Resilience is Pioneering a New Approach to Managing Cyber Risk

Dr. Ann Irvine 

Great. Thank you. Great to be here. Yeah. So I’ll just give you a brief overview of what we’re doing at resilience. So resilience, we are providing our customers with really a comprehensive risk management solution that includes insurance as well as additional products and services that help our customers better manage their cyber risk comprehensively. 

Dr. Ann Irvine 

We believe really strongly that insurance and the transfer of cyber risk to an insurance. 

Dr. Ann Irvine 

Carrier is a big part of managing any risk to include cyber risk, but there you know there are a few ways you can invest your dollars when you’re when you’re thinking about managing your cyber risk. You can buy insurance. You can also invest in cyber controls to reduce your exposure to risk. We work with companies to help them understand how they can. They can strike that balance. 

Dr. Ann Irvine 

Where their investment dollars should go, whether that’s investing in particular controls, investing in their security team or investing more in insurance. But we provide a comprehensive solution. 

Dr. Ann Irvine 

And to customers to help them make those decisions, those trade-offs and and offer the insurance coverage itself directly. 

Hessie Jones 

OK, so I’m gonna throw a couple of things at you because I. 

Hessie Jones 

Hessie Jones 

Was doing a little bit of research on the number of breaches that have happened in the last couple of years. So between 2022 and 23, there was a 20% increase in data breaches. 

Hessie Jones 

Publicly reported data compromises rose 70% year over year. The average cost of a breach was about four and a half million dollars, and globally, the number of victims actually doubled year over year. So from your perspective, you are probably aware of some of these stats. It’s probably the. 

Hessie Jones 

The reason why companies like yours exist, what are you seeing on your end when it comes to these kinds of risks? 

Dr. Ann Irvine 

Yeah, so data breaches were sort of, you know, the major headline data breaches that happened maybe 10 years ago really took the cyber insurance market to the next level because they cost organizations so much money and data breaches continue to be a risk to organizations. I think some of these statistics honestly are driven by increased amounts of disclosure. 

Dr. Ann Irvine 

Of data breaches, you know it’s no longer the case that there is an enormous amount of reputational harm when a data breach occurs in an organization because they’re more common and we’re sort of used to them as consumers. And there’s more regulation and more sort of guidelines around what’s disclosed and when and to and to whom. So some of those numbers are going up because of regulation. 

Dr. Ann Irvine 

And actually the reduced reputational risk, you know, as data breaches have become, I don’t know, almost steady state and sort of understood as a risk. Ransomware attacks have really skyrocketed in the last few years and that that tends to be the the sort of biggest unknown when we work with organizations in terms of you know, am I going to suffer from a ransomware attack? 

Dr. Ann Irvine 

How is it going to happen? How much is it going to cost? How am I going to deal with it? That’s that’s a bit a bit more of an unknown space for our customers than you know, the data breaches, which are relatively well regulated. 

Dr. Ann Irvine 

And understood. 

Hessie Jones 

So let’s talk a little bit about what your new approach is and why and why it’s different than what we’ve seen before. 

Dr. Ann Irvine 

Yeah. So to to sort of distinguish ourselves, well, we distinguish ourselves from both the traditional insurance carriers as well as others in the sort of technology space that are that are attempting to address the cyber risk management. 

Dr. Ann Irvine 

Problem that our customers have in contrast to incumbent insurers, we’re moving really quickly. Threats are evolving, threat actors are using new techniques to launch ransomware attacks and to sort of negotiate with customers to try to incentivize them to pay ransoms after the attack. These things are constantly evolving their new threat. 

Dr. Ann Irvine 

Doctors, their approaches, you know, are changing very rapidly and we’re responding to those changes really in. 

Dr. Ann Irvine 

Very, very real time in a way that traditional insurance incumbents just can’t move so quickly. So when we’re working with customers through a claim, I mean, we very quickly understand how did this attack happen and how is it handled and how can we spread that information and and create a sort of positive feedback loop of information sharing and use those learnings. 

