Threatonomics

What is the ROC?

by Emma McGowan, Senior Writer

Breaking down silos to build stronger cyber resilience

The cybersecurity industry thrives on headlines. A major software vulnerability, a ransomware attack, or a widespread outage—each event sends ripples of concern through the digital ecosystem, often accompanied by a rush to assign blame and predict catastrophic consequences. 

However, the reality of cyber risk is far more nuanced than these attention-grabbing headlines suggest. The key to managing these threats effectively is not just reaction, but proactive resilience—a strategy that the Resilience Risk Operations Center (ROC) is designed to enable.

What is the ROC?

The best way to think about the ROC is as a fusion center: a centralized hub that brings together all of Resilience’s core competencies into a single collaborative environment. 

“We already have world-class teams across underwriting, claims, actuarial science, cybersecurity, data science, business intelligence, and risk engineering,” Mike McNerney, Resilience SVP of Security, says. “The ROC’s mission is to break down the silos between these teams, enabling them to work together, share intelligence, and uncover synergies where the whole becomes far more valuable than the sum of its parts.”

This ability to connect diverse teams and enable effective intelligence sharing is something Resilience has learned to do firsthand — and it’s a challenge many of its customers face as well.

“The work we’ve done through the ROC to enable effective intelligence sharing across diverse teams really mirrors the work that a lot of our customers are doing,” says Dr. Ann Irvine, Resilience’s Chief Data Scientist. “It’s not easy to have meaningful and productive conversations about cyber threats across security experts and finance teams. In learning to do this ourselves, we are well positioned to give our customers tools to do the same.”

This internal collaboration doesn’t just strengthen Resilience’s own risk management capabilities — it empowers clients to improve communication between their own security, risk, and financial leaders. By modeling and facilitating these cross-functional conversations, the ROC helps customers transform their cyber risk programs into truly business-aligned strategies.

This philosophy is what sets the ROC apart from a more traditional Security Operations Center (SOC). Most people in the industry are familiar with SOCs — they’re typically internally focused and largely reactive, responsible for monitoring systems, triaging alerts, identifying incidents, and responding to threats after they occur.

The ROC, on the other hand, is designed more like an Air Operations Center (AOC) — a concept both McNerney and Resilience CEO Vishaal “V8” Hariprasad are familiar with from their time in the Air Force. In contrast to a SOC, an AOC is externally facing, designed to create effects outside of the organization. In a military context, that means coordinating air, space, and cyber operations to impact the battlefield and adversaries directly. 

“AOCs bring together diverse participants — not just the Air Force, but also experts from the Army, CIA, FBI, and other agencies — each contributing their own expertise to create a coordinated effect,” McNerney says. “The Air Force became so effective at this model that it considers it a weapon system in and of itself.” 

The ROC in action

At first glance, the idea of getting ahead of a cyber threat actor might seem unrealistic — after all, a keystroke happens in milliseconds. How could anyone move faster than that? The answer lies in the feedback loops Resilience has built into the ROC.

Threat actors themselves often rely on feedback loops. Many attacks involve a process of reconnaissance, analysis, and decision-making—from choosing which vulnerabilities to exploit to determining which companies to target. By establishing faster, more informed feedback loops across its insured portfolio, Resilience can intervene earlier in that process, closing vulnerabilities or hardening defenses before adversaries act.

This ability to get ahead of threats is grounded in how the ROC manages risk, which rests on two key pillars:

  • Risk selection: ensuring the underwriting team is identifying and writing the right risks in the first place.
  • Active portfolio protection: continuously working to make Resilience’s insured companies safer after they’re on the books.

Both pillars are preventative, but they come into play at different stages of the insurance lifecycle. Risk selection happens before a policy is written, while active protection focuses on ongoing risk management for companies already in the portfolio.

The value of this two-pronged approach becomes clear when looking at two recent incidents — one involving the popular school app PowerSchool, and the other involving Palo Alto Networks. These incidents offer a clear example of how the ROC supports both risk selection and active portfolio protection, respectively, demonstrating how Resilience helps protect its insureds before, during, and after underwriting.

Risk selection: PowerSchool

PowerSchool—a widely used platform in K-12 schools across the United States—experienced a data breach in December 2024 that exposed personally identifiable information (PII) belonging to thousands of students and their families. 

The breach didn’t originate directly within PowerSchool’s own systems, but through one of their vendors, PowerSource, highlighting the cascading risks that come from third-party dependencies. These kinds of incidents—especially those involving widely used technologies like file transfer tools, VPNs, or other critical IT systems—are largely outside of any individual customer’s control. When one of these platforms is compromised, Resilience customers might be exposed through no fault of their own.

“In these scenarios, there is often little that can be done to stop or mitigate the incident once it has occurred, because it involves a third-party software,” says Amanda Bevilacqua, North America Claims Operations Leader and ROC member. “However, the ROC collaborates with our data science teams to develop models that assess the potential exposure and determine the financial impact to Resilience. This is valuable information for capacity partners who want to understand the potential damage in terms of claims payout.” 

When events like this occur, the ROC feeds intelligence back to the underwriters, advising them to ask more targeted questions during the underwriting process. This helps them make more informed risk decisions and, where necessary, consider excluding exceptionally high-risk technologies from coverage altogether.

Ultimately, this gives the underwriters more tools to make better decisions, whether that’s adjusting coverage terms, asking for additional security controls, or in some cases, choosing not to write the risk at all. The more options the underwriting team has, the better positioned they are to make smarter, more nuanced decisions that strengthen Resilience’s overall portfolio.

Active portfolio protection: Palo Alto Networks 

Palo Alto Networks issued a warning in April 2024 about threat actors exploiting a zero-day vulnerability in the PAN-OS GlobalProtect VPN, and the ROC took immediate action.

Leveraging comprehensive data on customer security environments, the ROC identified customers who were susceptible to the vulnerability but were not yet aware that there might be an issue. The vulnerability hunting team contacted potentially impacted customers, offering guidance on patching their systems.

As the investigation progressed, the claims team received incident reports from customers who hadn’t been initially identified. Claims then alerted the Threat Intelligence team, prompting a new scan that identified 164 additional impacted clients. The customer team then stepped in, contacting those clients and providing guidance on remediation.

The ROC’s swift actions not only expedited the response, but also empowered stakeholders to make informed decisions. The rapid response and proactive communication mitigated damage and likely prevented significant losses for customers. This incident showcases the ROC’s capacity to act swiftly and effectively, leveraging data and expertise to mitigate threats before they cause significant damage. 

Proactive protection, smarter underwriting–stronger resilience

Cyber risk will never be eliminated, but the ROC proves that it can be managed smarter. Through real-time intelligence sharing, collaborative expertise, and continuous feedback loops, Resilience not only protects its own financial position but also helps its customers become more resilient over time — turning cyber insurance from a reactive safety net into a proactive force for risk reduction.

In an industry often defined by headlines and hindsight, the ROC embodies a different philosophy — one where foresight, collaboration, and action come together to create a safer future for every insured in the portfolio.
