Threatonomics

Rewriting the Rules of Cyber Security Risks: Part II

Strengthen your cyber defenses for enhanced digital resilience.

by Erica Leise, Senior Security Solutions Engineer

Building Cyber Resilience requires a new approach to assessing, measuring, and managing risk. Traditional thinking in both the security and insurance sectors views risk management in binary silos: a control either stops an attack or fails to prevent loss. The truth, however, is that cyber security risk is significantly more complex. Being resilient to cyber security risk means balancing investments so as to minimize the material impact on an organization’s ability to deliver value to its clients.

This new way of thinking about cyber security risk requires organizations to connect their internal operating silos that run security, oversee finance, and manage risk transfer. Working with clients over the years, Resilience has collected these five new rules to share.

Improve Coverage by Combining Risk Insight with a Solid Cyber Hygiene Plan

Greater visibility into a risk profile often raises the fear that it will uncover non-threatening vulnerabilities that nonetheless count against your coverage. At Resilience, our underwriting team uses our advanced security visibility to help your organization qualify for policy improvements instead. We work with our clients to establish actionable cyber hygiene measures that, once implemented, improve the security of the targeted areas.

A client experienced a public cybersecurity incident. Due to the nature of the industry and the event’s impact, the client’s current insurer could no longer support their risk transfer needs.

Resilience’s security team worked alongside the client’s in-house security and IT teams to deliver a vCISO engagement covering security consulting on strategy, vendor management, technical implementation, risk, and compliance. The Resilience security team ultimately helped this organization recover its insurability through targeted improvements to its security infrastructure.

Lack of Cyber History Should Not Limit Your Risk Transfer Opportunities

Organizations that lack cyber history are often perceived as having a history of incidents. Without data on which to base risk decisions, these organizations are left building their cyber security risk management foundation at a disadvantage, overpaying for limited coverage. At Resilience, we understand that organizations need somewhere to start. Our underwriting team reviews files based on cyber hygiene, not cyber history.

A new client entered high-growth mode and began thinking more about what cyber security risk means to their organization. Our security team realized they had all the right ideas but needed guidance. The client was willing to work closely with the Resilience security operations team to implement an actionable cyber hygiene plan that would help them achieve their security goals. The client successfully implemented the security controls necessary for reasonable coverage, ransomware protection, and high sub-limits at renewal.

Consider Your Cyber Risk to be as Extensive as Your Vendor’s Attack Surface

When determining risk, external and third-party risk is often overlooked or treated as beyond the organization’s control. This mindset is both incorrect and inefficient. At Resilience, we have established data- and analysis-based strategies to manage third-party risk with the same visibility and control as internal risk.

A client’s engagement with multiple third-party vendors led to a large external attack surface. During their policy period, they experienced two cyber incidents through third parties. The client engaged Resilience’s cyber security risk solution to access our security and risk modeling experts, resolve the incidents, and improve their coverage through a stronger security posture. Our comprehensive cyber hygiene plan helped them resolve both incidents without impacting their ability to deliver value. By improving their cyber security risk posture, they were able to unlock lower retention rates and higher ransomware sub-limits at renewal.

Integrating Insurance and Security to Amplify Their Collective Benefits

When security and insurance operate independently, they focus on separate goals. Insurance aims to keep potential financial losses within your organization and your insurer’s tolerance. Security aims to protect and defend the infrastructure against any potential threat. The collective goal should be building Cyber Resilience, meaning finance and security will share, align, and prioritize strategic objectives for the entire organization.

A client suffered multiple ransomware incidents within 24 months. Although they had made numerous security investments since the incidents, they did not qualify for ransomware coverage. Our security team recommended actions on specific critical controls to help the client qualify for ransomware coverage, then helped them reach the milestones in their actionable cyber hygiene plan, meeting with their team to assist with implementing the risk improvement recommendations. Because of the client’s improvements, we were able to present a competitive quote with the opportunity for improved coverage.

Transforming Cyber Security Failures into Future Success

Cyber incidents can make or break your organization’s ability to secure robust risk transfer options—with traditional cyber insurance models often penalizing organizations for their past. However, Resilience views cyber security through a different lens, recognizing that all organizations deserve a fair chance at securing their digital future regardless of their past.

Our philosophy is simple: We assess cyber risk based on present cyber hygiene rather than past incidents. This approach was evident when we assisted a client grappling with the aftermath of a data breach. The incident had made finding affordable insurance coverage a Herculean task due to past-focused assessments. At Resilience, we knew the path forward involved assessing and enhancing their cyber security posture.

By involving our security team early, we deepened our engagement, leveraged advanced security visibility tools, and revised our assessment of the client’s risk status. This comprehensive understanding and strategic approach allowed us to confidently offer them the insurance coverage they deserved—underscoring our belief that past failures should not dictate future opportunities for cyber resilience.

Ready to revolutionize your cyber security strategy and mitigate future risks with confidence? Request a demo of The Resilience Solution today and take the first step towards true cyber resilience.
