Riskaware by Riskassure Solves a Unique Problem
By Dan K. Anderson vCISO and On-Call Roving Reporter, Cyber Defense Magazine
In preparing for this article, I met with Larry Faragalli, Keith Huckaby, and Duane Tursi, Founders of Riskassure. They have created a unique product to address a significant deficiency in the Cyber Insurance Underwriting space. Why it resonated with me personally is that I’ve had to answer many Cyber Insurers’ questionnaires, which have gone from a dozen questions to more than 250 questions in the last 5 years.
The lack of standardization on the questions, what evidence is collected, etc., can be difficult for CISO’s and their teams, not to mention the inherent fear that a question answered incorrectly may invalidate the Cyber Insurance or make it not able to be used when needed.
Here is what I learned from the Founders of Riskassure:
Our Solution is Two-fold: one for businesses, one for cyber insurance carriers. We try to help them work collaboratively:
The central issue is that no business can tell you how much cyber information risk they have, what its value is, or where it lives.
With this lack of visibility, it is impossible to make informed decisions about how much cyber insurance you need, leaving most businesses profoundly underinsured and vulnerable to business-ending cyber events.
The fundamental problem with today’s cybersecurity insurance offerings, is that neither insurance companies nor their business customers have accurate data about sensitive information risk to make or buy truly relevant products.
This problem is the result of a deep data deficiency on behalf of cyber insurance carriers.
Unlike other lines of business, carrier cyber security practices have little tangible knowledge about their customer’s data footprint, history, information risk value and rely heavily on customer attestation throughout the underwriting process. At the same time, it’s difficult for cyber insurers to understand demand when the buyers themselves are still trying to figure out both their exposure and their buying appetites.
Furthermore, creating differentiated products that customers actually want remains elusive.
Simply put: Do you know how much sensitive information you have and how much it would cost if it were found outside your custody? Riskassure does.
Several years ago, we identified a significant data deficiency in the cyber insurance underwriting space. We believe that businesses and insurance companies need to understand the amount or value of the data they want to insure or protect. With today’s standard practices and available tools, at best, they are guessing the appropriate amount of insurance coverage they need. This uncertainty has resulted in many businesses needing help to obtain cyber insurance or in being drastically under- or over-insured.
RiskAssure’s work has identified a substantial amount of “off-balance sheet” liability that businesses maintain in the form of sensitive information value, should their data be breached and found outside their custody by regulators.
To address this issue, we developed RiskAware, which can be installed for free, or with a nominal annual per-device cost for our most frequent and robust reporting features. All subscription types can be mixed and matched to cover your specific needs and budget. Our solution, designed with simplicity and affordability in mind, helps you scan every machine it is installed on, identifying every instance of PII and PHI and calculating the precise finable value of that data down to the penny. Depending on the subscription level, our software can perform scans every six months, weekly, or in real-time, giving business leaders control over their data valuation and protection level. We’re balancing scanning frequency, which increases computational cost, against budget, making our solution extraordinarily accessible and affordable to every business size. This granular resolution down to the device level gives insurance underwriters the ability to deliver unique and innovative insurance products like key-device, department-level or even variable cyber policies rather than today’s ‘all-or-nothing’ offerings.
RiskAware also identifies duplicates of sensitive information (files) and local repositories of cloud files, and provides precise file path locations that enables users to find and delete data that is less frequently used. It includes capabilities for detecting anomalous activity, such as significant movements of sensitive data on and off a monitored device, and alerts users to potential issues. Fully secure and end-to-end encrypted, our solution does not duplicate data or create additional potential breach liability, ensuring that data transmission is completely protected.
Dan: What is the nature of the problem you solve? What should we be worried about?
In today’s digital landscape, cybersecurity fears are at an all-time high, with the frequency and sophistication of cyberattacks continually rising. RiskAware directly addresses these concerns, providing robust analysis and a much-needed peace of mind. The total cost of cybercrime globally reached $8 trillion in 2023 — and is predicted to hit $10.5 trillion by 2025, per the 2023 Ipsos Poll. Furthermore, the global average cost of a single data breach is at $4.45M, according to IBM. These attacks not only cause immediate financial damage but also inflict long-term reputational harm.
Our solution not only empowers carrier underwriters up-front during a discovery and underwriting process, but also empowers business leaders on an ongoing basis by offering continuous monitoring and real-time updates on the volume and value of a company’s sensitive data. This proactive approach ensures that they are always prepared and protected, putting them in control of their sensitive information while driving user-based cyber hygiene behavior. Businesses can manage their data footprint to an intentionally decided upon amount of value (baseline) and empower the team to manage to that value.
