Rewriting the Rules of Cyber Security Risks: Part II

Strengthen your cyber defenses for enhanced digital resilience.

by Erica Leise, Senior Security Solutions Engineer

Building Cyber Resilience requires a new approach to assessing, measuring, and managing risk. Traditional thinking from both the security and insurance sectors views risk management in binary silos that either stop an attack or fail to prevent loss. However, the truth is that cyber security risk is significantly more complex. Being resilient to cyber security risk means balancing investments to minimize the material impact of incidents on an organization’s ability to deliver value to its clients.

This new way of thinking about cyber security risk requires organizations to connect their internal operating silos that run security, oversee finance, and manage risk transfer. Working with clients over the years, Resilience has collected these five new rules to share.

Improve Coverage by Combining Risk Insight with a Solid Cyber Hygiene Plan

More visibility into a risk profile often inspires fear of uncovering non-threatening vulnerabilities, which can negatively impact your coverage. At Resilience, our underwriting team uses our advanced security visibility to help your organization qualify for policy improvements. We work with our clients to establish actionable cyber hygiene measures to implement that will improve the security of targeted areas.

A client experienced a public cybersecurity incident. Due to the nature of the industry and the event’s impact, the client’s current insurer could no longer support their risk transfer needs.

Resilience’s security team worked alongside the client’s in-house security and IT teams to provide a vCISO engagement providing security consulting on strategy, vendor management, technical implementation, risk, and compliance. The Resilience security team ultimately helped this organization recover its insurability through targeted improvements in its security infrastructure.

Lack of Cyber History Should Not Limit Your Risk Transfer Opportunities

Organizations that lack cyber history are often perceived as having a history of incidents. Without data on which to base risk decisions, these organizations are left building their cyber security risk management foundation at a disadvantage, overpaying for limited coverage. At Resilience, we understand that organizations need somewhere to start. Our underwriting team reviews files based on cyber hygiene, not cyber history.

A new client entered high-growth mode and began thinking more about what cyber security risk means to their organization. Our security team realized they had all the right ideas but needed guidance. The client was willing to work closely with the Resilience security operations team to implement an actionable cyber hygiene plan to help them achieve their security goals. The client successfully implemented the security controls necessary for reasonable coverage, ransomware protection, and high sub-limits at renewal.

Consider Your Cyber Risk to be as Extensive as Your Vendor’s Attack Surface

When determining risk, external and third-party risk is often overlooked or considered beyond the organization’s control. This mindset is incorrect and inefficient. At Resilience, we have established data and analysis-based strategies to manage third-party risk with the same visibility and control as internal risk.

A client’s engagement with multiple third-party vendors led to a large external attack surface. During their policy period, they experienced two cyber incidents through third parties. The client engaged Resilience’s cyber security risk solution to access our security and risk modeling experts to resolve the incidents and improve their coverage through a stronger security posture. Our comprehensive cyber hygiene plan helped them resolve both incidents without impacting their ability to deliver value. By reducing their cyber security risk, they could unlock lower retention rates and higher ransomware sub-limits at renewal.

Integrating Insurance and Security to Amplify Their Collective Benefits

When security and insurance operate independently, they focus on separate goals. Insurance aims to keep potential financial losses within your organization and your insurer’s tolerance. Security aims to protect and defend the infrastructure against any potential threat. The collective goal should be building Cyber Resilience, meaning finance and security will share, align, and prioritize strategic objectives for the entire organization.

A client suffered multiple ransomware incidents within 24 months. Although they had made numerous security investments since the incidents, they did not qualify for ransomware coverage. Our security team recommended actions to take on specific critical controls to help the client qualify for ransomware coverage. Our security team helped them reach milestones in their actionable cyber hygiene plan, engaging in meetings with their team to assist them with implementing risk improvement recommendations. Due to the client’s improvements, we could present a competitive quote with the opportunity for improved coverage.

Transforming Cyber Security Failures into Future Success

Cyber incidents can make or break your organization’s ability to secure robust risk transfer options—with traditional cyber insurance models often penalizing organizations for their past. However, Resilience views cyber security through a different lens, recognizing that all organizations deserve a fair chance at securing their digital future regardless of their past.

Our philosophy is simple: We assess cyber risk based on present cyber hygiene rather than past incidents. This approach was evident when we assisted a client grappling with the aftermath of a data breach. The incident had made finding affordable insurance coverage a Herculean task due to past-focused assessments. At Resilience, we knew the path forward involved assessing and enhancing their cyber security posture.

By involving our security team early, we deepened our engagement, leveraged advanced security visibility tools, and revised our assessment of the client’s risk status. This comprehensive understanding and strategic approach allowed us to confidently offer them the insurance coverage they deserved—underscoring our belief that past failures should not dictate future opportunities for cyber resilience.

Ready to revolutionize your cyber security strategy and mitigate future risks with confidence? Request a demo of The Resilience Solution today and take the first step towards true cyber resilience.
