Rotem Iram has been pioneering what’s next in business insurance. His startup has already raised nearly $100M from top-tier investors like Qumra Capital, Shlomo Kramer, Munich Re Ventures, and Lightspeed Venture Partners.
In this episode, you will learn:
- Specific email and software threats to your business
- Raising back to back Series B and C rounds in a pandemic
- What investors want at each stage of fundraising
For a winning deck, take a look at the pitch deck template created by Silicon Valley legend, Peter Thiel (see it here) that I recently covered. Thiel was the first angel investor in Facebook with a $500K check that turned into more than $1 billion in cash.
The Ultimate Guide To Pitch Decks
Remember to unlock for free the pitch deck template that is being used by founders around the world to raise millions below.
About Rotem Iram:
Rotem Iram is the Founder and CEO of cyber insurance company At-Bay.
With nearly two decades of security and engineering experience, Rotem Iram previously served as a Managing Director and COO in the Cyber Security practice of K2 Intelligence, a leading global risk management firm, focusing on cyber intelligence, cyber defense strategy, and incident response.
Rotem Iram began his career as a Captain in Israel’s elite Intelligence Unit 8200, and also served as a consultant for McKinsey & Company. Rotem holds a bachelor’s degree in Computer Engineering from the Hebrew University, as well as an MBA from Harvard Business School.
Connect with Rotem Iram:
* * *
FULL TRANSCRIPTION OF THE INTERVIEW:
Alejandro: Alrighty. Hello everyone, and welcome to the DealMakers show. Today we’re going to be talking a lot about cybersecurity attacks and definitely the journey of building, financing, and scaling a business. So without further ado, let’s welcome our Rotem Iram today. Rotem Iram, welcome to the show.
Rotem Iram: Hi. Thank you for having me.
Alejandro: Born and raised in Israel. How was life growing up in Israel, Rotem?
Rotem Iram: You know, it’s interesting. I’m right at the bridge between Gen X and Millennials, so I had an analog childhood and a digital adolescence, I guess. Growing up in Israel in the ‘80s was still a third-world country in many ways, but when I was 18 or 20, Israel was already a booming high-tech, very digital place. They have a good perspective on that. It was fun and a normal childhood in Israeli terms, for sure.
Alejandro: Israel, at the end of the day, if you were to compare it with the U.S., probably not that big. But why such a small country like that, if you put it in comparison with the U.S., has such an entrepreneurial drive. There are so many entrepreneurs coming out of Israel. Why is that?
Rotem Iram: I think there are definitely things around the ecosystem where the Israeli education is very much entrepreneurial in its spirit, and you can see it everywhere in terms of making your own success and your own luck. I think we have less respect for established systems. For good or bad, it’s not necessarily better for running larger systems or even a government, but I think that people take a lot of ownership and feel like anything is possible. I think the ethos of the country was to build something out of nothing, and it translates into the business environment. But I will also say that the fact that everybody goes into the military means that you build very strong networks very early on, and the military, especially when it comes to cybersecurity, is probably one of the most advanced places that you can be in. So you get to be on the cutting edge of technology, and at the same time, build strong networks with incredible people that were handpicked to be running and building those systems and technologies next to you. So when you come out, you have an edge. Definitely, when it comes to security, you have the team ready, and then very quickly, VCs came over. Israel is the only place outside the U.S. now, with the exception of India and China that all the big firms have had a local presence, LightSpeed and Greylock and Bessemer, and Sequoia all have offices in Israel, and that just continued to put the right fuel into the fire. With the success stories, more people became interested. The American dream is different in Israel. The Israeli dream is to build a company and sell it to the Americans. That’s where I grew up.
Alejandro: That’s amazing. In your case, you definitely follow that direction of building strong networks. You joined the army at 18, and you were there for five years. You alluded to it a couple of times: strong networks. Can you give us more insight into what that is and what that looks like?
Rotem Iram: Yeah. For better or worse, we can talk about whether socially we think that is right for the country. But when I was 18, I was fortunate to be selected to the leadership program in the Israel Intelligence Technology unit. Basically, the military has the ability to pick anyone from the entire country. I ended up with my closest friends, people that I spent the next five years with, sleeping one bed next to another and the same spending 24 hours a day together for five years. They were some of the smartest people I’ve ever met, and they have pushed me more than I could have ever pushed myself, and they went on to do incredible things themselves, whether in technology or in business. It’s an experience that is hard to replicate even in top, private universities here in the U.S. You don’t get the same amount of – it’s not just building a network. It’s building deep friendships in a massive cohort of really exceptional people that you can tap into.
