- Experiencing the fundraising winter firsthand
- Currently, nobody to call for digital incident response though we already enjoy physical incident response services
- The Great Fire of London (1666)
- Do we need a Cyber 9/11
- The combination of cyber incident response with insurance
- Data collection and modeling patterns of risk
A couple of other titles we considered for this episode, but ultimately rejected:
- What Is the Activation Rate?
- The Forensics Is the Most Important Data
Read the best-effort transcript below (This technology is still not as good as they say it is…):
Michael Waitze 0:10
Now we actually are officially on. Are you ready to go?
Gene Yu 0:14
Yes, I am.
Michael Waitze 0:16
Hi, this is Michael Waitze. And welcome back to the Asia Tech Podcast. These are some of my favorite episodes. We have Gene Yu back on the platform, the CEO of BlackPanda. It’s good to have you back. How are you doing today?
Gene Yu 0:29
Thank you, Michael. I’m honored to be back. I enjoyed our first conversation quite a bit. So I’m excited today.
Michael Waitze 0:35
Yeah, and you know, I always say this to the best guests. But we always like to have you back after there’s a follow up. And so my thought, I think it was May 2022, I checked, almost nine months ago. So perfect. Can we, before we get into one of the really big topics that I want to discuss with you, just do a little bit of a wrap up, like, what did we learn in 2022? And what does it mean for 2023? For you and for BlackPanda?
Gene Yu 1:00
I mean, I think it’s a good segue into the announcement with the Series A close. I think 2022 was a big wake-up call for the venture capital community, right, you know, with the market. And when I say a wake-up call, I mean, particularly for founders, and getting the feedback of making sure we get back to the fundamentals, you know, business and, you know, all those aspects that kind of flushed out with the drive of capital. So 2022 was a learning experience along those lines, of the play’s over a bit, you know, that market, that market feedback and signal is very clear, and certainly impacted us quite a bit through the due diligence process and the Series A raise as well.
Michael Waitze 1:42
So everybody talks about how hard the Series A is, right. And you know, for my money, if you’re funding an early stage company, you’re basically funding an experiment. But if you’re funding a Series A company, you believe in the story, you believe in growth, and really what you’re doing is saying, let’s fund some growth. But again, you’re right, from the middle of 2022 until the end, like the market just felt really tenuous. Did you feel that personally when you were out raising? And I’m curious, like, how the tenor of those conversations changed as you got closer and closer to actually getting people to invest? You know what I mean? Because it builds. Yeah, sorry, go ahead.
Gene Yu 2:19
Yeah, totally. So I think that the main observation, lesson learned, was that I could literally watch it happen across the end of 2021 and 2022, as previously, a very long conversation suddenly began becoming very cold, meaning slow responses, or just straight up just getting good at all of a sudden, that went from, you know, 2021, where we’re getting ready for the Series A raise, to have, you know, dozens of VCs interested to talk, quite active with their teams, engaging us in speaking, and then just to watch that suddenly drop off. That was kind of the process across 2022. I’ve just seen that interest and responsiveness from the market dissipate, right, just in front of your eyes, right. And so, and then, of course, the conversation is becoming much, much tougher with the other ones that are still even staying in the conversation. So
Michael Waitze 3:16
to a certain extent, I think it says a lot about your business and about the team that you’ve put together. I mean, raising $15 million in this environment in this region, to me is fantastic, right. And that’s one of the reasons why I reached out to you. The other thing that I feel like happened at the end of 2022 is this whole idea of now we’re really going to start paying attention, not just you and I but everybody else, to OpenAI. And I’m just curious if that had any impact on your business, per se, but also on the raise, right? Did people ask you about it at all?
Gene Yu 3:47
Interesting. For us, no, you know, we’re not, you know, to be very precise about our tech, we’re still in the machine learning phase. I will be able to claim any real AI from that standpoint, but no, there was no direct impact for us as a cybersecurity company. But yeah.