Dr. Ann Irvine 

To to help our the other customers in our portfolio and we are also learning how much how much these cost. So in contrast to others in the sort of technology space that are trying to address this same customer need of understanding how to protect themselves and manage. 

Dr. Ann Irvine 

Cyber risk we are seeing how these attacks happen and how much they cost because we’re working with companies as their insurance provider. So we know how they play out and and and really the dollars and cents that are at stake in a way that puts us in a really good position to talk about things like ROI on different investments into security controls as well as insurance. 

Hessie Jones 

I guess from a defensive perspective, then you’re gonna try to help a lot of these companies be a little bit more proactive identifying them before you know they it’s too late to do anything about them. So from your perspective, we’ve seen the rise of a lot of these. 

Hessie Jones 

Large language models, which have probably been the cause of some of these. You know these kinds of risks that that we’re seeing in the marketplace. 

Hessie Jones 

Can you point to some? I don’t know learnings or statistics from your perspective that have correlated with the rise of LMS. 

Dr. Ann Irvine 

You know the the sort of classic example that everyone points to and I will as well is that phishing attacks will become more personalized, more tailored, much harder to spot. 

Dr. Ann Irvine 

When you receive an e-mail that says, hey, you know, this says, hey, Anne, great job on the collision panel I heard. 

Dr. Ann Irvine 

Talk about XYZ and you know I’d love if you took a look at, you know why click this link to, you know, to connect with me. You know that that information about me being at the Collision conference and speaking on a particular topic is on the web and that’s available for customization of really spear phishing attacks. 

Dr. Ann Irvine 

You know, I I think it’s too early. 

Dr. Ann Irvine 

To to tell you know how how quickly technology users are or not keeping up with these new attacks and to what extent really threat actors are really leveraging these to do this, this custom personalization, I I you know I I think it’s a little a little early to tell. I think the fact is it’s pretty easy to be a cyber criminal. 

Dr. Ann Irvine 

The barrier to entry is pretty low and you know the the attacks that are really meant that that are incentivized by financial gain. You know, the threat actors that are out there attack. 

Dr. Ann Irvine 

As they want to make a quick buck, those attacks are opportunistic. You know, there’s a lot of sort of just sort of spraying sort of going for anyone. The lowest hanging fruit and really custom bespoke personalized. 

Dr. Ann Irvine 

Spear phishing emails are not necessary to have success, so for most types of types of attacks, they’re more sophisticated actors doing other things that that may leverage these technologies at A at a faster tick. But that’s not most of the cyber attacks that are that are out there in the wild. 

Hessie Jones 

So. 

Hessie Jones 

You deal mainly with enterprise clients. OK, so do you have any visibility into? 

Hessie Jones 

What something like this could cost a medium or a smaller sized company because I don’t, I would doubt that they don’t have the wherewithal or the infrastructure to properly defend themselves either. 

Dr. Ann Irvine 

Yeah, that’s a that’s a great point. I think you know my my advice to a smaller, particularly a very small company would be to outsource their security to to companies that that are really experts, not try to. 

Dr. Ann Irvine 

Build things in house and and completely manage their security on their own. It’s really important to get the expertise of of someone that’s that’s really focused on on cybersecurity as a risk because yeah, as you said, they’re they’re just not going to have the resources to to do that on their own. But there are, you know, there are tools and companies and services out there to help. 

Hessie Jones 

OK, so I want to talk about. 

Hessie Jones 

Fighting AI with AI and if it’s even possible to be able to leverage some of the LMS to to fight the speed and scale of what we’re seeing today, can you speak to? 

Hessie Jones 

That a little bit. 

Dr. Ann Irvine 

Yeah, I think that’s a common phrase. I’ve heard around this conference today and I think. 

Dr. Ann Irvine 

I’ve been working in the AI space for for 20 years. I I you know, I’m I’m more. 

