
Living in a World of Constant Threat Assessment

Summary

– Threat assessments are conducted daily using three criteria: source credibility, environmental relevance/impact, and multi-platform corroboration to separate meaningful signals from noise.
– Generative AI is used to rapidly summarize threat reports, extract indicators, and align findings to their environment while reducing duplicate work and processing time.
– Third-party risk management involves continuous assessment of partners across multiple dimensions including business criticality, data handling, and regulatory compliance rather than one-time evaluations.
– The insurance industry’s future threat evolution involves AI-driven attacks operating at machine speed, requiring equally fast defense through integrated systems and automated responses.
– Daily threat assessment cadence with defined escalation triggers and standard playbooks has improved readiness and reduced exposure through consistent, disciplined processes.

Insurance companies are fundamentally reshaping their cybersecurity approaches to counter increasingly sophisticated digital dangers. In a recent discussion, Paul J. Mocarski, Vice President and Chief Information Security Officer at Sammons Financial Group, detailed how carriers are leveraging persistent threat evaluation, artificial intelligence for automation, and rigorous third-party risk oversight to sustain a state of operational readiness. He emphasized that collaboration, system integration, and a methodical response protocol are now central to defending against next-generation cyber assaults.

When asked about the specific signals monitored during continuous threat assessments, Mocarski described it as a daily, ingrained practice. His team prioritizes three core elements: the trustworthiness of the intelligence source, its potential effect on their specific operational landscape, and confirmation from a variety of separate platforms. They gather data from vendors, industry partners, and open channels, then evaluate this information based on historical accuracy and independent verification. For the life insurance and annuity sector, any threat that intersects with their technology infrastructure or supply chain gets fast-tracked for immediate risk analysis and action planning. They use specific triggers to filter out insignificant data, such as proof of active attacks, the availability of exploit code, direct alignment with their asset inventory, or sudden increases in phishing activity. Even for high-profile incidents that pose minimal direct risk, they often enact a response plan to maintain preparedness and address internal concerns, always striving for consistency and clear communication.
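The triage logic described above, sketched as an added example; it is not code from Sammons Financial or from the original article. The inventory entries, source-accuracy scores, thresholds and disposition labels are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: all names, scores and thresholds are assumptions.
ASSETS = {"examplevpn", "examplecrm"}            # own technology stack
SUPPLY_CHAIN = {"examplepolicyadmin"}            # products run by key vendors
SOURCE_ACCURACY = {"vendor-feed": 0.9, "sector-sharing-group": 0.8, "open-forum": 0.4}
MIN_ACCURACY, MIN_SOURCES, SPIKE_FACTOR = 0.7, 2, 3.0

@dataclass
class Intel:
    title: str
    sources: tuple                    # platforms that reported the item
    products: frozenset = frozenset() # affected products named in the report
    active_attacks: bool = False
    exploit_code: bool = False
    phishing_today: int = 0
    phishing_daily_avg: float = 0.0
    high_profile: bool = False

def triggers(item):
    """Return the escalation triggers an item satisfies."""
    hit = []
    if item.active_attacks:
        hit.append("active-attacks")
    if item.exploit_code:
        hit.append("exploit-code")
    if item.products & (ASSETS | SUPPLY_CHAIN):
        hit.append("inventory-match")
    if item.phishing_daily_avg and item.phishing_today >= SPIKE_FACTOR * item.phishing_daily_avg:
        hit.append("phishing-spike")
    return hit

def triage(item):
    """Apply credibility, relevance and corroboration, then pick a disposition."""
    credible = max((SOURCE_ACCURACY.get(s, 0.0) for s in item.sources), default=0.0) >= MIN_ACCURACY
    corroborated = len(set(item.sources)) >= MIN_SOURCES
    hit = triggers(item)
    if credible and "inventory-match" in hit:
        return "fast-track", hit              # touches own stack or supply chain
    if credible and corroborated and hit:
        return "assess", hit                  # real signal, no direct exposure yet
    if item.high_profile:
        return "preparedness-response", hit   # low direct risk, still communicate
    return "noise", hit

SAMPLE = [  # constructed intel items
    Intel("VPN flaw", ("vendor-feed", "sector-sharing-group"), frozenset({"examplevpn"}), True, True),
    Intel("Credential lure wave", ("vendor-feed", "open-forum"), phishing_today=40, phishing_daily_avg=10),
    Intel("Breach at unrelated retailer", ("open-forum",), high_profile=True),
    Intel("Unverified rumour", ("open-forum",), frozenset({"otherproduct"}), exploit_code=True),
]
```

Recording which triggers fired alongside the disposition gives the consistency and clear communication the paragraph calls for: the same inputs always yield the same, explainable outcome.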

Regarding the function of automation and AI, Mocarski noted his organization was a proactive adopter of generative AI. They currently apply it to areas offering quick benefits, such as condensing lengthy threat reports, pulling out key indicators and attack methods, and connecting these discoveries to their unique environment. The results are on par with traditional methods but are achieved much faster and with less repetitive effort. The upcoming phase involves weaving AI into daily triage operations. This means feeding the system tailored threat intelligence along with contextual data on essential partners, hardware, and software. The objective is to generate an initial assessment that outlines relevance, probable attack vectors, and suggested next steps. Automation will manage data enrichment and sandbox testing, freeing analysts to concentrate on quality checks, communication, and remediation. Success is measured by concrete metrics like reduced triage time, a better signal-to-noise ratio, and more time dedicated to strategic decisions instead of data processing.

Considering the deeply interconnected nature of the insurance ecosystem, involving underwriters, brokers, and external data handlers, Mocarski explained how a continuous improvement philosophy extends beyond their own digital borders. Third-party risk management is treated as a dynamic, ongoing program, not a single checkpoint. Because many security incidents begin with partners or service providers, their vendor risk protocols have evolved and are now embedded within the technology procurement lifecycle. They evaluate potential risks early by scrutinizing solution architecture, data needs, and integration methods. At Sammons Financial, they are developing a program that scores partners across several criteria, including business importance, the nature of shared data, and its geographic journey. They also factor in insurance regulations, AI usage policies, data handling rules, and contractual obligations like breach notification agreements and audit rights. The aim is not to eliminate all risk, but to enable well-informed decisions and demonstrate consistent, documented progress over time.

Reflecting on a pivotal lesson, Mocarski stated that the non-negotiable practice is conducting threat assessments daily. While his team learned this from observing the misfortunes of others rather than a direct catastrophe, the relentless tempo of breaches, exploits, and vendor alerts made periodic reviews insufficient. They instituted a daily rhythm with clear ownership, established escalation criteria, and standardized playbooks for triage and internal communication. This consistent discipline has significantly boosted their readiness and minimized vulnerabilities.

Looking ahead, Mocarski predicts the next significant threat evolution will transcend the insurance industry. Adversaries will employ agentic AI to conduct comprehensive, automated cyber-attacks from start to finish. While the stages of an attack will remain familiar, the alarming differentiator will be the velocity, potentially compressing a full-scale data breach or ransomware event into a dramatically shorter timeframe. To prepare for this, his strategy concentrates on three critical areas:

  1. Selecting the right partners. The future conflict will be AI against AI. They seek partners with a substantive, evolving AI strategy, proven enhancements in AI-driven detection, and a development roadmap that matches the pace of attacker innovation. They demand ongoing proof of control effectiveness, moving beyond yearly assessments.
  2. Proactive planning and unambiguous action thresholds. Clear, pre-defined criteria for action are essential to respond at the required speed.
  3. Well-rehearsed response plans. Regular practice and simulation ensure the team can execute with speed and clarity during a real crisis.

Mocarski concluded that this challenge is as much a business issue as a technical one. Proactive planning, unambiguous action thresholds, and well-rehearsed response plans will dictate their ability to compete with AI-empowered opponents. While no strategy can perfectly anticipate every crisis, thorough preparation and deep integration provide the essential speed and clarity needed when it counts.

(Source: HelpNet Security)