Michael Waitze 4:08
Okay, can we talk about this? Look, one of the other impetuses for me contacting you was the story and the narrative around the democratization of cyber response. Right, we take response for granted in a whole bunch of different ways, right? To be fair, I live in a condo. If something goes wrong in my condo, I just call the juristic office. They’re right there. They come upstairs, they fix my life, they fix my pipes, like, whatever it is. They’re just there and they’re there constantly. And to be fair, even if they’re not in the office, there’s a phone number where I can reach them. This is a very simple process. I want you, just a little bit, to do some storytelling for me and go back to this idea of 1666 and the fire in London, so you can explain to people where the concept comes from, and then what it looks like today in the context of BlackPanda. Is that fair?
Gene Yu 4:50
Absolutely. Michael, thanks. So I always like to describe exactly what you just said. The problem out there is that we deserve it: we enjoy democratized physical incident response services. Here in Singapore we dial 999, in the States 911. Somebody will show up if there’s a fire ongoing at our house, right? We all enjoy those democratized services. But if somebody attempts to digitally vandalize, rob, or murder you, there’s nobody for you to call, right? There’s no, well, put simply, there’s no democratized version of the service in the digital or cyber space. Right. So when we think about where these physical crisis response services came from, I always like making the analogy for BlackPanda in digital forensics and incident response as cybersecurity firefighters and arson investigators. So I want to go look very specifically back at that example. And in our research, we discovered an event in 1666, called the Great Fire of London, which nearly destroyed the city forever. And out of the ashes of this event, fire insurance emerged as a product. Prior to the Great Fire of London, the only type of insurance that existed in the world was marine insurance for vessels traveling to the New World. As insurance companies started experimenting with fire insurance coverage, they discovered that it was most cost effective to build their own private fire brigades, to go put out the fire as fast as possible to limit the claims damage that they would pay out. Very logical. Okay, so these private fire brigades were fire incident response. And just like a cyber insurance policy today, where we have cyber incident response as part of the service that’s standing by 24/7 when a client is breached, or activates the insurance policy, similarly, these fire insurance companies had these fire incident responders on standby. Over a couple of decades, the insurance companies discovered it was most cost effective to support one large private fire brigade.
And eventually the government of England realized we should nationalize the service for our citizens, and did so, and now every developed country in the world enjoys democratized emergency firefighting services. We believe at BlackPanda that the same phenomenon is happening again 400 years later in the digital space, and we’re seeking to get ahead of it, to mimic the natural model that we need to provide this type of resiliency service in the digital space to the market.
Michael Waitze 7:20
So this is, I mean, I love analogies. And this is a killer analogy. There’s so much to unpack, right. So much to unpack here. So work with me on this bit by bit. Do we need a seminal event? Right? Do we need the London fire? We’re not asking for it. Nobody wants it. Nobody wanted that fire either, right. But the idea that people can look around and look in the ashes and just say, we can’t have this happen again. We’ve had a lot of different events, whether it was the hacking of Mt. Gox, or all these other things that you and I actually talked about on the last episode, and that people have heard of, where there have been data breaches. What needs to happen for people to look around and say, okay, this thing’s really burning, or do we not need a seminal event? That’s the first thing, and then there are some other things to follow on this, ready?