Dr. Ann Irvine 

More of a sort of natural skeptic, I think in in this this hype cycle where we are. 

Dr. Ann Irvine 

I think that’s fine. You know, there are ways to fight against new technologies with new technologies. I mean, we’ve seen this in the cybersecurity industry in general for a very long time there. There’s always new technology to to to, you know, to to fight the new stuff. I think I would, I do worry about. 

Dr. Ann Irvine 

There’s always going to be a need for a human that really understands what. 

Dr. Ann Irvine 

On to manage the application of technology and this is true on the on the attacker side as well as the defensive side. By the way, I think. 

Dr. Ann Irvine 

You know, in some ways I think about attackers that see new technology as really making it easier for them to launch their first attack and to get into cyber crime and and to make some money. But you know, I I I hope and believe that our law enforcement agencies internationally are are on top of that too, right. And and they will be able to. 

Dr. Ann Irvine 

You know, the less sophisticated the threat actors get, the easier time we will have identifying them and. 

Dr. Ann Irvine 

You know, bringing them bringing justice to them. So on the, on the defensive side though, I mean the same is the same is true. We still need humans at the at keyboards doing the hard work, understanding how the attacks are happening and understanding how to most effectively use technologies to to defend. You know, it’s just it’s not just a matter of turning on a knob and saying OK now AI is fighting AI. 

Dr. Ann Irvine 

Right, there’s, there’s a lot of sophistication that has to go into sort of thinking through what, what does that even mean, you know? 

Hessie Jones 

But but I mean as you say, it’s going to become easier to be to to have this threat attack that can happen in more creative and more frequent ways. 

Hessie Jones 

Will it ever, will we ever get to the point where we could stop it before it hits our servers? You know what I mean? Like, I mean, I’m finding that we’re playing whack a mole. And the minute we identify something we create, we create a system that can stop future attacks of that kind. But then you have new ones that come up on the horizon. 

Hessie Jones 

That nobody even thought about. 

Dr. Ann Irvine 

Yeah, totally. I think at resilience, we have an entire team of security researchers that are really trying to deeply understand again we’re. 

Dr. Ann Irvine 

Not. 

Dr. Ann Irvine 

They’re human. The the attackers on the other side of these incidents are are they’re just people that are sitting in front of a screen somewhere out in the world doing these things and it it is, it is. 

I know. 

Dr. Ann Irvine 

Having fun, making money, buying Lamborghinis, some of them you know, they, but they’re just people and they work a certain way. They think a certain way. A lot of these criminals threat actor groups. 

Dr. Ann Irvine 

Have complex politics. Even, you know, within the. 

Dr. Ann Irvine 

Sort. 

Dr. Ann Irvine 

Of market space, where they they partner, you know their partnerships as a whole business sort of ecosystem the the these threat actor groups are in and so we have to understand what are they doing really deeply to be able to disrupt that. It’s not just about Oh well, we’ve seen an attack from this IP address. 

Dr. Ann Irvine 

So now we’re going to very quickly block all traffic from that IP address. You know that’s sort of a. 

Dr. Ann Irvine 

Security response but but you know again these are people and we need to understand how to disrupt the entire ecosystem that they’re working in. 

Hessie Jones 

And like from an incentive perspective, we’re not talking. Do you remember war? 

Hessie Jones 

Games. 

Hessie Jones 

Years ago, Matthew Broderick and he was just playing a game and then he didn’t realize that he actually, when he was playing the game. 

Hessie Jones 

He actually disrupted a security security console. 

Hessie Jones 

From the Department of Defense or something like that. So he didn’t even realize that what he was doing. But he was doing it for fun, to see if he could do it. And a lot of times, that’s what it is. When you say they’re just people. It could be kids. It could be people who are just trying to challenge themselves and trying to figure out whether or not they could do it. 

Hessie Jones 

And that’s it, right? They don’t want anything out of it, but I think the ones that actually capitalize on that where they ask for Bitcoin, where they ask for. 