Alejandro: After you got out of the army, after five years, you decided to go into consulting with McKinsey. At this point, you already had that engineering background with you. In engineering, at the end of the day, it’s all about resolving problems. Consulting is pretty much the same thing, but with a different twist. In your case, how would you say that your experience in the consulting side really shaped up a little bit more the way that you go into problems and with the mindset of breaking them down into smaller problems?
Rotem Iram: I was always fascinated by solving problems. Even from a young age, my dad was an engineer. Even when I was ten years old and telling my dad that I wanted to build an underground secret headquarters, it immediately turned into a conversation about how many trucks would you need to bring in to take out all the dirt? So, you’ve got to calculate the volume, and how much volume per truck, and how much is it going to weigh? How are you going to lift it? I got the McKinsey bootcamp at home from a very early age. I initially applied my problem-solving passions into engineering because I’ve always been passionate about security and about technology, in general. But I found that I was a lot less excited about engineering problems than I was about larger business problems. I was an okay engineer, but I was a much better and more passionate McKinsey consultant because McKinsey was all about coming into a new space if you knew nothing about ramping up quickly and trying to figure out and asking deep questions and using insights to turn businesses around and create new opportunities. It was an incredible opportunity for me because not only working with great people and difficult problems but also the training around structured thinking and structured problem-solving and the basics of how to communicate. It was a great school for that. That passion – I always saw McKinsey as a great school, but then I wanted to apply it back into the world of technology because, at the end of the day, my personality is not the best fit for being in professional services. I would much rather own and run a team or a business than be consulting somebody who does. After business school, I was looking for more entrepreneurial ways for me to take ownership over problems.
Alejandro: Here, you seem that you were happy doing what you were doing at McKinsey, so what prompted you to go to business school?
Rotem Iram: First of all, a lot of times, I hear entrepreneurs say that everything was figured out and everything was planned. That was not necessarily the case for me. I played a lot of basketball growing up, and there’s a term in basketball called offensive awareness, and this is, do you know what is going on and where you are and what are the opportunities? I think that earlier on in my career, I had a low awareness. The path in McKinsey is you’ve got to go to business school if you want to advance. “All right. I’ll do that. What are the best business schools?” So, I applied to those and was fortunate to be accepted at Harvard. Once I was there, they opened up my world view even more. I think the two things that Harvard does really well in the business school is they make you believe that you can do almost anything. They recalibrate your ambition and your confidence, and they open you up to a bunch of opportunities that you just never considered were available. Even though going into business school, I was sure I was going to go back to McKinsey. By the time I left business school, I was sure I was not. I was going to embark on a more entrepreneurial journey.
Alejandro: What do you think was that event that opened your eyes, and you were like, “No, I’m going to go the entrepreneurial route?
Rotem Iram: By the time I was in business school, I felt like I was already a really good analyst. When it came to crunching numbers and running models on an Excel, you can always get a little bit better, but I was already really, really good at it, I felt. And I felt that my next jump as a person and as a business leader would not come by becoming a slightly better analyst. It came from being able to harness storytelling because one of the things I realized is, as you go up in seniority, the ability to tell compelling stories becomes a lot more important than just being able to run an accurate analysis. I felt that McKinsey was not going to be a place where I learned how to do that. McKinsey would be a little bit more of the same. What attracted me as I moved on to the next in my career was what is a place where I would get to be the one trying to sell an idea, sell a story, have a chance to interact with high-level decision-makers who do not necessarily have the time or the patience to go through a detailed analysis? How do you make a lasting impression in two minutes or five minutes? How do you get somebody to believe in you and trust you? That led me to my next opportunity at K2. On the one hand, it was an established startup built by a very credible and established entrepreneur, Jules Kroll, who previously built Kroll and sold it to Marsh for about $4 billion, I think, around 2006. But on the other hand, they were asking me to build something that they didn’t know how to build themselves, which was a cybersecurity practice because this was a new domain of risk for them. They put me in front of their clients at their network to try and sell something completely new that I own. That was, to me, a great experience where I learned a lot and honed skillsets that I previously didn’t have as much focus on.