Gene Yu 8:03
I actually, I do believe that, for the entire world to truly wake up to this, there needs to be what I call a cyber 9/11 type of event, okay. You know, we talked about analogies. I’m always looking at the physical safety and security world, and what models have been proven out there, because I believe they just need to be mimicked in a similar fashion in the digital world, for cybersecurity. And almost all major emergency services or physical safety and security products and services have emerged from major events. Unfortunately, as you know, we’re not able to galvanize enough resources or support for a theoretical event. I mean, think about that, we can talk about the pandemic and Bill Gates out there. Right, how long is that drum? Yeah,
Michael Waitze 8:48
look, the one thing I cannot forget from our previous conversation was this idea that, like, the war hasn’t changed. It’s just the surface on which the war is being fought, or the battle is being fought, has changed, right. So this idea of surfaces and the changing surface is really interesting to me. And I can’t stop thinking about it, actually, when I talk to other people about risk. I do think about this transfer from the physical world, which you talked about so nicely, into the digital world, which we kind of, it’s still developing, right? But if you go back to this London analogy, the insurance companies decided to sort of build out these little local fire response places, right, before they then consolidated into one big one. We can skip one of these steps, right? But in the digital world, when you envision this, how do you solve that proximity problem, with the idea of, like, how do you put a digital firehouse in every neighborhood? You know, metaphorically, right? Because sure, if something happens to me, let’s just say you’re in Hong Kong and I need services. I’m in Hong Kong, I need to call you. But how do you get it for everybody in the world? Because the big problem with cyber, in a way, is like a fire, right? If my house burns down, bad for me, but if my house burns down and it’s connected to your house, well, then the whole neighborhood goes down, right? So all these little things. How do you get that local firehouse digitally?
Gene Yu 10:03
Yeah, exactly. So right now, the way that cybersecurity incident response is delivered, in what we call the traditional model, is just the consulting retainer model that you see lawyers and consultants use. Yeah. And so from that perspective, right, they can only be paid after the work is done. And then, simply, it’s an hourly billing model, right. So this again, the analogy of where firefighting came out of, from the insurance industry, is very, very applicable here. Because we need an upfront recurring revenue stream, in order to finance a larger incident response force that can actually serve like that local firefighter house, across many folk. So similarly, how we enjoy democratized firefighting services, which again came from the insurance industry. But when you think about just its current form, we all pay tax, and a little bit of that tax goes into the kitty that the government uses to pay for the unfortunate few that a fire actually breaks out on. Okay, we’re all covering down for that risk and diversifying out the burden. The same thing essentially is occurring in insurance. And so to answer your question, on the nose, this is why we’re moving towards combining the solutions of a cybersecurity incident response company with insurance, right? We need that recurring revenue stream upfront to finance a large enough incident response force that can actually be on call in service to the mass market at an affordable price as well for all, right, particularly SMEs, where we’re focused: 50 million US dollars and below in revenue.
Michael Waitze 11:39
So how does that work? Right, so let’s say I sign up. Let’s say we work together. I’m presuming it’s with pentamatic, or some other affiliated company with what you’re writing and underwriting insurance. So I get protection. But what about for the people that aren’t necessarily covered yet, right? Because if the analogy works, right, somehow, I may not have fire insurance, but the fire people still come to my house to put out the fire, kind of thing, right? Once they know what happens. Now, for sure, before it happens, I can pay for the insurance. And in this case, I can pay for protection beforehand, right? So that there’s a constant surveillance of my property per se, digital or otherwise. And you’re just building a ring around it. And it’s the same thing. Look, we did this with our house. When we built it, we put a sign up here that said, we’ve got security. So good luck trying to get in. And it was really more of a deterrent. I mean, it worked like a charm. But at some point, it’s a huge deterrent, like, why am I going to try to break into this thing when the house next door has no lock, kind of thing? Right? So how does all this work logistically?
Gene Yu 12:41
So what we did was, thank you for that. The insight that we had as well is that you don’t need fire insurance for firefighters to show up. Right, right. So there’s some solution already existing in the physical world that is already financing the thousands of firefighters that most of us enjoy in a country or a large city. So what we did was, at BlackPanda, which is not an insurance entity, we packaged together a new product that we call Incident Response One, or IR One, which functions in structure looking like a cyber insurance policy, but only has the incident response service. Go ahead. So, meaning, roughly, with our channel partners we face the market at a very affordable price, less than 1000 US dollars a year, okay. And we’ll be on standby for a full cybersecurity incident response case 24/7 for you, okay, which is usually in the cost of 40 to 50,000 US dollars when we get called out of the blue. So now, if we’re able to distribute these in volume, essentially, that’s like all these SMEs paying tax to the government to go into the kitty for the unfortunate few when one of them actually suffers a cyber attack. And now they have a fixed cost in their operating budget, less than 1000 bucks a year, that they can count on for top tier cyber incident response from, like, BlackPanda to show up immediately upon the breach and then put out the fire and then do the arson investigation. Right.