Hessie Jones 

Stuff in exchange. That’s where we’re starting to see that. 

Hessie Jones 

You know more of a threat because now there’s an incentive to get things right. Are you? Are you actually seeing that level of threat at the enterprise level, even at the insurance level? 

Dr. Ann Irvine 

Oh, absolutely. I mean the the, the sophisticated threat actors that that do have financial motives that are. 

Dr. Ann Irvine 

You know, demanding ransom payments in exchange for decryption keys to let businesses get back to business, I mean. 

Dr. Ann Irvine 

You know, a recent top of mind example, the two casinos in Las Vegas, MGM and Caesar’s both suffered ransomware attacks last September or so maybe and disrupted casino operations. They lost a lot of money. You know those were. 

Dr. Ann Irvine 

Actually, the speculation is that those were young. 

Dr. Ann Irvine 

Male Americans that were just trying to make a quick buck that were that were behind those attacks and you know, I I I believe deeply resilience was was founded by veterans of the US. 

Dr. Ann Irvine 

Military that believe really deeply, that again, this is a human problem and we’ve got to, we’ve got to punish these humans. I mean this is major criminal activity and and the sort of public private partnerships involved in taking down these threat actors. We’re excited to be a part of as. 

Hessie Jones 

Well, so one last question, where do you think the the landscape is going? So we’re moving into an era where. 

Hessie Jones 

If some of these things are going to become a lot easier to create and to be able to develop manipulations at far greater speed and scale. 

Hessie Jones 

Where do you think the industry needs to go and and at what point does it need to shift to more proactive stance as opposed to defensive? 

Dr. Ann Irvine 

Yeah, I do predict that the cybersecurity industry is going to be disrupted pretty severely because I think we’re going to start to see through some of the noise. There’s a lot of if you go to the big cyber security conferences, RSA and these things, they’re, you know, there are a lot of vendors. It’s a very crowded sort of markets marketplace and there is a lot of smoke and mirrors. 

Dr. Ann Irvine 

And a lot of it’s just very hard to tell what’s actually having. 

Dr. Ann Irvine 

Impact and what’s not and what tools do I actually need? What’s helpful and what’s not? I think that is going to start to change as we start to think about cybersecurity more as a risk and we start to put more data and more dollars and cents sort of around some of these analysis. So that’s that’s that’s one trend that I that I that I I predict will change. 

Hessie Jones 

I mean it’s in line with. 

Hessie Jones 

You know, the emergence of data privacy and the laws that are becoming a lot more stringent because. 

Hessie Jones 

Cyber security and data privacy go hand in hand. You can’t really have one without the other, and that’s that’s my belief as well. And so as we become a lot more sophisticated in automation and all these technologies, data will not. I don’t think it’s it’s it will cease to exist. 

Hessie Jones 

Was something that people don’t want the demand for it will continue to happen, right? 

Hessie Jones 

So any last words? 

Dr. Ann Irvine 

Last words I do. 

Dr. Ann Irvine 

Uh. 

Dr. Ann Irvine 

I I worry a bit in both in cybersecurity and more generally about. 

Dr. Ann Irvine 

AI and LLMC’s taking over, taking over jobs. I mean, there will be automation and we’re going to need to upskill individuals both for their sake, but also for the sake of us solving some of these really hard problems. So, you know, it’s just sort of a a challenge to all of us to to figure out how. 

Dr. Ann Irvine 

Do that you know cyber security for sure. We we need people and we need smart, thoughtful people. Again, these are all people problems. These are human, human driven risks and human driven responses. And we need really smart, motivated people behind the good guys side of the keyboard to to help help stop these attacks. 

Hessie Jones 

Thank you so much Anne, for for joining me today and for educating us on on everything that you’re doing and what we need to do to actually move this conversation forward. 

Hessie Jones 

For humanity, right for humanity. OK, so for everyone out there. Thank you very much. This is day one of collision hessie Jones. We’re at tech uncensored and we’ll be back for the rest of the week. Take care.