Alejandro: I think that’s a very interesting point that you bring up because working with someone like Jules that had done it before, and now, he was doing it again, I’m sure that being able to work with him and see the way that he’s analyzing things, the way that he’s looking at building and scaling, I’m sure that also shaped up a little bit more your mindset toward that direction that it seems you had already decided in Harvard, which was to build your own. How was that experience with Jules? What were your biggest takeaways and your biggest lessons from working with him?
Rotem Iram: First of all, Jules and Jeremy, founders of K2, were amazing to work with. They taught me a lot about building a value-driven organization and the value of relationships. I think that it was a trial by fire because they put me in front of, very early on – I was still pretty young in my career, but I got the chance to be the one presenting to and talking to very senior CEOs of Fortune 50 companies or people with significant influence. I had to be able to carry a conversation and get the other party excited about what we were doing. I played a meaningful role in the investment that AIG had in our company that was around cyber insurance, which I knew nothing about at the time. But AIG was starting to look more seriously into cyber insurance, and the premise was that through a partnership and an investment in K2, we would be able to better select and price risk in cyber insurance. That was a really interesting experience that got me to realize that there’s a huge opportunity here and then led to me going on my own journey with At-Bay.
Alejandro: Let’s talk about that. At what point does the idea of At-Bay come knocking to you, and you make the decision to bring it to life. What was that process like?
Rotem Iram: Initially, as early as 2014, I sent Roman, one of my co-founders, an email. Roman and I met at McKinsey, and we both went to Harvard Business School together. He was doing his own thing in London, working for a fintech company. I wrote him an email in 2014 and said, “I think there’s something in this cyber insurance thing.” But we were both too busy with our own jobs to do anything about it. It’s not until I left K2; I didn’t know exactly what I wanted to do, but I was pretty convinced. I thought cyber insurance would be an interesting opportunity, but I was looking at a few other opportunities. I had an investor from a large VC firm approach me. She said, “Look. I think cyber insurance is a real thing, and I think you could be a really good CEO.” She pushed the first domino, and we built a team together, and we went on to start the company. Even though I always felt an entrepreneurial path would be something I’d be good at, I wasn’t necessarily actively pursuing it. There are people who are entrepreneurial in spirit and would seek an opportunity until they find one. McKinsey is the farthest away from a startup, as you can imagine. I can’t say that it was always in my stars. I think what had happened was I found myself in a unique position where I was early to identify a big problem and was credible at doing it and got the push and the support of others who believed that we could do it. Then we got started. I don’t think I’m your typical entrepreneur story. For folks who are not deep into technology, it’s not common to identify a really big opportunity where you are very credible to solve it early on. But once I realized that was the case. Very early on, investors were giving us credible term sheets. We had almost nothing. We had a 15-page deck and had done no work besides some research, and we’re already getting some really good term sheets. I was like, “All right. This is actually real, and this opportunity may not come again,” so I jumped on it and haven’t looked back since.
Alejandro: What’s the business model of At-Bay so that the people listening really understand it?
Rotem Iram: At-Bay is a cyber insurance company. We provide insurance to companies against damages from a cyber attack or any disruption to their computer system. It’s already an established line of insurance. It’s new and growing, but when we started, there were close to a billion dollars in premiums already in this space. But what I found is that the traditional insurance company is at odds with this type of risk. Cyber risk is incredibly dynamic where the insurance company typically looks at risks that are very static, meaning you can leverage what you learn about the risk last year to project how it’s going to perform next year. The classic example is, California is more likely to have an earthquake next year than New York because the underlying reason for an earthquake is pretty static. It’s where faults in tectonic plates are, and those don’t move around much and definitely not often. It’s likely to think that California will continue to have more earthquakes than New York. The same thing goes with young drivers are worse than more experienced drivers, and it has to do with a bunch of factors, including their experience and probably the temperament of younger people. That is probably now going to change next year. But cyber changes all the time. It really doesn’t matter how the risk did last year. We started At-Bay with two core hypotheses around cyber risk. 1) You can learn a lot by scanning and running a technical analysis on the security of a company, which is something insurance companies just didn’t know how to do. What we do at At-Bay is we conduct a penetration test, which is like taking the vantage point of an attacker and trying to identify holes in the systems of our insurance that are so easy to find, even a mediocre attacker would be able to take advantage of it. To put it in other words, it’s lucky this company hasn’t been breached yet. We stay away from those risks or help companies solve them before we provide them insurance. 2) The second, more important principle around At-Bay is active risk management. It means that even if a company is really good and has good security when you provide it with insurance. Insurance is a year-long contract, and a lot of things can happen in cybersecurity in a year. Oftentimes, it is not the fault of the company. You’re running, let’s say, Apache struts servers, and those are great until there’s a critical vulnerability in their current version, and attackers are going to exploit it. If something like this happens in the middle of a policy period, and it happens all the time, we identify which companies in our portfolio have now huge vulnerabilities, and we help them fix those before an attacker exploits those vulnerabilities. That was the thesis of At-Bay. We believe that combining a technical analysis and a pro-active risk-management approach allows us to dramatically lower the risk of our portfolio so that we can offer better products, better coverage with lower prices, and to do that well, you need to get an insurance company. That’s what we set out to build.