Michael Waitze 14:11
Yeah, I mean, again, so many questions here. How can it be so inexpensive, right? Because you said if we have to go in afterwards, it’s way more expensive. And there may be a lot more to do because there may be more damage, right? So I get it, but how can it be so inexpensive? Because I’m sitting here thinking, shouldn’t I do this kind of thing? Anyway, go ahead.
Gene Yu 14:30
Yeah, sure. So that’s exactly what the insurance game is, right? Is that essentially the premiums come down to a very affordable price, but you need to have high volume of these. And also we need to manage, somehow manage, or very, very accurately predict the activation rate. Okay? That’s what everybody’s chasing also in the cyber insurance game: what is the actual activation rate, or the risk of cyber attack, based off of XYZ data, XYZ conditions. And what is so critical for cybersecurity, and this is part of our SaaS platform, the IR One portal, which we term incident response as a service, provides a perimeter risk, and for example, to show you at no cost, what are your open ports that would allow an attacker to come straight through and own your network. That doesn’t mean that you’re fully protected, it’s just that we’ve reduced one of the most obvious low level types of attacks that could come in for an SME, and thus lowered our activation rate. Right. So, cheap price point. One is that from a volume perspective, just like insurance, we’re going to accumulate enough of these clients. We do have plenty in the reserves as dry powder, so to speak, to respond, ideally to less than maxing out the amount of revenue we took in upfront, right. It’s the insurance game, we get paid up front, and we do everything we can to mitigate the risk, to try to keep as much of it as we can, right. And so in this way, we look at this as, again, just mimicking the insurance model, the firefighting model of tax revenue, to provide this service, and mass distribution. So much of our resources go into the technology development of the SaaS platform to help mitigate risk on the client, as well as collecting the cyber risk data to help us ensure that our activation rate is appropriate, right?
Michael Waitze 16:27
If you sign up 1000 people to use the service, then you get 1000 sources of data for what could potentially go wrong. If you get a million people to do the IR One, well, then you get a million sources of data. It’s not pieces of data, it’s way more than that. So then you can get a way much better understanding about where the risks are in the market at scale. And I can see it being broken down by city, by country, by, you know, by timezone, whatever it is. You can then better build tools to protect against the types of things, but also to, what’s the right word, advise people: if you’re going to set this type of thing up, make sure you don’t do this, or that you do do this kind of thing, because that’s what everybody does. Are you doing that as well?
Gene Yu 17:08
Correct. So part of our IR One portal is, once the client onboards and registers their token, they have access to all sorts of cybersecurity instructionals, right. For example, we start out with basic things like, hey, make sure you have complex passwords, turn on your multifactor authentication, you know, in fact, this is exactly how you do it, right. And the reason why we’re telling you this is not because we’re here to upsell you services. Yeah, we are in the foxhole with you, we are negatively incentivized to protect you, right. And we don’t want to see you breached, because we lose money, and because we have to show up and respond to the breach. So in that sense, I just wanted to make a comment there, is that our advice usually is very, very well received, because they realize that we’re not incentivized to upsell anything. We’re trying to actually protect you because we’re entirely aligned with you. Yeah, I mean, the more protected they are, the better off you are. Exactly, exactly. And as we’re collecting this information, and they’re helping us understand their security risk environment, exactly what you said, we’re collecting large amounts of data, and seeing the patterns now in the market, between markets, industry sectors, of what is the actual cyber risk that they’re facing, right, which is a treasure trove of data that’s coming back into our machine learning data lakehouse that we’re churning and assessing the risk, and eventually putting a price on it. Right,
Michael Waitze 18:29
right. I’m just, you can see my brain working really hard trying to understand what the impact of gathering all this data is, right? In other words, what the value of that data is, at some level, because at some point, as you really understand where the cyber risk is in the market at scale, the stuff you can do, it’s almost like preventive medicine. Right? The stuff you can do from a preventive standpoint is probably even more important than the stuff you can do post facto. Is that fair?