Ransomware has become one of the most dreaded forms of cybercrime. Once considered a separate issue from data breaches, the two have now converged. Over the past year, cybercriminals have increasingly used data breaches as extortion, threatening to leak sensitive information unless a ransom is paid. This change in tactics has made it even more critical for businesses to have comprehensive cybersecurity measures in place. By inspiring action and behavior changes, our tool helps mitigate damage if an attack occurs, giving business leaders the confidence to operate without the constant fear of a cyber incident.
By offering targeted device coverage and the ability for cyber insurers to insure specific departments, our innovative approach to surfacing detailed underwriting information for cyber insurance provides a much-needed solution in an uncertain digital-first world. Businesses can no longer afford to view cybersecurity as a secondary concern. With our tool, you can implement a holistic multi-tiered cyber defense strategy that ensures your organization has the appropriate protocols in place.
Dan: What does Gartner say about you? Why?
We have not yet engaged in analyst relationships, yet, but we are open to it.
Dan: Why is your solution better?
The state of today’s cybersecurity policy underwriting involves a series of questions, attestation, and possibly interviews focused on operational processes and procedures. This is an analog approach to a digital problem. RiskAware helps identify sensitive information and quantifies its value.
The RiskAware solution leverages a frictionless implementation approach by end users or silent enterprise deployments, that delivers results in minutes and hours (very short time to value – TTV). Most of the available solutions in the market require weeks and months of implementation with expensive consulting services, complex license models, etc.
Dan: How does your solution fit into a company’s Cyber stack? What does it pair well with?
RiskAssure is a stand-alone solution today. Today’s cybersecurity defense strategy needs to be holistic and tiered. The tools and processes implemented by most businesses are good, and we did not seek to re-implement those, instead, we intentionally filled what we believed to be a gap: employee awareness & cyber hygiene, optimization (reduction) of sensitive information footprint, + a right-sized cyber insurance policy. As you see below, the first two are generally well-implemented, while we believe there remains opportunities for improvement in the latter 3, and RiskAware addresses this perceived gap.
As such, RiskAware pairs well with end user cyber hygiene initiatives, optimizing sensitive information footprints and businesses seeking right-sized cyber policies.
Dan: How are you funded?
We are proudly founder-funded, which has given us the freedom and flexibility to develop our product and achieve significant indications of market traction. As a group of seasoned leaders who run other successful businesses, we’ve been able to approach this venture with patience and thoroughness. This isn’t just another project for us — it’s a passion driven by our genuine belief that we can transform the cyber insurance industry.
As we now contemplate what our capitalization will look like, we’ve been doing our homework to ensure we’re making the best decisions for RiskAssure’s future. We’ve seen the impact we can have and the demand for innovative solutions in the cyber insurance sector. This solid foundation and our commitment to innovation position us well for the next phase of growth, where we can continue to push boundaries and set new standards in the industry. We suspect this will entail a level of partnership with industry, capital, or both.
Dan: What is your 3 year product roadmap?
Currently, we are focused on serving small and medium-sized businesses, but we are increasingly being pulled into the enterprise market. Larger organizations have shown strong interest in RiskAware, especially as they seek more advanced features and better segmentation of devices. This shift validates the versatility and scalability of our product. We recently completed a robust implementation of our subscription model, which now allows businesses to mix and match different tiers to suit their specific needs and budget. This flexibility ensures that our customers can optimize their cybersecurity strategies in the best way for their business.
Looking ahead, our vision is to incorporate enterprise- and carrier-specific features and explore international markets, while maintaining our strong US base. We envision leveraging large language models (LLMs) to underwrite the cyber insurance process once our network has sufficient devices. This advancement will significantly enhance the precision and efficiency of our offerings. We are currently providing an admin view on the enterprise side, but we are considering the benefits of giving every user their own view to drive better and proactive cybersecurity hygiene practices. This end-user perspective could empower employees to take a more active role in maintaining their device security, thereby strengthening the organization’s overall cybersecurity posture. Businesses are only as strong as their weakest link; and that may include their supply chain and customers.
Another critical aspect of our work is addressing cyber insurance carriers’ lack of historical data. We plan to do this by amassing comprehensive information on end-user behavior and cyber hygiene. Our approach involves deploying advanced data collection tools and techniques that respect user privacy and comply with data protection regulations. We aim to influence positive practices and demonstrate our ability to maintain and even improve the security of sensitive information.
Dan: How do you keep your Keyman developers around?
We retain our key developers by creating an environment where they can thrive both professionally and personally. Our team gets to work on innovative and exciting projects that hold their interest and allow them to exercise their creativity. We believe in giving our developers the space to take chances and experiment, which not only keeps them engaged but also fosters a culture of innovation and continuous improvement.