Alejandro: How much capital have you guys raised to date for At-Bay?
Rotem Iram: We raised $91 million in four rounds. The end of 2016 was our seed round. That was about $3.5 million. In 2020, we raised $70 million in B and C rounds that were nine months apart from each other.
Alejandro: That’s interesting because, typically, when you’re raising capital, it’s in-between at least 18 to 24 months, so what happened there?
Rotem Iram: A combination of two things. One was that incredible growth to the business. In the last two years, we’ve grown more than 60x; 10x in 2019; another 6x in 2020, so really strong growth propelled investors to recognize that we were building something special. The other one was, we executed on the Series C a lot earlier than what you would normally do because coming into Q4 on 2020, we still didn’t know who was going to be president of the U.S. Coming November, we still didn’t know if the other shoe was not going to drop when it comes to the economy and the longer-term impacts of COVID. Even though we had $30 million in cash in the bank, we felt that given how much we have grown in just eight months, we can already have significant increase to our valuation, more than 3x valuation in eight months, and bring in an extra $30 million. So we didn’t go for a big Series C because we didn’t feel that we needed it, but an extra $35 million in Q4 helped us make sure that even if 2021 becomes a really bad year from a fundraising perspective, we would be well-capitalized to continue to take advantage of our opportunity.
Alejandro: In your case, there’s something interesting that you did here. When you closed the seed round, you actually asked your investors what were some of their requirements to get through this Series A. This is something that people don’t typically do. They just raise the money, and then they think it’s time to celebrate. In this case, you were really mindful of the fact that raising money is just a stepping stone; it’s not a milestone. So how was that, and what kind of response did you get from them?
Rotem Iram: Especially earlier on, once you hit Series B and Series C, it becomes a much clearer story around KPIs. What does your sale look like? What is the efficiency of some of the metrics around cost of acquisition, lifetime value, showing that you have a scalable go-to-market model? But earlier on, definitely Series Seed and Series A, the actual milestones are a lot murkier. I think that originally when we raised our Series Seed, we were very fortunate to be early in a new segment of fintech, which is in insurtech. We were probably not the first insurance companies: Lemonade, Hippo, and Root are 2015. We were late to 2016, but it’s still early days in insurtech. I think the bar on investing was a lot lower than it is now. For a lot of companies, even for a proper seed round, you sometimes need to already have some customers, and definitely for an A round. But the fact that we were even going after this space was enough to secure seed financing, and I wanted to make sure that I knew what we needed to build because when you pitch for funding, how are you going to spend your money? What’s the plan? The plan is to hit a milestone that you think will take you to the next phase of the company. What I didn’t anticipate is – first, it’s really hard. Even when you ask people, “What do you need?” They don’t give you the right answer. The only real answer is when they either write a check or don’t write a check. It’s the same thing with a sale. When you go and ask a customer, “Would you be interested in buying this?” Sometimes, they might say, “Yeah, because they’re trying to be nice, and they’re trying to be encouraging. But when you actually ask them to take money out of their wallet and pay for something, that’s when you get the real answer. The same thing is with investors in a Series A. We asked our investors, “What do you need to see?” They said, “If you can build the insurance vehicle so that you can actually launch an insurance product, that would be a major milestone and one where you can raise a Series A. That’s what we did. We went on our Series A fundraising, and the first 15 firms, all on Sand Hill Road, all said, “It’s amazing what you’re working on, but we need to see six months of sales before we can say yes or no because we need to see some validation from customers, which in retrospect, kind of makes sense. I probably shouldn’t have been surprised, but at that point in time, we were late into our journey. We didn’t have a ton of cash left on our balance sheet or on our book. That was actually maybe one of the most hair-raising moments for us as a company because of the risk of now going to market with a product that I have no idea how it’s going to perform. If the performance is great, then you get a great Series A, but if the performance is bad, you won’t have the time to fix it and change it because, in insurance, any fixes to the product take 6, 9, 12 months. So that was a scary moment for us. Fortunately for us, we found an investor, Keith Rabois. He was at Khosla at the time. Now, he’s at Founders Fund. Keith was actively searching for a team to build a cyber insurance business. When we came to Keith, he was like, “I’m ready to go. I was looking for a team, and you guys have already made a year-and-a-half of progress.” He led our Series A. But in retrospect, I should not have banked on having somebody that was already primed for what we were doing. Again, that is especially true if you’re going into a space where most investors are not yet familiar with and not yet comfortable with. For a lot of investors, what we did sounded appealing, but to a sponsor and to lead an investment in an insurance company was still very foreign to most of them.