Gene Yu 18:56
Yes. Absolutely. One of the things that we’ve learned as well, in our research, particularly looking at the cyber insurance and cybersecurity InsurTech industries, yeah, is that the most valuable data to predict cyber attack is not in the predictive analytics, like scanning the perimeter, looking at, you know, theoretical vulnerability gaps and penetration tests and red teaming. It’s in the claims data, right? It’s in the, oh, you actually got breached, and you actually suffered an attack? What does the security risk data look like in that scenario? How much did it cost us after the reality? Right? One of my analogies here, too, is we think about trying to solve, trying to reduce the homicide rate in a city. We don’t go look at the lighting outside of the houses and look at the alarm systems. We do forensics on the body. We do crime scene investigation. We go to that data to figure out how the actual murder occurred, and to look for the pattern recognition that is there in the investigation, and devise ways to thwart those types of attacks. So the forensics is the most important data. But if you’re not there for every single time that they’re breached, you’re not able to take the forensics data, or eventually the claims data as you would in the insurance world, and marry it up with all the other theoretical data. And that, to me, is the big missing piece, again, coming across from the physical space. And just pointing out, this doesn’t look like the other side. And I wonder if there’s some advantage to be taken here to model that out. So IR One fundamentally is allowing us also to acquire a tremendous amount of claims data and to see all the breaches as well, at a very low cost to us, because it’s already a sunk cost, right? We already have the incident responders on standby. It’s a service, right? I’m not paying out, we’re not paying out cash in indemnity like an insurance company here. So the risk is tremendously lower.
Michael Waitze 20:52
If you believe really strongly that, like, a police investigator needs to be there, and the forensic investigator needs to be there in the physical world, and just because the surface has changed to the digital world, if those people or those skills don’t exist, you may as well just be in the dark and just be guessing why the crime or how the crime occurred. I guess once you explain that to investors, does the light go off? Do you know what I mean? Like, go on in their head, like, now I kind of get it? And do they also understand, because I’m really curious what these conversations are like with investors, I want to get back to that in a second, and how things change when you raise a significant amount of money. But when you explain this to them, that there needs to be this investigation, and that it’s different than the indemnity that is being built into an insurance, but that the model is the same, right? So we’re not writing insurance policies. But we’re building a business that looks like the insurance industry, because we take upfront money for then follow on protection. Once you explain that, are people like, oh, I get this now. I got it. I got it. That kind of thing. You know what I mean?
Gene Yu 21:52
Yeah, absolutely. Because I think at the beginning of speaking about the investor conversation, it was easier to come in and just say things like, hey, we’re the Coalition of Asia, right? The $5 billion leader in the space of the cybersecurity InsurTech underwriting world, or MGA world. That was an easier understanding for investors, to look at an apples to apples track record and success story for all those companies that have exploded in the US in the last couple of years. One of the reasons why we landed on this model for a Series A is because we’ve bounced off the market, given that the cyber insurance industry here in Asia is still in its nascent stage. Right, right. And so there’s an aspect of there’s no market to sell into. But that didn’t mean that this is a problem that doesn’t need to be solved, right. That’s the part that let me keep on hanging in here. Because I know that this is inevitable, right. And in fact, it’s not even inevitable. It’s just already here. And we’re just not addressing it. And the market’s still waking up to it here in Asia. You realize that, in necessity, that while the market for cyber insurance is very small, it’s, I’d estimate, and these are just estimates from our engagement in the industry, estimated to be maybe 100 to 150 million dollars gross written premiums across Asia, which is just a drop in the bucket to the $10 billion market it is globally, and it is growing as fast, you know, close to 40% a year, I would say. But what’s not small is the $30 billion cybersecurity industry in Asia. Right, right. And it is in place right now where there’s space for specialized cybersecurity incident response companies to come in and provide that service. And so that industry is ready and understands the value of the service. And when you break it down to something as inexpensive as I just mentioned, then for investors as well, they see that as a bit of a no-brainer value proposition.
