Beyond Threat Intelligence.
Practical Resilience Lessons from SASIG at Lloyd’s of London.
Published March 21, 2026

On March 19th, 2026, I had the privilege of joining the 'Beyond Threat Intelligence' panel at the SASIG Cybersecurity Innovation in Insurance event at Lloyd’s of London. The setting was fitting—a room full of CISOs at the historic heart of risk management, all grappling with a new reality:
In 2026, resilience is no longer a technical byproduct; it is a strategic mandate.
The discussions pivoted around the many anxieties and challenges insurance leaders experience. One thematic question that surfaced a lot was: “How do we move from 'knowing about' a threat to surviving it at machine speed?”
From listening intently to speakers and audience questions, here’s a distillation of the four most pressing questions from the room that relate to my area of expertise within Cyber Threat Intelligence, and the practical 'resilience-first' answers we discussed.
These questions are paraphrased and were not specifically asked during the event itself, which was hosted under strict Chatham House rules.
1. 'How do we fix the Signal-to-Noise problem for the SOC?'
A recurring theme was the exhaustion of the SOC. CTI leaders and CISOs feel their teams could be more streamlined but are burdened by the volume of false positives and the slow delivery of intelligence data. You may recognize this if you ever think to yourself: 'We have plenty of data, but we are drowning in alerts that don’t lead to action.'
- The Intelligence Reality: KELA trending data shows that attackers are increasingly 'logging in' rather than 'breaking in.' We tracked 2.86 billion compromised credentials in 2025 alone. If your CTI is just a list of bad IPs, you are missing the identity-based 'intent' that leads to a breach.
- The Practical Pivot: Consolidate more of your threat feeds, moving from Aggregated Intelligence (tactical intelligence) to Validated Exposure Management (operational intelligence).
- Actionable Step: Stop treating every 'possible' threat as an alert. Focus your CTI team on identifying validated external exposure—specifically looking for your employees' credentials or SaaS tokens being sold on IAB (Initial Access Broker) forums before they are used.
Focus your team on maturing their prioritization based on models mapped to real-time threats, risks, exposure, potential blast radius and source.
Example:
Advanced Adversary + Confirmed Intent + Active Infrastructure + Confirmed Communications + Exposed Asset + CVSS + KEV + Asset Owner Risk Rating = Priority Score
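The prioritization formula above, sketched as an added example that is not from the article or from KELA: each factor becomes a signal normalized to 0..1 and weighted into a 0-100 score. The weights, the alert threshold, the field names and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights (not from the article); they sum to 100.
WEIGHTS = {
    "advanced_adversary": 10, "confirmed_intent": 15,
    "active_infrastructure": 15, "confirmed_communications": 15,
    "exposed_asset": 15, "cvss": 10, "kev": 10, "owner_risk": 10,
}
ALERT_THRESHOLD = 40  # assumed cut-off: below this a finding goes to backlog

@dataclass
class Finding:
    name: str
    advanced_adversary: bool = False
    confirmed_intent: bool = False
    active_infrastructure: bool = False
    confirmed_communications: bool = False
    exposed_asset: bool = False
    cvss: float = 0.0    # CVSS base score, 0.0-10.0 (0.0 when no CVE applies)
    kev: bool = False    # vulnerability is on a known-exploited list
    owner_risk: int = 1  # asset owner's rating, 1 (low) to 5 (critical)

def priority_score(f: Finding) -> float:
    """Weighted sum of the formula's factors, each normalized to 0..1."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.owner_risk <= 5:
        raise ValueError(f"out-of-range input for {f.name}")
    signals = {k: float(getattr(f, k)) for k in WEIGHTS}  # booleans -> 0/1
    signals["cvss"] = f.cvss / 10.0
    signals["owner_risk"] = (f.owner_risk - 1) / 4.0
    return round(sum(WEIGHTS[k] * signals[k] for k in WEIGHTS), 1)

def triage(findings):
    """Return (name, score, raise_alert) tuples, highest priority first."""
    scored = [(f.name, priority_score(f)) for f in findings]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(n, s, s >= ALERT_THRESHOLD) for n, s in scored]

# Constructed sample findings, not real data.
SAMPLE = [
    Finding("internal-lib-cve", cvss=9.8, owner_risk=2),
    Finding("sso-credential-for-sale", confirmed_intent=True,
            active_infrastructure=True, confirmed_communications=True,
            exposed_asset=True, owner_risk=5),
    Finding("edge-vpn-kev", exposed_asset=True, cvss=8.1, kev=True,
            owner_risk=4),
]

if __name__ == "__main__":
    for name, score, alert in triage(SAMPLE):
        print(f"{score:5.1f}  {'ALERT  ' if alert else 'backlog'}  {name}")
```

With these assumed weights, the validated credential exposure outranks the CVSS 9.8 finding that has no adversary or exposure signals, which is the shift from "possible" threats to validated exposure the section argues for.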
2. 'Is our Third-Party Risk just Security Theater?'
We talked extensively about the 'Regulated Web of Trust.' In insurance, where data is constantly shared across brokers, underwriters, and claims adjusters, a single point of failure in the supply chain can be systemic.
- The Shift: Traditional static audits are 'security theater'—they show you how a vendor looked six months ago.
- The 2026 Context: Attackers have moved to 'Upstream Exploitation,' where a single vulnerability in a shared SaaS platform provides a skeleton key to thousands of downstream environments. At the same time, Regulatory Compliance is fast evolving to mandate proactive monitoring over reactionary incident response.
- Practical Resilience: Move toward Continuous External Visibility. Assess where your suppliers, tools and resources either lack this level of visibility beyond your borders or inhibit it.
- Actionable Step: Supplement your annual vendor questionnaires with continuous attack surface monitoring of your Nth-party partners. If their external hygiene slips, your resilience posture must adjust automatically (e.g., revoking shared OAuth tokens) without waiting for the next audit cycle.
3. 'How do we survive an Availability Sabotage scenario?'
The conversation at Lloyd’s took a sobering turn toward the shift in ransomware objectives. We aren't just talking about data theft anymore; we are talking about the total halt of the business.
- The Threat: We are projecting a 45% surge in ransomware volume for 2026, with a heavy focus on professional services for adversaries to achieve their objectives.
These objectives are evolving from extortion to disruption and distraction, adapting to differing aims: sabotaging infrastructure (nation-state-sponsored goals) or masking the real objective (data exfiltration).
- The Strategy: Transition your primary success metric from 'Mean Time to Detect' (MTTD) to 'Mean Time to Protect.'
- Practical Resilience: In a machine-speed attack, a human 'kill switch' is too slow.
- Actionable Step: Map your 'Blast Radius.' Determine which critical functions (underwriting, claims processing, and policyholder data) must remain immutable. Build autonomous workflows that can isolate these segments in minutes when validated adversary communications or ransomware staging infrastructure are detected externally.
Notice I’ve purposely omitted the phrase ‘ransomware discovery’: you know when you’ve been impacted; the goal now is to get ahead.
4. 'What does Personal Resilience mean for the modern CISO?'
The most engaging part of the panel touched on a shift in the industry: the move from technical failure to personal CISO liability in the aftermath of an incident.
- The Insight: Resilience isn't just about response and recovery; it’s about the human capability to lead through a crisis. It was clear that experienced CISOs build highly diverse teams and thoroughly understand how to leverage strengths. There was much discussion on how military veterans are a secret ingredient that you may be overlooking today.
We discussed how military ‘Train as you Fight’ thinking, together with proactive defense packages such as continuous exposure discovery and advanced pen testing, supports agile OODA loop (Observe, Orient, Decide, Act) workflows that adapt. These can transform you from cyber manager to leader.
Also, unrelated to CTI but worth noting: since you're an executive, did you know that you can have independent legal representation added to your contract in the event you need to defend yourself? Get yourself some expert advice on this.
- The Goal: Bridging the gap between Cyber and the Boardroom.
- Actionable Step: Move resilience into the 'lived experience' of the company. Use gamified tabletop exercises that include the Board and non-technical department heads and members. Ensure the CEO promotes it personally, and participates in a role outside their current function.
When everyone knows their role in a 'Total Data Loss' scenario, the personal risk to the CISO is mitigated through transparent, shared governance.
Closing Thoughts: The Intelligence-Led Future
As we wrapped up at Lloyd’s, one thing was certain: 2026 will test our durability. We can no longer rely on the 'shell' of our perimeter. True resilience is the humans, the AIs, and the tools working together to establish Ground Truth Intelligence. At KELA, our role is to reveal how attackers are planning and staging their infrastructure outside your network so you can tune your defenses to dodge their bullets - optimal cyber resilience.
KELA provides executive ready, on-demand finished threat intelligence reports as a standard feature of our CTI platform. Get in touch with our experts to learn what real-time intelligence looks like, and how it can power you to anticipate, act with precision, and avoid your next cyber attack.