Alejandro: That’s very interesting. In this case, especially with what you guys are doing at At-Bay, I’m sure you have seen some crazy stories and crazy attacks. Maybe there’s a story you can share with our audience, and I think it will also be interesting for our audience to hear your recommendation on how they should be focusing their needs around cybersecurity.
Rotem Iram: Yeah. What attracted me about insurance is that I feel that an insurance company has a better shot at figuring out what matters in security than a security company for only one reason. We’re not smarter or know more about security than security companies, but we are the ones who pay again, and again, and again. We are the ones who need to make decisions in underwriting about what matters in security, and if we get it wrong, we will be the ones to die. So, we have the incentive to get it right. We have the capability to collect all the data that is needed, and when we do find something, we have the credibility to actually force credibility and the tools to force customers to comply. When we tell customers that a stern configuration is very risky, and we will not provide them with insurance unless they fix it, they tend to listen to us, which puts us in a really great position to impact and soon enough to standardize security in the mid-market. We’re on a phone call, so I can only imagine that you probably have a smoke alarm system somewhere in your apartment. I think it’s there, probably not because you are extremely passionate about smoke alarm technology or the brand of the specific company, but rather because the insurance company forces you to have one. I think that same dynamic translates into cybersecurity. What we’re seeing by supporting every day is very different than what gets talked about in security circles. In security circles, you talk about things that are exciting, like a Chinese military APT attack or an advanced attack against an organization leveraging sophisticated technology. But what you see on the ground every day are very simple attacks. Let me give you an example of one of the more frustrating types of attacks that we’re seeing all the time. We have a customer. Their name starts with the letters Com, and I don’t want to disclose the company, but it starts with the letters Com. Somebody, an attacker, registered a domain that started with the words Corn, and if you put r and n next to each other, they look very much like an m, and the rest of the name, the name of the company. When you look at it at a glance, it seems like it’s the domain name of the company, but it’s actually instead of an m, there’s a r and an n. They registered this new account, and two hours later, they sent an email to the financial controller of the company masquerading as the CEO saying, “I need you to immediately send $640,000 to this account right here. It’s for one of our biggest vendors. They sent it – $640,000. They lose it, and we have to pay for it. I’ve got to tell you; it’s incredibly frustrating how simple and non-sophisticated that attack was and how devastating it is for a small business and to their insurance company, but more so to a small business when they suffer an attack like that. Email is probably one of the worst technologies that we are using today in terms of how easy it is to manipulate it and how difficult it is to keep it secure. We make some of the most important decisions over email. We send some of the most sensitive information, and we approve wire transfers of millions of dollars, all on email, which is almost the equivalent of putting money in a box and putting it on the side of the street and saying, “Please don’t touch. This is money for my friend,” and hoping nobody touches it. It’s as ridiculous as this. That’s something we put a lot of emphasis on with our insurance in making sure that they have the right configurations around email security and the right security devices. I can tell you that a lot can be done without spending money. Whether you’re using Microsoft Office or Google for your email, there are a lot of configurations that are turned off by default, and if you turned them on, you immediately become much safer from an attack. We help customers realize those opportunities exist and try to help them become safer.
