This article was produced in partnership with CFC.
Mia Wallace, of Insurance Business, sat down with Roger Francis, MD of CFC Response, to discuss the future of truly proactive cyber solutions.
Taking cyber solutions out of the realm of the theoretical and into the arena of the practical is at the heart of what Roger Francis, MD of CFC Response, and his 100-strong in-house global response team do on a day-to-day basis.
Cyber threat analysis is a next-generation cyber service which looks to match the ever-evolving nature of cyber risk through proactive intervention. Touching on what such a solution looks like, Francis highlighted that the word proactive is quite often misattributed, and used to describe tabletop exercise scenarios aimed at creating muscle memory rather than pre-emptive engagement with incoming threats.
“At its core, our cyber threat analysts focus on reducing cyber risk across the CFC portfolio,” he said. “Something quite unique to the cyber line is that we can actually influence the behaviour of the risk throughout the term of the policy. If you consider the incident response side of the house, we deal with over 2,500 global incidents annually. And these have a whole load of root causes and elements which drive those claims.
“What our cyber threat analysts do is create ‘claims intelligence’ where we correlate those risks against claims to see which ones are specific indicators of potential claims, so we can better predict them. Correspondingly, we create tools via which we can proactively scan our entire portfolio to see if any of those vulnerabilities are prevalent. This allows us to reach out to the insured and help them through the remediation process, making them a better risk in the long run as a less likely target for threat actors.”
What sets CFC’s cyber threat analysis offering apart, Francis said, is that the team actively search for precursor malware – the tools a threat actor will deploy before they encrypt an environment. CFC’s scale and global breadth enable it to engage with a broad range of resources, from private sector feeds to government feeds to the proprietary feeds it has built itself – and to democratise threat intelligence by disseminating this information for the benefit of policyholders everywhere.
“At CFC, we are very technically-minded in terms of our approach,” he said. “And that’s not only driven from how we respond from an incident response perspective in helping organisations actually recover from an incident, but also in terms of how we look to protect our portfolio.”
There are several different stages to how this threat analysis is carried out – including scanning, identifying, building patches and notifying. What a lot of people don’t quite realise, he said, is how difficult disseminating the information amassed can be. Looking across the security industry, there are so many disparate players who each hold critical insights into cyber threats, but communicating all that data in an actionable and timely manner is another matter entirely.
“The way we’ve tackled that at CFC is by building our Response mobile app, which gives us a direct link into our insureds and allows us to push out alerts to them immediately,” he said. “A good example is what happened with ProxyShell in August 2021, when we were able to build a scanner within 24 hours which identified several thousand potentially vulnerable systems and several hundred systems that had already been compromised.
“We then leveraged the app to reach out to those organisations so they could go ahead and remediate and resolve them. What started out at the beginning of the week, as thousands of vulnerabilities, we were able to remediate down to the low tens – and there will always be some organisations that you can’t reach. But we vastly changed our risk profile by identifying the threat, building the scanning tool and reaching out to the insureds, helping them remediate and making them better risks in the long run.”
The threat analysts’ work in such moments of crisis is an example of a truly proactive solution in action, and Francis noted that brokers, in particular, have had an “overwhelmingly positive reaction” to the offering. The market has been calling out for a new-age threat intelligence solution that provides actionable insight rather than reams of inaccessible data. There are around 10,000 Common Vulnerability Scores (CVEs) out there, he said, but that doesn’t mean there are 10,000 considerations people should be worried about.
Correlating those scores against claims is what allows you to identify the vulnerabilities which are being actively exploited as part of a threat actor’s campaign, he said. The idea is not to bombard insureds with doomsday scenarios about hypothetical threats but rather to alert them to specific vulnerabilities that have implications for them and their business.
“When we send them out an alert, it’s to say we found this specific vulnerability on this specific server or domain, here’s a set of recommendations on how to solve it and, if you have any questions, contact us,” he said. “It’s a proper, actionable service. And sometimes we have people asking why they haven’t heard from us, and our response is that it’s a very good thing!
“But I think it’s important to differentiate threat intelligence as part of the security industry, which is something that people try and package and sell, versus what we’re trying to do, which is proactively de-risk our portfolio and take that offering one step further – by reducing the noise of 10,000 vulnerabilities down to just the handful that we know drive claims, and therefore that we want to focus on.”
It’s a solution that works for the benefit of brokers and insureds alike while safeguarding the stability and longevity of the cyber insurance market. For brokers, who have seen first-hand how CFC’s threat analysis team has prevented ransomware incidents and protected insureds’ systems, he said, threat intelligence has proven itself a real game-changer.
“The feedback from the brokers and the insureds when they realise there’s no ulterior motive to this and it’s just us purely trying to help them avoid what could be one of their worst days is incredible,” he said. “And we work largely in the SME sector where there’s a lot of business owners who have everything wound up in their businesses, and who have enough problems on their plates right now. So, it’s nice for them to know there’s someone else out there, looking over their shoulder and making sure that the worst-case scenario doesn’t happen.”
Roger Francis is a security specialist with over 15 years of experience in protecting organisational assets from threats. He joined CFC in 2019 to head up CFC Response.