advising my wife and three daughters on cyber risk management regarding their social media and online activity!
Thank you for reading. Have a question for Anthony? Get in touch: adagostino@forgepointcap.com.