Alejandro: That’s interesting. In this case, Rotem, imagine that the vision of At-Bay is fully realized one day. What is that day when you wake up look like?
Rotem Iram: I think every part of every business is becoming driven and dependent on technology. Technology becomes the biggest risk to the business. I think At-Bay is building the core competency of understanding the relationship between technology and risk to the business, which will allow us to become the next generation of commercial insurance, which I think today is within cyber insurance, but I think that at some point, every piece of the risk to a business has a meaningful technology element in it, and At-Bay would be in a great position to become a more competitive and more insightful partner, to be honest. Then, leveraging our knowledge and our understanding to help standardize and answer some of the most important questions in cybersecurity. One of them is, what should I be using? How much should I be paying? Which type of technology makes sense for my business? What are the risk tradeoffs that I’m making by choosing configuration A or configuration B? But also, and maybe even more importantly, is providing accountability and feedback to the software vendors themselves who are essentially creating software that is full of holes and have, today, no reason to fix it. This is a much bigger topic that I’m not sure we can get into today, but at the end of the day, you, as a company, are purchasing or licensing software from vendors, and because of either mistakes or lack of attention, that software is full of holes that attackers can exploit, and the software vendors have absolutely no liability on the outcome of how attackers exploit those holes. It’s the equivalent of you walking into your car and realizing while you’re driving that the brake system isn’t working, only to find out that the software company that built the brakes issued on their blog post a note that says that they now have a critical vulnerability and you need to download a patch yourself and fix it. They’re not going to recall the car. They’re not going to make sure you know about it. There’s no regulator to force them to do anything about it. You just need to read their blog. But instead of having one manufacturer for your car, you have a car with 500 different parts from 500 different manufactures. Now, you have a small business, and now, if you want to drive a car, you need to have a full-time person staying up-to-date with all these issues. I think that’s not the right balance for where we are as an ecosystem and one that I see only the insurance companies being able to help fix because we can tell a customer, “If you want to use this software company, that’s great. But just so you know, they are notorious for having issues, and therefore, your premium is going to be higher.” Now, that software company needs to decide if they want to be known as the company that doubles your insurance premium.
Alejandro: That’s amazing. The last question that I want to ask you, and this is the question that I ask all the guests that come on the show, is if I put you in a time machine, and you have the opportunity to have a chat with your younger self, with that younger Rotem that is thinking about making the jump from K2 to launching your own business, what would be that one piece of business advice that you would give to yourself before launching the company, and why, based on what you know now?
Rotem Iram: I think my most important lesson was that there’s nothing more important than understanding the customer and validating that this thing can be sold. I came from a very intellectual background around problem-solving. You think you have a better understanding of what needs to be done, and then you create what you think is a better solution. But if it cannot be sold in the field; if your customer doesn’t appreciate it, then you’ve not created value. Value is only created when somebody’s willing to pay for it. And not understanding who’s your customer and not designing for your customer is useless. I think that early on at At-Bay, we were not quick enough to either learn ourselves or, honestly, if I gave myself advice, it would be: bring in somebody who knows the customer really well as early as possible or do it yourself. But you have to know who the customer is because our initial product, even though the concept was great and has been validated since then, the application of it was just wrong for the distribution channel and the decision-maker, and I think the realization that it has to be something you can sell is one that didn’t come naturally to me in the beginning and probably has been the most important lesson for me.
Alejandro: Very profound. For the people that are listening, Rotem, what is the best way for them to reach out and say hi?
Rotem Iram: I’m on Twitter: @rotemiram or through our website: at-bay.com/ and at LinkedIn.
Alejandro: Rotem, thank you so much for being on the DealMakers show today.
Rotem Iram: Thank you for having me. I appreciate it.
* * *
If you like the show, make sure that you hit that subscribe button. If you can leave a review as well, that would be fantastic. And if you got any value either from this episode or from the show itself, share it with a friend. Perhaps they will also appreciate it. Also, remember, if you need any help, whether it is with your fundraising efforts or with selling your business, you can reach me at [email protected].