third-party cyber risk management
Threatonomics

Rewriting the Rules of Cyber Security Risks: Part II

Strengthen your cyber defenses for enhanced digital resilience.

by Erica Leise , Senior Security Solutions Engineer
Published

Building Cyber Resilience requires a new approach to assessing, measuring, and managing risk. Traditional thinking from both the security and insurance sectors views risk management in binary silos that either stop an attack or fail to prevent loss. However, the truth is that cyber security risk is significantly more complex. Being resilient to cyber security risk means balancing investments to minimize an organization’s material ability to deliver value to its clients.

This new way of thinking about cyber security risk requires organizations to connect their internal operating silos that run security, oversee finance, and manage risk transfer. Working with clients over the years, Resilience has collected these five new rules to share.

Improve Coverage by Combining Risk Insight with a Solid Cyber Hygiene Plan

More visibility into a risk profile often inspires fear of uncovering non-threatening vulnerabilities, which can negatively impact your coverage. At Resilience, our underwriting team uses our advanced security visibility to help your organization qualify for policy improvements. We work with our clients to establish actionable cyber hygiene measures to implement that will improve the security of targeted areas.

A client experienced a public cybersecurity incident. Due to the nature of the industry and the event’s impact, the client’s current insurer could no longer support their risk transfer needs.

Resilience’s security team worked alongside the client’s in-house security and IT teams to provide a vCISO engagement providing security consulting on strategy, vendor management, technical implementation, risk, and compliance. The Resilience security team ultimately helped this organization recover its insurability through targeted improvements in its security infrastructure.

Lack of Cyber History Should Not Limit Your Risk Transfer Opportunities

Organizations that lack cyber history are often perceived as having a history of incidents. Without data to base risk decisions, these organizations are left building their cyber security risk management foundation at a disadvantage, overpaying for limited coverage. At Resilience, we understand that organizations need somewhere to start. Our underwriting team reviews files based on cyber hygiene, not cyber history.

A new client entered high-growth mode and began thinking more about what cyber security risk means to their organization. Our security team realized they had all the right ideas and needed guidance. The client was willing to work closely with the Resilience security operations team to implement an actionable cyber hygiene plan to help them achieve their security goals. The client successfully implemented security controls necessary for reasonable coverage, ransomware protection, and high sub-limits at renewal.

Consider Your Cyber Risk to be as Extensive as Your Vendor’s Attack Surface

When determining risk, external and third-party risk is often overlooked or considered beyond the organization’s control. This mindset is incorrect and inefficient. At Resilience, we have established data and analysis-based strategies to manage third-party risk with the same visibility and control as internal risk.

A client’s engagement with multiple third-party vendors led to a large external attack surface. During their policy, they experienced two cyber incidents through third parties. The client engaged Resilience’s cyber security risk solution to access our security and risk modeling experts to resolve the incidents and improve their coverage through a stronger security posture. Our comprehensive cyber hygiene plan helped them resolve both incidents without impacting their ability to deliver value. By improving their cyber security risk, they could unlock lower retention rates and higher ransomware sub-limits at renewal.

Integrating Insurance and Security to Amplify Their Collective Benefits

When security and insurance operate independently, they focus on separate goals. Insurance aims to keep potential financial losses within your organization and your insurer’s tolerance. Security aims to protect and defend the infrastructure against any potential threat. The collective goal should be building Cyber Resilience, meaning finance and security will share, align, and prioritize strategic objectives for the entire organization.

A client suffered multiple ransomware incidents within 24 months. Although they had made numerous security investments since the incidents, they did not qualify for ransomware coverage. Our security team recommended actions to take on specific critical controls to help the client qualify for ransomware coverage. Our security team helped them reach milestones in their actionable cyber hygiene plan, engaging in meetings with their team to assist them with implementing risk improvement recommendations. Due to the client’s improvements, we could present a competitive quote with the opportunity for improved coverage.

Transforming Cyber Security Failures into Future Success

Cyber incidents can make or break your organization’s ability to secure robust risk transfer options—with traditional cyber insurance models often penalizing organizations for their past. However, Resilience views cyber security through a different lens, recognizing that all organizations deserve a fair chance at securing their digital future regardless of their past.

Our philosophy is simple: We assess cyber risk based on present cyber hygiene rather than past incidents. This approach was evident when we assisted a client grappling with the aftermath of a data breach. The incident had made finding affordable insurance coverage a Herculean task due to past-focused assessments. At Resilience, we knew the path forward involved assessing and enhancing their cyber security posture.

By involving our security team early, we deepened our engagement, leveraged advanced security visibility tools, and revised our assessment of the client’s risk status. This comprehensive understanding and strategic approach allowed us to confidently offer them the insurance coverage they deserved—underscoring our belief that past failures should not dictate future opportunities for cyber resilience.

Ready to revolutionize your cyber security strategy and mitigate future risks with confidence? Request a demo of The Resilience Solution today and take the first step towards true cyber resilience.

About the Author
Erica Leise , Senior Security Solutions Engineer

You might also like

What enterprises over $10 billion need to know about managing cyber risk

The role of the Chief Information Security Officer has undergone a profound transformation from a purely technical role to a strategic business one in recent years. For CISOs operating in organizations with over $10 billion in revenue—a segment that Resilience has recently expanded its cyber risk solutions to serve—the shift comes with unique pressures and […]

How to create an effective Incident Response Plan

Cyberattacks are no longer a distant threat—they are a certainty. Whether it’s a ransomware attack, data breach, or insider threat, organizations must be prepared to respond quickly and effectively. Without a solid plan in place, even a minor security incident can spiral into a major crisis, leading to financial losses, reputational damage, and regulatory penalties. […]

Understanding the ClickFix attack

Imagine a cyberattack so simple yet so deceptive that all it takes is three keystrokes to compromise your system. This is the reality of the ClickFix attack, a threat that Resilience threat researchers have observed in the wild since 2024 and that seems to be ramping up in recent weeks. ClickFix cleverly manipulates users into […]

How MFA can be hacked

Multi-factor authentication (MFA) represents a significant improvement over single-factor authentication, adding an extra layer of security that has become standard practice across industries. It’s become so popular that many organizations and individuals believe implementing MFA makes their accounts nearly impenetrable to attackers. After all, even if someone steals your password, they would still need access […]

What is the ROC?

The cybersecurity industry thrives on headlines. A major software vulnerability, a ransomware attack, or a widespread outage—each event sends ripples of concern through the digital ecosystem, often accompanied by a rush to assign blame and predict catastrophic consequences.  However, the reality of cyber risk is far more nuanced than these attention-grabbing headlines suggest. The key […]

Quantifying cyber risk for strategic business alignment

In Resilience’s recent webinar, “Quantifying Cyber Risk for Strategic Business Alignment,” (which I hosted along with my colleagues Eric Woelfel, Senior Cybersecurity Engineer, and Erica Leise, Senior Security Engineer) we wanted to tackle a common—and often limiting—mindset in cybersecurity. It’s a mindset I’ve seen again and again in my decade and half building machine learning […]