Michael Waitze 23:45
Yeah. And to be fair, there are tons of different types of innovation. Business model innovation is one of them. And if you can, it doesn’t always have to be changing the technology, right? Changing the business model and applying existing technology, or just more advanced tech, to something is another way to innovate. But the other thing that it does, and again, tell me where I’m wrong, is that as the market for insurance for cyber matures in Southeast Asia or in Asia as a whole, from what you say, 150 million of gross written premiums to $10 billion, you’re there waiting to take advantage of that as well. And you’ve already built the distribution mechanism into the people that are gonna need it the most, and they trust you already, too. So to Jay.
Gene Yu 24:24
Correct. You got it, Michael. So we’ll have all the, in theory, we will have the data, right, to actually price correctly, and we can sell that data to the insurance industry. Obviously, you know, with our partnership with pentamatic underwriting, we’ll be referring over clients, you know, with the actual correct insurance price based off the data we’ve collected, you know, all that, right. So you can see as well, it’s a faster way to get out there too, because not only does the IR One address the issue of the cyber insurance market being too small currently, but also, it circumvents the need to follow insurance regulation, because it’s not an insurance product, and thus is no longer regulated. It doesn’t need licenses and accreditations in every single market here in Asia, our fragmented kind of region here, which is a huge, heavy lift in terms of paperwork, and also doesn’t require a third party broker to sell. So now IR One can access different channels without introducing the friction of a third party broker. But actually, we’re even engaging in the insurance industry, because brokers are interested to package IR One and attach it into non-cybersecurity insurance products, right, to add that layer of cyber resiliency. So it becomes incredibly portable and agile, things that we did not even consider when we first thought of this, because it was more of a strategy initially of trying to provide some type of half step to cyber insurance, to show the client, hey, if you buy this IR One, you essentially have half of an insurance product. All you need to do is answer a couple more questions, basically. And then we’ll give you a price quote with our partners through kinematics underwriting, and you can have the whole thing and indemnity. So that was actually our first idea.
But now we’re seeing, and we can wrap IR One around anything, right, to get to the client. We have hardware channel partners engaging us, because they want to wrap IR One around, like, a firewall solution or router or something, yeah, or routers, or we’ve engaged with a channel that’s selling Smart Home IoT products. We can do IoT incident response, you know, as a way to access the client and protect the entire network. So it’s interesting, because one of the aspects I’ve discovered as an outsider to insurance is that, as extremely necessary as it is, because it can do the financial indemnity risk and all sorts of things that come with insurance, the regulated nature of it doesn’t make it difficult sometimes for the models to get the distribution, with all the different kinds of stakeholders that have to get involved. And so again, IR One is now something that eventually we hope to sell direct, even through our SaaS platform, after the market, once we’ve acquired enough data to be very comfortable about the pricing, etc. So initially, we’re going through large channels, like we’ve signed with MyRepublic, backed by StarHub, we’ve signed Singtel. You know, we’re moving along at a big clip here with a lot of demand signal. We’re very excited about having revealed this, and it’s something, like I said, we stumbled upon a bit, just bouncing off of that necessity from the cyber insurance market.
Michael Waitze 27:34
That is a killer way to end. I’m gonna let you go. We’re gonna have to have you back on again, as you continue to grow, and I want to hear what the follow ups are. And maybe we need to get Struan Todd back on to talk about the other side of this thing as well, which we’re super happy to do. Gene Yu, the CEO of BlackPanda. Really, thanks again for coming back. I look forward to having you back on again.
Gene Yu 27:53
Thank you, Michael. Thanks for having me again.