Coalition's Daniel Woods on the attorney-client privilege tactic shaping every IR investigation
Daniel Woods, Principal Security Researcher at Coalition, sits at an intersection most security practitioners never access: underwriting data, claims history, and live forensics findings, all seen from the same vantage point. In this conversation, he traces how cyber insurance evolved from a 10% loss ratio product in the late 1990s to carriers reportedly hitting 130%+ loss ratios during the ransomware era, and what that financial pressure forced the market to actually build. He also explains the mechanics behind why lawyers end up directing IR investigations, who that structure protects, and why every practitioner who has ever written a forensic report should understand it before an incident forces the question.
Topics discussed:
- Early cyber insurance economics and how a near-90% profit margin shaped the market
- How California's 2003 breach notification law created the data breach litigation economy
- How the shift from on-site auditors to yes/no questionnaires left insurers blind to whether backups were actually recoverable
- Why RDP as an initial access vector dropped from roughly 80-90% of ransomware claims to around 20%
- Why insurers put lawyers in front of IR investigations and what that means for what gets documented
- The unresolved legal problem with cyber war exclusions along the nation-state/criminal contractor continuum
- Why security practitioners should be in the room during the insurance buying process, not reacting to the vulnerability report afterward
- Why cyber insurance is a broad digital risk product and not just a ransomware backstop
Key Takeaways:
- Get your security team into the insurance buying process before the vulnerability report arrives. Once it lands, you are in reactive mode with your carrier already holding findings.
- Insurers like Coalition built their underwriting model around external perimeter scanning, specifically flagging open RDP, VPNs without MFA, and exposed attack surface before they quote. That scan is happening whether your team engages with it or not. Use it.
- The backup question on an insurance application has moved well past yes or no. Insurers now ask about recovery time, maintenance cadence, and whether backups are actually tested. A tape environment that takes two months to restore is not a recovery capability and carriers know it.
- When a lawyer is directing your IR investigation, what goes into the forensic report is a legal decision, not just a technical one. Daniel's own interview research with lawyers found that technical practitioners routinely undermine the privilege structure by writing explicit characterizations of organizational failure (phrases like "flagrant culture of noncompliance") that lawyers cannot shield and litigants can use. Know what you are writing before an incident forces you to find out why it matters.
- Standalone cyber policies and property policies respond very differently to nation-state incidents. Cyber insurers paid out on Sony under standalone cyber. The war exclusion fights over NotPetya happened in property insurance courts. If your coverage mix includes both, those are not equivalent protections.
- The attribution problem cuts both ways. Nation-state actors contracting ransomware groups, or using financially motivated TTPs alongside espionage operations, make war exclusion clauses nearly impossible to apply cleanly. Know where your policy language actually draws that line.
- Cyber insurance covers more than breach response. Impersonation, deepfake fraud, and privacy violation liability are all coverable under the right policy structure. Most buyers do not realize that until they file a claim.