Kovrr: This Company Quantifies Cyber Risk On-Demand To Help Companies Make Intelligent Data-Driven Decisions

By Amit Chowdhry • Jan 10, 2024

Kovrr is a company that financially quantifies cyber risk on demand. By utilizing Kovrr’s Cyber Risk Quantification Platform, CISOs, CROs, and boards can make more intelligent data-driven decisions about how to manage the companies’ cyber risk (whether to accept, mitigate, or transfer the risk), prioritizing new technology investments and measuring the return on investment (ROI) in specific controls or programs. Pulse 2.0 interviewed Kovrr CEO Yakir Golan to learn more about the company.

Yakir Golan’s Background

Golan started his career in the Israeli intelligence forces. Golan said:

“After the service, I worked in a variety of different positions, including software development, hardware design, product management, marketing, and business development, so I became familiar with multiple aspects of the high-tech industry and the global cybersecurity market. I also earned my undergraduate degree, a BSc in Electrical Engineering from the Technion, Israel Institute of Technology, and my MBA from IE Business School in Madrid. After several years of experimenting with various business perspectives, I decided to turn my attention toward cyber risk management and focus on bringing tools that quantify cyber risk to the market.”

Formation Of Kovrr

How did the idea for the company originally come together, and what are your primary responsibilities as CEO? Golan shared:

“The idea of ‘Kovrr’ started with an aspiration to develop a fully-fledged software solution that provided risk mitigation advice while simultaneously incorporating data-backed financial metrics. My co-founders and I envisioned a business world with enhanced cybersecurity conversation on the enterprise risk management level that transformed the way companies approach cyber risk.”

“From day one, we said we would build the best models, which ultimately meant we needed to be at scale for continuous validation and calibration. This need is why we started Kovrr with a focus on the insurance industry, enabling us to amass large data sets rapidly and, ultimately, give us a competitive advantage. After starting to gain a reputation for accuracy, we gradually onboarded some of the largest global insurance groups, for example, Allianz and AON. Working with them gave us access to a unique stream of loss data, further enabling this necessary validation and calibration for our models.”

“Following our success in the insurance industry, in early 2022, we expanded to the enterprise arena, which quickly became the primary business target for Kovrr, and we’ve acquired many top brand clients since then, such as Staples, Royal Mail, and Playtech, to name a few.”

“As cybersecurity continues to demonstrate itself to be one of the top, if not the top, business risks, our platform and models offer chief information security officers and other executives a means to communicate cyber risk in broader terms key stakeholders are more familiar with. With our platform, CISOs can prioritize and justify budget requests and spending decisions and leverage externally verified data to pursue the most effective risk management initiatives or transfer strategies.”

“As a CEO, I’m always looking for ways to enhance our models further and ensure that clients feel confident in our CRQ forecasts.”

Favorite Memory

What has been your favorite moment working for the company so far? Golan reflected:

“During the 2019 coronavirus lockdown, everything was taken to the digital realm, and we really had to find creative ways to connect and collaborate. When we were finally free to travel and attend conferences, it was so exciting to experience the collision of our digital world and the ‘real’ world. There’s an energy when people with a shared enthusiasm and passion for cybersecurity are physically together, and to be around the exchanging of ideas and participate in meaningful discussions and to learn, face-to-face, the features our customers were really in need of, was really riveting. And, of course, remote work had surged, so there were all of these novel, innovative solutions trying to address the new cybersecurity risks.”

Core Products

What are the company’s core products and features? Golan explained:

“Kovrr’s platform quantifies cyber risks, meaning it employs statistical models to assess the likelihood of an organization experiencing specific cyber events and their respective potential financial costs. Using a Monte Carlo simulation, we produce a loss exceedance curve that forecasts the range of possibilities in the organization’s cyber landscape for the upcoming year.”

“One of the main benefits CISOs get is streamlined communication with key stakeholders who otherwise wouldn’t understand the technical intricacies of cybersecurity. Kovrr translates cyber risk into business terms that facilitate more meaningful, higher-level strategic discussions and drive data-driven cyber programs.”

