When every day is threat assessment day

In this Help Net Security interview, Paul J. Mocarski, VP & CISO at Sammons Financial Group, discusses how insurance carriers are adapting their cybersecurity strategies. He explains how ongoing threat assessments, AI-driven automation, and third-party risk management help maintain readiness.

Mocarski also shares how collaboration, integration, and disciplined response are shaping the industry’s defense against next-generation attacks.


When you conduct ongoing threat assessments, what signals or patterns are you paying closest attention to, and how do you separate meaningful indicators from background noise?

Threat assessment is a daily, ongoing discipline for the life insurance and annuity industry. It is not an occasional activity and it is never complete. At Sammons Financial Group, we look first at three primary industry factors: the credibility of the source, the relevance to, and impact on, our environment, and corroboration across many diverse platforms. We consume intelligence from vendors, partners, industry groups, and open sources. We then weigh this insight by track record and validate through independent sources.

Financial services, especially the life insurance and annuity industries, overlap with our tech stack and any software or vendor we actively use. If there’s a match to our environment or supply chain, we escalate immediately for risk evaluation and response planning. We define triggers to separate signal from noise. This can include evidence of active exploitation, available exploit code, alignment with our asset inventory, or phishing spikes.

High profile events can generate internal concern requiring a response strategy, even when our risk is low. Responding is part of readiness and can alleviate internal concern. Our goal is two-fold: consistency and clarity. We validate sources, map to our environment, apply thresholds, and act with discipline.

What role does automation and AI play in identifying emerging threats or blind spots in your security posture?

We were early adopters of generative AI and today use it where it can add immediate value. This includes summarizing breach and threat reports, extracting indicators and techniques, and aligning findings to our specialized environment. The quality of outcomes is comparable to our traditional approach, and with AI, can now take a fraction of the time and reduce duplicate work.

Our next step is to embed AI into daily triage. We do so through providing curated threat feeds and context on key partners, hardware, software, and software-build data. The end game is to produce a first pass assessment that includes relevance, likely exposure paths, and recommended actions. Automation will handle enrichment and sandboxing while our analysts perform quality control and focus on communication and remediation. We measure success in tangible ways as defined by faster time-to-triage, better signal-to-noise, and more time spent on decisions rather than data wrangling. This is where AI offers the greatest promise.

Given how interconnected the insurance industry is, with underwriters, brokers, and third party data processors, how do you extend your continuous improvement mindset beyond your own perimeter?

Managing third-party risk is also an ongoing, living program; it is not a one-time assessment. Many of the events we analyze originate with partners or service providers, so our original vendor risk work has matured and is now anchored in our technology acquisition process. We assess solution risk up front through understanding architecture, data requirements, and integration points.

At Sammons Financial Group, we are building a third-party program that risk ranks partners across multiple dimensions, from business criticality to the data we share and where it travels. Applicable state insurance regulations, AI usage restrictions and data handling, and legal and contractual controls (e.g. breach notification SLAs, right-to-audit, and sub-processor transparency) are also weighed. Surprisingly, the objective is not zero risk but rather the ability to make informed decisions and document steady, continuous improvement over time.

Looking back, what’s one lesson your team learned the hard way that fundamentally changed how you approach threat assessments now?

Simply put, threat assessments must be done every day. We have been fortunate not to learn it through a major incident; we observe and learn from others’ experiences. Yet the pace of breaches, exploits, and vendor advisories makes ad hoc reviews unacceptable. We moved to a daily cadence with ownership, defined escalation thresholds (e.g. active exploitation, overlap with our stack or vendors, exploitable paths), and standard playbooks for triage and communication. Consistency has improved our readiness and reduced exposure.
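The escalation logic Mocarski describes in this answer and in the first one (credibility of the source, overlap with the asset inventory or supply chain, corroboration, and hard triggers such as active exploitation or public exploit code) can be written down as a small triage rule set. The following is an added illustration, not Sammons Financial Group's tooling: the advisory structure, the inventory, the source weights and the score threshold are all constructed assumptions chosen to show how thresholds separate signal from noise.

```python
"""Daily threat-feed triage with explicit escalation thresholds (illustrative)."""
from dataclasses import dataclass, field


@dataclass
class Advisory:
    """One item from a threat feed. Constructed shape, not a real feed format."""
    advisory_id: str
    product: str                  # product name as the feed reports it
    source: str                   # feed that reported the item
    exploited_in_wild: bool = False
    exploit_public: bool = False
    corroborated_by: set = field(default_factory=set)  # other feeds reporting the same item


# Constructed inventory: products we run, and third parties in the supply chain.
ASSET_INVENTORY = {"acme-vpn-gateway", "example-email-filter", "widget-db"}
SUPPLY_CHAIN = {"thirdparty-claims-processor"}

# Constructed source track record: a weight in 0..1 that discounts unreliable feeds.
SOURCE_WEIGHT = {"vendor-psirt": 1.0, "isac-feed": 0.9, "open-blog": 0.4}

ESCALATE_SCORE = 60  # assumed threshold; above it the item goes to risk evaluation


def _overlaps(adv: Advisory) -> bool:
    return adv.product in ASSET_INVENTORY or adv.product in SUPPLY_CHAIN


def score_advisory(adv: Advisory) -> tuple[int, list[str]]:
    """Return (score, reasons). Items with no overlap score 0 and are noise."""
    reasons: list[str] = []
    if not _overlaps(adv):
        return 0, ["no overlap with inventory or supply chain"]
    in_env = adv.product in ASSET_INVENTORY
    score = 30 if in_env else 20
    reasons.append("in asset inventory" if in_env else "in supply chain")
    if adv.exploited_in_wild:
        score += 40
        reasons.append("active exploitation reported")
    if adv.exploit_public:
        score += 20
        reasons.append("public exploit code")
    # Corroboration: each independent confirming feed adds credibility (capped).
    corroboration = min(len(adv.corroborated_by), 3) * 5
    if corroboration:
        reasons.append(f"corroborated by {len(adv.corroborated_by)} other source(s)")
    score += corroboration
    # Discount by the reporting source's track record; unknown sources get 0.5.
    score = round(score * SOURCE_WEIGHT.get(adv.source, 0.5))
    return score, reasons


def should_escalate(adv: Advisory) -> bool:
    """Threshold rule plus one hard trigger that bypasses the score."""
    score, _ = score_advisory(adv)
    # Active exploitation of something we run escalates even from a weak
    # source: validation happens during risk evaluation, not before it.
    if _overlaps(adv) and adv.exploited_in_wild:
        return True
    return score >= ESCALATE_SCORE


def triage(feed: list[Advisory]) -> list[dict]:
    """Rank a day's feed and keep only the items that cross a threshold."""
    rows = []
    for adv in feed:
        score, reasons = score_advisory(adv)
        if should_escalate(adv):
            rows.append({"id": adv.advisory_id, "score": score, "reasons": reasons})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample feed for one day.
SAMPLE_FEED = [
    Advisory("ADV-1", "acme-vpn-gateway", "vendor-psirt", True, True, {"isac-feed"}),
    Advisory("ADV-2", "unrelated-cms", "isac-feed", True, True),          # not in our stack
    Advisory("ADV-3", "thirdparty-claims-processor", "open-blog", False, True),
    Advisory("ADV-4", "widget-db", "open-blog", True, False),             # weak source, hard trigger
    Advisory("ADV-5", "example-email-filter", "isac-feed", False, True, {"vendor-psirt", "open-blog"}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FEED):
        print(row["id"], row["score"], "; ".join(row["reasons"]))
```

ADV-2 is a loud item that does not touch the environment and is dropped outright; ADV-4 comes from a low-credibility source and scores below the threshold, yet still escalates because active exploitation of a deployed product is a hard trigger. The ordering of the remaining rows is what an analyst would review first.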

If you had to predict the next major evolution in threats against insurance carriers, what would it be, and how are you preparing for it?

The next major evolution in cyber risk is broader than the insurance space. Attackers will use agentic AI to orchestrate end-to-end data cyber-attacks. Cyber attacks will mature yet still include reconnaissance, phishing, initial access, privilege escalation, and exfiltration at machine speed. The real concern is speed. The downside to AI is this speed, allowing an end-to-end data breach or ransomware attack in a fraction of the time of a traditional hacker.

Our response must be equally disciplined and fast. That is why we are focused on three areas:

  • The right partners. The future is AI versus AI. We need partners with a credible, ongoing AI strategy. That requires demonstrable detection improvements driven by AI and a roadmap that keeps pace with attacker innovation. We also expect continuous evidence of control performance, not annual snapshots.
  • Integrated defenses. Speed requires interoperability. Where possible, our partners’ solutions must integrate. This includes shared telemetry, open APIs, common schemas, and playbooks that pass context and actions across tools. Fragmented controls create delays. Integrated controls shorten detection and response cycles across identity, endpoint, email, network, and cloud.
  • Automated response at the edge. A lightning fast attack demands a lightning fast defense. We are expanding automation with human-in-the-loop safeguards that include preapproved playbooks for high confidence scenarios (e.g., isolating endpoints, revoking tokens, suspending risky identities), graduated actions based on risk, and continuous measurement of time-to-detect and time-to-respond. The goal is to reserve human judgment for the exceptions while machines handle the routine at speed.

As with any major risk, this is a business issue as much as a technical one. Proactive planning, clear thresholds, and rehearsed playbooks will determine whether we keep pace with AI-enabled adversaries. No plan will perfectly match the next crisis, but preparation and integration give us the speed and clarity we need when it matters most.
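The third focus area above (preapproved playbooks for high-confidence scenarios, graduated actions based on risk, and human-in-the-loop safeguards) is a dispatching problem. The block below is an added example, not Sammons Financial Group's automation: the alert shape, playbooks, confidence thresholds and the circuit-breaker limit are constructed assumptions, and "executing" a step only records it.

```python
"""Graduated automated response with human-in-the-loop safeguards (illustrative)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    AUTO = "auto"            # preapproved scenario: machine runs the whole playbook
    APPROVAL = "approval"    # disruptive steps wait for an analyst
    OBSERVE = "observe"      # enrichment and monitoring only


@dataclass
class Alert:
    """Constructed alert shape; real tooling carries far more context."""
    alert_id: str
    scenario: str        # maps to a preapproved playbook
    confidence: float    # 0..1 as reported by the detection source
    blast_radius: str    # "single-host", "single-user" or "shared-service"


# Preapproved playbooks in graduated order: least disruptive step first.
PLAYBOOKS = {
    "malware-execution": ["collect-triage-package", "isolate-endpoint"],
    "credential-theft": ["revoke-tokens", "suspend-identity"],
    "suspicious-login": ["require-mfa-reauth"],
}
# Steps that take a user or asset offline; never unattended below the AUTO tier.
DISRUPTIVE = {"isolate-endpoint", "suspend-identity"}

AUTO_THRESHOLD = 0.90        # assumed confidence needed for unattended action
APPROVAL_THRESHOLD = 0.60    # assumed confidence needed to queue for a human
MAX_UNATTENDED_DISRUPTIONS = 3   # assumed circuit-breaker limit per dispatcher


class Dispatcher:
    def __init__(self) -> None:
        self.unattended_disruptions = 0

    def classify(self, alert: Alert) -> Tier:
        if alert.scenario not in PLAYBOOKS:
            return Tier.OBSERVE
        if alert.blast_radius == "shared-service":
            return Tier.APPROVAL   # shared infrastructure always gets a human
        if alert.confidence >= AUTO_THRESHOLD:
            # Circuit breaker: a burst of unattended disruptive actions is itself
            # a signal (a bad rule, or an adversary steering the automation), so
            # later high-confidence alerts fall back to human approval.
            if self.unattended_disruptions >= MAX_UNATTENDED_DISRUPTIONS:
                return Tier.APPROVAL
            return Tier.AUTO
        if alert.confidence >= APPROVAL_THRESHOLD:
            return Tier.APPROVAL
        return Tier.OBSERVE

    def respond(self, alert: Alert) -> dict:
        """Split the playbook into steps run now and steps queued for approval."""
        tier = self.classify(alert)
        steps = PLAYBOOKS.get(alert.scenario, [])
        if tier is Tier.AUTO:
            executed, pending = list(steps), []
        elif tier is Tier.APPROVAL:
            executed = [s for s in steps if s not in DISRUPTIVE]
            pending = [s for s in steps if s in DISRUPTIVE]
        else:
            executed, pending = [], []
        self.unattended_disruptions += sum(1 for s in executed if s in DISRUPTIVE)
        return {"id": alert.alert_id, "tier": tier.value,
                "executed": executed, "pending_approval": pending}


# Constructed alerts exercising each tier and the circuit breaker.
SAMPLE_ALERTS = [
    Alert("A1", "malware-execution", 0.97, "single-host"),
    Alert("A2", "credential-theft", 0.75, "single-user"),
    Alert("A3", "credential-theft", 0.99, "shared-service"),
    Alert("A4", "unknown-scenario", 0.99, "single-host"),
    Alert("A5", "suspicious-login", 0.50, "single-user"),
]

if __name__ == "__main__":
    d = Dispatcher()
    for a in SAMPLE_ALERTS:
        print(d.respond(a))
```

The non-disruptive first step of each playbook (collecting a triage package, revoking tokens) runs at machine speed even when a human must approve the rest, which is what keeps time-to-respond short without letting automation suspend identities or isolate hosts on a mid-confidence alert.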
