Milliseconds to breach: How patch automation closes attackers’ fastest loophole

Procrastinating about patching has killed more networks and damaged more companies than any zero-day exploit or advanced cyberattack.

Complacency kills — and carries a high price. Down-rev (having old patches in place that are “down revision”) or no patching at all is how ransomware gets installed, data breaches occur and companies are fined for being out of compliance. It isn’t a matter of if an enterprise will be breached but when — particularly if it doesn’t prioritize patch management.

Why so many security teams procrastinate – and pay a high price.

Let’s be honest about how patching is perceived in many security teams and across IT organizations: It’s often delegated to staff members assigned with the department’s most rote, mundane tasks. Why? No one wants to spend their time on something that is often repetitive and at times manually intensive, yet requires complete focus to get done right.

Most security and IT teams tell VentureBeat in confidence that patching is too time-consuming and takes away from more interesting projects. That’s consistent with an Ivanti study that found that the majority (71%) of IT and security professionals think patching is overly complex, cumbersome and time-consuming.

Remote work and decentralized workspaces make patching even more complicated, 57% of security professionals reported. Also consistent with what VentureBeat is hearing from security teams, Ivanti found that 62% of IT and security leaders admit that patch management takes a backseat to other tasks.

The truth is that device inventory and manual approaches to patch management haven’t been keeping up for a while (years). In the meantime, adversaries are busy improving their tradecraft, creating weaponized large language models (LLMs) and attack apps.

Not patching? It’s like taking the lock off your front door.

Crime waves are hitting affluent, gated communities as criminals use remote video cameras for 24/7 surveillance. Leaving a home unlocked without a security system is an open invitation for robbers.

Not patching endpoints is the same. And, let’s be honest: Any task that gets deprioritized and pushed down action item lists will most likely never be entirely completed. Adversaries are improving their tradecraft all the time by studying common vulnerabilities and exposures (CVEs) and finding lists of companies that have those vulnerabilities — making them even more susceptible targets.

Gartner often weighs in on patching in their research and considers it part of their vulnerability management coverage. Their recent study, Top 5 Elements of Effective Vulnerability Management, emphasizes that “many organizations still mismanage patching exceptions, resulting in missing or ineffective mitigations and increased risk.”

Mismanagement starts when teams deprioritize patching and consider manual processes “good enough” to complete increasingly complex, challenging and mundane tasks. This is made worse with siloed teams. Such mismanagement creates exploitable gaps. The old mantra “scan, patch, rescan” isn’t scaling when adversaries are using AI and generative AI attacks to scan for endpoints to target at machine speed.

GigaOm’s Radar for Unified Endpoint Management (UEM) analysis further highlights how patching remains a significant challenge, with many vendors struggling to provide consistent application, device driver and firmware patching. The analysis urges organizations to consider how they can improve patch management as part of a broader effort to automate and scale vulnerability management.

Why traditional patch management fails in today’s threat landscape.

Patch management in most organizations begins with scheduled monthly cycles that rely on static Common Vulnerability Scoring System (CVSS) severity scores to help prioritize vulnerabilities. Adversaries are moving faster and creating more complex threats than CVSS scores can keep up with.

As Karl Triebes, Ivanti’s CPO, explained: “Relying solely on severity ratings and a fixed monthly cycle exposes organizations to unaccounted risk. These ratings overlook unique business context, security gaps and evolving threats.” In today’s fast-moving environment, static scores cannot capture an organization’s nuanced risk profile.

Gartner’s framework underscores the need for “advanced prioritization techniques and automated workflows that integrate asset criticality and active threat data to direct limited resources toward vulnerabilities that truly matter.” The GigaOm findings similarly note that, while most UEM solutions support OS patching, fewer provide “patching for third-party applications, device drivers and firmware,” leaving gaps that adversaries exploit.

Risk-based and continuous patch management: A smarter approach.

Chris Goettl, Ivanti’s VP of product management for endpoint security, explained to VentureBeat: “Risk-based patch prioritization goes beyond CVSS scores by considering active exploitation, threat intelligence and asset criticality.” Taking this more dynamic approach helps organizations anticipate and react to risks in real time, which is far more efficient than using CVSS scores.
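
An added example (not from the article or any vendor's product) of the difference described above: the same findings ranked by CVSS alone and by a score that also uses active exploitation and asset criticality. The scoring formula, the weight, the asset names and the findings are assumptions constructed for illustration; the CVE ids are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder id, constructed
    asset: str        # hypothetical asset name
    cvss: float       # static base score, 0.0-10.0
    exploited: bool   # threat intel reports exploitation in the wild
    criticality: int  # 1 (lab box) .. 5 (business-critical), from inventory


# Constructed sample data.
FINDINGS = [
    Finding("CVE-XXXX-0001", "lab-vm-07", 9.8, False, 1),
    Finding("CVE-XXXX-0002", "payroll-db", 6.5, True, 5),
    Finding("CVE-XXXX-0003", "vpn-gateway", 7.5, True, 4),
    Finding("CVE-XXXX-0004", "kiosk-12", 8.1, False, 2),
    Finding("CVE-XXXX-0005", "build-server", 5.3, False, 4),
]


def risk_score(f, exploit_weight=2.0):
    """Assumed model: CVSS scaled by asset criticality, doubled if exploited."""
    base = f.cvss * (f.criticality / 5)
    return round(base * (exploit_weight if f.exploited else 1.0), 2)


def by_cvss(findings):
    """Traditional ordering: highest static severity first."""
    return sorted(findings, key=lambda f: (-f.cvss, f.cve))


def by_risk(findings):
    """Risk-based ordering: highest contextual score first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))


def exploited_left(order, capacity):
    """Actively exploited findings still open after patching `capacity` items."""
    return sum(f.exploited for f in order[capacity:])


if __name__ == "__main__":
    capacity = 2  # patches the team can deploy this cycle (assumed)
    for name, order in (("cvss", by_cvss(FINDINGS)), ("risk", by_risk(FINDINGS))):
        queue = ", ".join(f"{f.asset}({risk_score(f)})" for f in order)
        print(f"{name:4} order: {queue}")
        print(f"     exploited still open: {exploited_left(order, capacity)}")
```

With room for only two patches in a cycle, the CVSS ordering spends both on unexploited findings, while the risk ordering closes both actively exploited ones.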

Triebes expanded: “Relying solely on severity ratings and a fixed monthly cycle exposes organizations to unaccounted risk. These ratings overlook your unique business context, security gaps and evolving threats.” However, prioritization alone isn’t enough.

Adversaries can quickly weaponize vulnerabilities within hours and have proven that genAI is making them even more efficient than in the past. Ransomware attackers find new ways to weaponize old vulnerabilities. Organizations following monthly or quarterly patching cycles can’t keep up with the pace of new tradecraft.

Gartner warns that relying on manual processes creates “bottlenecks, delays zero-day response and results in lower-priority patches being applied while actively exploited vulnerabilities remain unaddressed.” Organizations must shift to continuous, automated patching to keep pace with adversaries.

Choosing the right patch management solution.

There are many advantages of integrating gen AI and improving long-standing ML algorithms that are at the core of automated patch management systems. All vendors who compete in the market have roadmaps incorporating these technologies.

The GigaOm Radar for Patch Management Solutions analysis highlights the technical strengths and weaknesses of top patch management providers. It compares vendors including Atera, Automox, BMC client management patch powered by Ivanti, Canonical, ConnectWise, Flexera, GFI, ITarian, Jamf, Kaseya, ManageEngine, N-able, NinjaOne, SecPod, SysWard, Syxsense and Tanium.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes — balancing “maturity” versus “innovation” and “feature play” versus “platform play” — while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Gartner advises security teams to “leverage risk-based prioritization and automated workflow tools to reduce time-to-patch,” and every vendor in this market is reflecting that in their roadmaps. A strong patching strategy requires the following:

Strategic deployment and automation: Mapping critical assets and reducing manual errors through AI-driven automation.

Risk-based prioritization: Focusing on actively exploited threats.

Centralized management and continuous monitoring: Consolidating patching efforts and maintaining real-time security visibility.

By aligning patching strategies with these principles, organizations can reduce their teams’ workloads and build stronger cyber resilience.

Automating patch management: Measuring success in real time.

All vendors who compete in this market have attained a baseline level of performance and functionality by streamlining patch validation, testing and deployment. By correlating patch data with real-world exploit activity, vendors are reducing clients’ mean time to remediation (MTTR).

Measuring success is critical. Gartner recommends tracking the following (at a minimum):

Mean-time-to-patch (MTTP): The average time to remediate vulnerabilities.

Patch coverage percentage: The proportion of patched assets relative to vulnerable ones.

Exploit window reduction: The time from vulnerability disclosure to remediation.

Risk reduction impact: The number of actively exploited vulnerabilities patched before incidents occur.
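
One way to compute the four metrics above from remediation records, as an added example rather than Gartner's or any vendor's code. The record fields, the choice to measure MTTP from detection on the asset, the handling of still-open findings and the sample data are assumptions; the CVE ids are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Record:
    asset: str
    cve: str                         # placeholder id, constructed
    disclosed: date                  # public disclosure of the vulnerability
    detected: date                   # first seen on this asset by a scan
    patched: Optional[date]          # None while the finding is still open
    exploited: bool                  # known to be exploited in the wild
    incident: Optional[date] = None  # date of a related incident, if any


# Constructed sample data.
RECORDS = [
    Record("web-01", "CVE-XXXX-0001", date(2025, 1, 6), date(2025, 1, 8),
           date(2025, 1, 10), True),
    Record("web-02", "CVE-XXXX-0001", date(2025, 1, 6), date(2025, 1, 8),
           date(2025, 1, 20), True, incident=date(2025, 1, 15)),
    Record("db-01", "CVE-XXXX-0002", date(2025, 1, 2), date(2025, 1, 9),
           date(2025, 2, 1), False),
    Record("hr-laptop-3", "CVE-XXXX-0002", date(2025, 1, 2), date(2025, 1, 9),
           None, False),
    Record("vpn-01", "CVE-XXXX-0003", date(2025, 1, 14), date(2025, 1, 14),
           date(2025, 1, 15), True),
]


def patch_metrics(records, as_of):
    """Return the four tracking metrics for `records` as of a reporting date."""
    closed = [r for r in records if r.patched is not None]
    assets = {r.asset for r in records}
    open_assets = {r.asset for r in records if r.patched is None}

    # MTTP: detection on the asset to patch deployment, closed findings only.
    mttp = mean((r.patched - r.detected).days for r in closed) if closed else None

    # Coverage: an asset counts as patched only when none of its findings is open.
    coverage = 100.0 * len(assets - open_assets) / len(assets) if assets else None

    # Exploit window: disclosure to remediation; open findings run to `as_of`
    # so that unpatched assets make the number worse instead of vanishing.
    window = (mean(((r.patched or as_of) - r.disclosed).days for r in records)
              if records else None)

    # Risk reduction: exploited findings patched with no incident beforehand.
    saved = sum(1 for r in closed
                if r.exploited and (r.incident is None or r.patched < r.incident))

    return {
        "mttp_days": mttp,
        "coverage_pct": coverage,
        "exploit_window_days": window,
        "exploited_patched_before_incident": saved,
    }


if __name__ == "__main__":
    for name, value in patch_metrics(RECORDS, as_of=date(2025, 2, 3)).items():
        print(f"{name}: {value}")
```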

Automate patch management — or fall behind.

Patching isn’t the action item security teams should just get to after other higher-priority tasks are completed. It must be core to keeping a business alive and free of potential threats.

Simply put, patching is at the heart of cyber resilience. Yet, too many organizations deprioritize it, leaving known vulnerabilities wide open for attackers increasingly using AI to strike faster than ever. Static CVSS scores have proven they can’t keep up, and fixed cycles have turned into more of a liability than an asset.

The message is simple: When it comes to patching, complacency is dangerous — it’s time to make it a priority.

The cyber insurance reckoning: Why AI-powered attacks are breaking coverage (and what comes next)

Today’s cyber attacks can be paralyzing — and extremely costly — for modern enterprises. Armed with AI, hackers are exploiting vulnerabilities faster than ever.

However, standard business insurance products such as general or professional liability policies (errors and omissions, or E&O) typically don’t cover losses or damages as the result of breaches or other cyber-related incidents.

This makes cybersecurity insurance increasingly critical in 2025 and beyond, particularly as AI transforms (and simplifies) hackers’ methodologies. Cybersecurity-specific insurance policies cover a range of remediation costs and recovery efforts to help enterprises limit damage, recover faster and improve their overall cyber hygiene.

But as with any other type of coverage, cyber insurance can be complicated to navigate and full of legalese and loopholes. Let’s go over the basics, why it’s critical, what to look for and what trends to expect this year as AI takes center stage.

Typically, cyber policies offer coverage for first-party (direct losses) and third-party (outside the business) damages. General coverage includes:

Business interruptions: Lost revenue when an attack takes systems offline;

Attack remediation: Incident response, forensic investigations or system repairs;

Customer notification and reputation management: Automated alerts when people’s personally identifiable information (PII) may have been accessed; credit monitoring and breach hotlines; PR work to help repair the brand;

Legal expenses: Litigation as the result of a breach (such as lawsuits filed by individuals or vendors), what’s known as “duty to defend”;

Regulatory action: Investigations that require legal services and potential fines.

In the case of ransomware, it’s crucial to note that, while providers have covered payouts in the past, many are backing off of this practice because hackers are demanding more and regulators are scrutinizing. In some cases, coverage of payouts may be “sub-limited,” or subject to a payment cap.

“With the surge of recent ransomware attacks over the past few years, those sub-limits are getting lower and lower, which is why it’s more important than ever to review policy limits carefully,” advises law firm GB&A.

Again, as with any other type of insurance, there are exclusions. For instance, because social engineering attacks such as phishing or smishing involve user manipulation and human error, insurers often will not cover subsequent losses (or they’ll offer to do so at an additional cost). Similarly, insider threats — when employees’ malicious or negligent actions expose a business — typically aren’t covered.

Exploits of a known vulnerability that the corporation knew about but didn’t fix are often out of the coverage zone, too, as are network failures resulting from misconfigurations or other errors (as opposed to an all-out breach).

It’s critical to note that some insurers won’t even consider offering a quote unless a firm has strong security measures in place — such as zero-trust capabilities, multifactor authentication (MFA) controls, endpoint detection, detailed risk assessments and incident response plans and regular security awareness training.

To help reduce cyber insurance premiums, experts advise security leaders to proactively communicate steps the organization has taken to reduce cyber risk and adopt industry-standard frameworks like NIST or ISO 27001.

“Some insurers even offer discounts or reduced premiums for companies that can demonstrate compliance with such frameworks,” security firm Portnox points out. In the case of risk assessments, “insurers often see this as an opportunity to lower premiums, especially when the assessments are conducted by third-party vendors.”

As with any insurance contract, review policy limits carefully, GB&A advises. Policies should contain broad definitions of extortion and of threats by attackers to:

Alter, damage or destroy data, software, hardware or programs;

Perform distributed denial of service (DDoS) attacks;

Phish or otherwise spam clients;

Transmit malicious code to third parties through an enterprise’s network or website.

Policies should also include definitions of specific computer systems covered (hardware, software, firmware, operating systems, virtual systems and machines, wireless devices, and anything else associated with a network); lost income covered (operating expenses during restoration or costs to hire forensic accountants or other consultants); and data restoration covered (costs to recreate damaged or lost data).

Further, GB&A emphasizes that policies should explicitly outline coverage around extortion expenses — such as the type of digital currency or property surrendered, investigation costs and losses incurred when attempting to make payments.

“Policyholders that find themselves victims of ransomware should be extremely careful in making any payments before consulting their brokers and respective insurers,” the firm advises.

What we saw in cyber insurance in 2024 — and what we might expect in 2025.

Business email compromise (BEC), funds transfer fraud (FTF) and ransomware were the top-reported incidents in 2024. And claim amounts varied widely, from $1,000 to more than $500 million, the result of attackers stealing or breaching anywhere from 1 million to 140 million records.

Looking to the year ahead, underwriters predict an increase in premiums, . The firm points out that the most consistent coverage area requiring negotiation in 2024 was the collection of personal information without proper consent — and this will likely continue to be a highly contested area in 2025.

Also, expect continued and expanded coverage for CISOs as the result of new Securities and Exchange Commission (SEC) scrutiny — especially in light of the agency’s landmark charging of SolarWinds’ security head after the company’s notorious late-2020 hack. As Woodruff Sawyer pointed out, coverage for CISO liability can be found in cyber policies and directors and officers (D&O) policies. Some carriers are also offering standalone coverage to cover CISOs’ personal liability.

Further, carriers are requiring their clients to have a robust third-party risk management program in place. This should include requirements for vendors to purchase cyber or technology errors and omissions (E&O) insurance and provide evidence of cybersecurity certifications.

Woodruff Sawyer underscores: “The CrowdStrike [outage] in July 2024 was the latest in a notable string of incidents targeting technology companies to get access to or disrupt their customer networks. Cyber insurance carriers are looking for clients to have a robust third-party risk management program.”

This company is trying to make a biodegradable alternative to spandex

“True circularity has to start with raw materials,” says Peña. “We talk about circularity across many industries, but for textiles, we must address what we’re using at the source.”

Engineered from recombinant DNA, SELPs are copycat proteins inspired by silk and elastin that can be customized for qualities like tensile strength, dye affinity, and elasticity. Silk’s amino acid sequences—like glycine-alanine and glycine-serine—give fibers strength, while elastin’s molecular structure adds stretchiness. Combine these molecules like Lego blocks, and voilà!—at least theoretically, you have the ideal flexible fiber.

An early-stage startup, Good Fibes creates its elastics with proteins from E. coli, a common bacterium. The process involves transforming the proteins into a gel-like material, which can then be made into fibers through wet-spinning. These fibers are then processed into nonwoven textiles or threads and yarns to make woven fabrics.

Scaling, however, remains a challenge: To produce a single swatch of test fabric, Blake says, she needs at least one kilogram (approximately two pounds) of microbial material. The fibers must also be stretchy, durable, and resistant to moisture in all the right proportions. “We’re still solving these issues using various chemical additions,” she says. For that reason, she’s also experimenting with plant-based proteins like wheat gluten, which she says is available in larger quantities than bacteria.

Timothy McGee, a biomaterials expert at the research lab Speculative Technologies, says manufacturing is the biggest hurdle for biotextile startups. “Many labs and startups around the world successfully create recombinant proteins with amazing qualities, but they often struggle to turn those proteins into usable fibers,” he says.