“Another feature we offer is cyber insurance fit-for-purpose analysis. With the platform, organizations upload their current insurance policies, compare their actual risk likelihoods and expected financial losses, and then find room for optimization of the terms and conditions versus risk reduction ROI from other potential activities.”

“Our most recent offering is our Cyber Materiality Report. Organizations, such as those registered with the US SEC and the Australian Prudential Regulation Authority, are required to disclose ‘material’ risks and incidents, even though there’s not a clear, shared definition of what that constitutes. After conducting extensive research, we came up with a preliminary basis of revenue that organizations can use as a starting benchmark for materiality determination, and we were the first to productize in the market.”

Challenges Faced

What challenges have you faced in building and scaling the company, and has the current macroeconomic climate affected your company? Golan acknowledged:

“In the cyber industry, vendors are all competing for the same budget, which is usually limited. Plus, it’s a highly competitive economy, which puts service providers in the position of really putting our ear to the market and learning what CISOs and cybersecurity teams need from us. From what I’ve seen, this situation has brought about some really innovative solutions. It also is the reason we’re seeing a trend of organizations turning towards tool consolidation. The landscape forces us to really listen to what our customers need and figure out ways to deliver it to them, which can be challenging at times, but mostly, it’s a great excuse to implement valuable new features that serve as differentiators.”

Evolution Of Kovrr’s Technology

How has the company’s technology evolved since launching? Golan noted:

“From day one, we have been providing cyber risk quantification. However, in the beginning, our primary users were global insurers and reinsurers leveraging our models to underwrite policies. After we experienced several of these particular use cases, it became clear that a much larger pain point for the insurance industry was a lack of understanding of the accumulated cyber risk within portfolios. We then expanded the supported platform use cases and introduced our unique methodology of grouping cyber risks via CRIMZON, a framework that takes into account organization location, industry, and size, which was then widely acknowledged for its accuracy.”

“From that point on, we started receiving fantastic feedback on the accuracy of our models. We signed with more and more large insurance providers and, in 2020, crossed 1 million model validation data points, which was a huge milestone for us. As word spread, we received several inquiries from enterprises requesting assistance in their quantification efforts vis-a-vis data collection and modeling.”

“After working with several enterprise-level clients, we decided it was time to expand into the enterprise market ‘officially.’ We launched our on-demand platform, Kovrr CRQ, which leverages the same cyber risk models that had been used and calibrated by the insurance industry.”

“To better serve our enterprise clients, we’ve also pushed our technology to capture organizational complexities by introducing the ability to integrate internal security control data. The additional inputs allow our CRQ models to produce more granular insights, enabling our solution to provide concrete recommendations for security control improvements at the asset level and justify resource allocation by reflecting the potential ROI of changes.”

Significant Milestones

What have been some of the company’s most significant milestones? Golan cited:

“One year after we were founded, we secured access to millions of proprietary insurance data points, significantly enhancing statistical calibrations for accurate risk assessments. In 2019, our model validation extended to 500,000 companies. 2020 witnessed the launch of an open framework for global cyber risk exposure measurement. The following year, 2021, marked a transition to a multi-model approach, broadening our strategies. In 2022, model validation expanded to cover insights from roughly 5 million companies. And, of course, expanding to the enterprise market was a huge transition and achievement.”

Customer Success Stories

Asked about customer success stories, Golan cited:

“We worked with a PE firm with a portfolio of over €600 million assets under management. They needed to assess their cybersecurity insurance coverage in relation to their cyber posture and make sure that clauses and sub-limits were incorporated into their new policy to optimize coverage. They wanted to negotiate a better deal, but they also needed the confidence that they were buying enough insurance according to their risk appetite.”