We also support hybrid and flexible work models, empowering our team to balance their professional and personal lives effectively. We’ve implemented a four-day workweek, which has been a significant factor in maintaining high morale and productivity. Our company culture emphasizes work-life balance, collaboration, and mutual respect, making it an attractive place for our devs to grow and stay committed.
Dan: Tell me about a customer who implemented your solution and what metrics show they are happy with the solution.
Customer A:
Small business in the medical space was in the market to add a cyber insurance policy to further bolster their security posture. They solicited quotes from a variety of carriers and chose not to purchase due to the cost of premiums. Six months after the quotes, they learned about RiskAware and decided to deploy it on their devices. Equipped with new information about their environment and the old quotes, they reengaged the carriers and selected and purchased a policy with the same coverage for 39% lower premium! The carriers factored the new information they had, and saw that the customer reduced their information footprint (before/after) since deploying RiskAware.
Customer B:
One of RiskAware’s major success stories involves an insurance carrier with thousands of agents. This carrier faced significant challenges due to the diverse levels of IT sophistication among its non-exclusive agents, who also sell other types of insurance. This variation in IT capabilities led to frequent breaches, approximately one per month, causing considerable concern for the carrier regarding its brand reputation and the security of its sensitive information.
Before implementing RiskAware, the carrier needed help determining how much of its sensitive data was exposed in environments beyond its control. It also needed a robust system to monitor and manage these risks effectively. Our solution provided them with the required comprehensive oversight, significantly enhancing the organization’s ability to track and protect its data across all agents and brokers.
The results have been outstanding. With our tool in place, the carrier has seen a dramatic reduction in the amount of sensitive information carried among their brokers. They now have real-time insights into the security status of their sensitive information, which has helped mitigate the risk of exposure and strengthen their overall cybersecurity posture. This newfound visibility has protected their brand reputation and provided peace of mind, knowing that their data is secure. The carrier’s satisfaction is evident in their continued use of our solution and the positive feedback we receive.
Additional Background Info
Where we are currently:
Our company recently emerged from stealth mode after a few years of intensive research, development, and beta testing. Our solution is now installed on several thousand machines. We successfully completed a seven-figure paid pilot with a large carrier network, assisting them in determining the appropriate amount of cyber insurance to mandate for their brokers and agents. Additionally, we are an endorsed and advertised member benefit for more than 30,000 members of a prominent Michigan-based professional organization.
We are actively engaged in discussions with various insurance and reinsurance companies to integrate our tool with existing cyber policies and to develop innovative new cyber insurance products, similar to a blood test for life insurance policies or the Progressive safe driver program for auto insurance. These new products include cyber plans for “key devices”, department-level policies and even policies that flex seasonally to meet changing needs. Furthermore, we are in discussions with government officials regarding the deployment of our solution to state-owned machines, ensuring comprehensive cybersecurity measures across public sector devices.
Recently, we declined a generous offer from a capital group. Despite the attractive terms, we felt that the group misunderstood our platform and would not have been good stewards of our vision and mission. We remain committed to finding partners who align with our goals and values, ensuring that our innovative solutions continue to advance and protect the industry effectively.
“A couple technology experts met with an insurance specialist who pinpointed a significant problem within a certain domain that had been overlooked. It turned out to be a much larger issue than initially realized. We collaborated and discovered an opportunity to streamline and automate a complex problem and workflow using technology.” – Keith Huckaby, Co-founder & Partner
In conclusion, Riskaware by Riskassure solves a unique problem and there is nobody else that I’ve been able to find addressing this space. Its, timely, innovative, and needed. Hats off to the Riskassure Team!
About the Author
Dan K. Anderson
Winner Top Global CISO of the year 2023
Dan currently serves as a vCISO and On-Call Roving reporter for CyberDefense Magazine. BSEE, MS Computer Science, MBA Entrepreneurial focus, CISA, CRISC, CBCLA, C|EH, PCIP, and ITIL v3.
Dan’s work includes consulting premier teaching hospitals such as Stanford Medical Center, Harvard’s Boston Children’s Hospital, University of Utah Hospital, and large Integrated Delivery Networks such as Sutter Health, Catholic Healthcare West, Kaiser Permanente, Veteran’s Health Administration, Intermountain Healthcare and Banner Health.
Dan has served in positions as President, CEO, CIO, CISO, CTO, and Director, is currently CEO and Co-Founder of Mark V Security, and Cyber Advisor Board member for Graphite Health.
Dan is a USA Hockey level 5 Master Coach. Current volunteering by building the future of Cyber Security professionals through University Board work, the local hacking scene, and mentoring students, co-workers, and CISO’s.
Dan lives in Littleton, Colorado and Salt Lake City, Utah and can be reach through linkedin.com/in/dankanderson
Source: www.cyberdefensemagazine.com