Resilience’s Hariprasad: Insurtech’s new tools put insureds on “proactive footing”
Resilience’s CEO V8 Hariprasad has said that the cyber insurtech’s launch of a pair of new tools – offering breach and attack simulations and the ability to build a cyber risk profile – innovates by proactively mitigating risk rather than simply monitoring it.
Hariprasad made those comments in an interview with Cyber Risk Insurer alongside Resilience’s chief data and analytics officer Ann Irvine.
The breach and attack simulation (BAS) allows clients to simulate threat actor behaviour safely on their own networks, while the cyber risk profile builder brings clients more clarity on their internal systems, people, processes, and products to establish a full view of their risk.
The tools Resilience is rolling out stand in contrast to managed detection and response (MDR) services which are reactive in nature and catch threat actors once they have already breached an environmen. In contrast, Resilience’s BAS in particular is aimed at stopping client vulnerabilities.
“We’re giving clients the ability to run the actual malware of actual capabilities in their networks, just as a test,” the Resilience CEO explained.
“It's safe, it's innocuous, but it's a safe way for them to test their defences before the bad guys get to them,” he added.
Risk Profile Builder gives real-time insights into clients’ risk profiles
In addition, Resilience’s cyber risk profile builder allows the insurtech to get to know clients’ internal security processes “at a very intimate level” Hariprasad said.
“We're trying to move with our clients beyond just an annual insurance application,” said Irvine, the chief data and analytics officer, as she acknowledged applications and renewals only provide an assessment at a single point in time, while Resilience is aiming to develop a real-time picture.
If an insured invests in a new security control, the risk profile builder provides a format to keep Resilience updated about how that insured’s risk profile has evolved.
“So we’re moving from a single point in time [or] annual insurance mindset [and] risk assessment to something closer to real time and continuous,” Irvine explained, adding that the profile builder goes beyond the questionnaire included in submissions.
“That also gives us the opportunity to ask better questions, get better data, [and] get more and more in-depth, nuanced, and, frankly, just [a more] meaningful understanding of their risks,” Irvine said, which benefits both Resilience and its customers.
Geared toward large account clients with human involvement
Irvine said that continuous scanning and looking for internet exposed devices and vulnerabilities that many insurtechs have touted are “table stakes”, but that the tools being rolled out by Resilience are especially geared for large account clients as they entail more human intervention.
“We’re working in the upper market and have a ‘human in the loop’ approach to working with customers. We're not all in on 100 percent automation,” she said.
“And we believe that that's the right approach. Because we're working with complex organisations that have complex networks and environments,” Irvine commented, describing the importance of having engaged customers who really understand their risk.
Hariprasad said what differentiates Resilience from other insurtechs in terms of vulnerability notifications is that other insurtechs pride themselves on sending volumes of notifications.
In contrast, Hariprasad argues that Resilience knows its clients best, and ensures it only sends vulnerability notifications that are relevant.
“We take pride in the quality of alerts we send, how material they are to actual financial impact, and separately, how appropriate they are to the clients,” Hariprasad commented.
“So the risk profile folder and the engagement that Anna's talking about at a complex level allows us to really hone in on the few alerts that truly will drive impact for our clients in the complex, upper mid-market space,” he added
“A lot of the feedback we've heard from brokers as well as clients is, they really appreciate the lack of signal overload. And more importantly, when they do get signals from us, they really are material,” Hariprasad continued.
“So I think a big part of the Resilience capability is engaging with our clients, getting to know them, embracing complexity, and then drawing out the simplistic items they need to focus on for designs,” Hariprasad remarked.
Resilience tools have proven to cut down on claims costs
The Resilience CEO said specifically the cyber risk profile builder is intended to be a “digital Sherpa guide” to companies to monitor the financial risks that really matter as he noted the complex and dynamic nature of cyber risk.
“We've been able to boil it down to the key items that we and our clients need to focus on together to stay ahead of the bad guys. So I think simplicity… is crucial throughout the lifecycle of their policy,” Hariprasad commented.
He said the fact that 96 percent of Resilience clients who leveraged its tools did not make a claim in 2023 illustrates the tools’ efficacy, while he also pointed to the fact that 85 percent of Resilience clients who were ransomware victims avoid paying ransoms, versus 71 percent for the broader market.
“We're very specific: this is about preventing. We want to engage and understand complexity, and then get [clients] ready for an attack, not trying to stop or defend the attack,” he said, saying other security devices can stop or defend attacks.
“This is the tremendous value of selling insurance policies – that we have this kind of visibility,” Irvine remarked.
“One of our core tenets is to cut through the noise in the security industry, and really help customers focus on doing preventative work that actually has an impact downstream,” she added.
Irvine said Resilience is focused on “genuine integration” between security expertise and financial expertise about how attacks actually come to pass and the impact that they have, while Hariprasad said his company aims to avoid “security theater”.
“We're not trying to do insurance and security,” Hariprasad commented.
“We're trying to translate financial risk [or] cyber risk into financial terms, which he said is very different “from blocking every little thing or whack-a-mole, every little thing that comes up”.
“This is, ‘Let's prioritise and strategically align our clients to stay ahead of the bad guys’,” he concluded.