“With our cyber-sphere (Kovrr’s approach to mapping an organization’s assets and processes to their internal systems and applications), along with our calibrated models, the firm was able to view each of the portfolio companies’ expected financial risk, as well as the entire aggregate risk. With our insurance analysis feature, it was then relatively straightforward for them to view the ROI of specific insurance policies, and they were able to visualize the areas in which it was more cost-effective to pursue alternative mitigation efforts.”

“Leveraging our platform, they were eventually able to negotiate a deal that better suited their potential cyber risk and reduced the insurance costs of the entire portfolio, on average, by 17%.”

Differentiation From The Competition

What differentiates the company from its competition? Golan affirmed:

“Time-to-Value – Other cyber risk quantification methods are extremely resource-intensive, but our platform eliminates the slow, manual processes and efficiently delivers insights such as the top risk drivers and the largest contributions to the cybersecurity program.”

“Insurance-Grade Models – Because of our unique background, we have privileged access to an extensive database of insurance loss data sources, including cyber insurance claims. Our models, therefore, have been validated at scale to highlight the specific events a business may experience and their relative costs.”

“Granular Risk Visibility – Our cyber sphere maps a company’s environment, taking into account which business units have access to specific data or how sensitive information is stored. CISOs and business leaders can review cyber risk at any of these levels, like the group, subsidiary, or any other business unit.”

“Most Significant Cyber Risk Identification and Prioritization – You can easily see which cyber events are most likely to cause significant financial damage and then prioritize risk mitigation efforts accordingly. We also offer risk mitigation recommendations according to the most prevalent risk frameworks, such as NIST, CIS, and ISO, which allows organizations to see the specific ROI of initiatives.”

Future Company Goals

What are some of the company’s future goals? Golan pointed out:

“In our mission to spearhead the CRQ revolution and empower CISOs with communicable, data-driven insights, we recently launched an initiative that promotes the elevation of their role and cybersecurity as a whole to ensure business resiliency. This ‘Shift Up’ strategy supports CISOs in their efforts to build relationships with key executives and encourages them to incorporate cybersecurity into high-level business discussions. Ultimately, by adopting the Shift Up approach with a CRQ solution, CISOs can help these stakeholders understand, in broader business terms, how cyber efforts directly drive organization value.”

“The broader market conditions, like increased cybersecurity regulations, the growing cost of cyber events, and the need to ‘do more with fewer resources’ have really fostered an environment that demands CISOs to embrace the CRQ revolution. The need for consistent, clear communication between cybersecurity leaders, board members, and other executives has never been more apparent.”

“By translating cyber risk into event likelihood and potential monetary impact, CISOs can easily speak the language of the boardroom and ‘Shift Up’ the conversation. With the financial insights from Kovrr’s CRQ solution, stakeholders can then understand which risk mitigation initiatives will have the biggest effect and produce a positive ROI. They can also use these figures when determining the organization’s overall risk appetite. Our CRQ solution gives them an on-demand overview of the risk landscape they face, facilitating this all-too-necessary Shift Up strategy and allowing them to make data-driven, strategic plans that align with business needs and ensure financial and ‘cyber’ security.”

Additional Thoughts

Any additional thoughts? Golan concluded:

“Despite the SEC’s July 2023 regulations requiring public corporations to disclose ‘material’ cyber risks and incidents, their definition of ‘material’ is conspicuously vague. On the one hand, this makes sense – materiality is going to vary according to the organization. At the same time, it’s caused a lot of confusion.”

“Many organizations don’t even know where to begin when it comes to determining materiality. To aid them, in addition to our Cyber Materiality Report, we’ve also released the Fortune 1000 Cyber Risk Report, shedding light on the likely occurrence and relative costs of ‘material’ cyber incidents anticipated in the coming year according to various industries, which may carry consequences significant enough to warrant SEC disclosures.”

“These benchmarks offer organizations a deeper understanding of the types of cyber events and their corresponding financial impacts most likely to be disclosed in the coming years. They also help CISOs to transcend traditional cybersecurity terminology, facilitating effective communication with board members who may not be well-versed in the technical aspects.”