Cytactic helps organizations experiencing a cyberattack to manage the crisis ■ It recently raised $16.5 million ■ Shay Simkin of Cytactic’s strategic partner Howden Insurance: “These are not a couple of guys sitting in a garage, eating pizza and attacking. These are organized groups, and one needs to prepare for this.”
Assa Sasson, TheMarker
(Originally published in Hebrew in TheMarker.com, Feb 12, 2025)
Iranian hacker group “Handala” recently tweeted that it successfully broke into the systems of Harel insurance company and stole 154 gigabytes worth of data. It later turned out that the hack was not into the systems of the second largest insurance company in Israel, but into those of an insurance agency that works with Harel.
“A cyber incident can be a company’s biggest business crisis,” says Dr. Nimrod Kozlovski, founder of cyber company Cytactic, and adds: “I have been called upon many times to such incidents—a hospital whose servers had been encrypted, a tech company whose source code was stolen, an app company whose app was taken over and turned malicious.
“I managed the crisis together with management. Many consultants come to the room: the incident investigator, the technological reviewer, the intelligence person, a hacker negotiator, a lawyer, a communications person to convey messages, a business continuity person. Each consultant has their own perception of work, their own procedures, and suddenly you need all these people simultaneously. This creates chaos that could lead to terrible damage.”
What kind of damage?
Kozlovski: “Making wrong decisions about the messages that the company puts out, about its media messages, about interruption of its business continuity that causes damage, about how it communicates this to its customers. I realized that a platform was missing that would put everything in place.”
“We have a photo of your kids. We’ll come to your home”
This is how Cytactic, which provides a cyber crisis management platform, was established: “The technological platform we built helps organizations prepare for an attack, build and practice their response plans, and be ready when it happens,” explains Kozlovski.
The company raised $16.5 million in its first round; its investors include Evolution Equity Partners, which was joined by Shlomo Kramer, founder of Check Point, and Hyperwise Ventures. Cytactic is now planning a big leap forward after partnering with Howden — the world’s largest insurance broker — which will offer its clients Cytactic’s platform.
The cyber insurance market, currently valued at $15 billion annually worldwide, is growing rapidly, and is estimated to be worth more than $40 billion by the end of the decade. In the Israeli market, estimated at $60-70 million, there is a constant increase in demand for cybersecurity solutions. The increase in cybersecurity insurance premiums comes not only from an increase in the number of attacks, but also due to the rising cost of ransom and the increasing sophistication of the attacks.
What do cyberattacks look like today?
Shay Simkin, Global Head of Cyber at Howden: “Today we see double extortion or triple extortion [i.e., they demand to receive the money in installments, and with each installment they release some of the material that was encrypted by the hackers; -Ed.]. We have also seen mob methods, like threats against CEOs – ‘We have a photo of your children going to school. If you don’t pay, we will come to your house.’”
“Methods of a criminal organization”
How do you describe these groups, level-wise?
Simkin: “These are sophisticated criminals. They are all graduates of the best universities in the world in their fields, who are currently employed by these groups. These are not a couple of guys sitting in a garage, eating pizza and attacking. These are organized groups, and one needs to prepare for this.
“There is a lot of money in this industry, and the question arises whether it is worth paying and ending the incident. We don’t know, every incident is different. The average ransom has long not been $200,000. Today it is about $1.7 million in Bitcoin, and preferably in Monero [a cryptocurrency; -Ed.], which could complicate everything.”
“Together with Cytactic, we prepare for an event. In a car insurance policy, for example, you only see the agent on the day of the event. He doesn’t tell you, ‘Let’s prepare for the day of the accident.’ In the case of a cyber incident, we are involved in training and preparing customers for the day of the event.”
What is the nature of cyber attacks? Everyone is mainly familiar with ransomware attacks.
Kozlovski: “A large part of the incidents are not of blackmail, and therefore the incident cannot be concluded with payment. In many incidents, the attacker is from within the organization, or a state actor, like the Russians, and then they don’t care about payment. Sometimes a competitor initiates an attack. There are complex extortion patterns, not only ransom for the encryption of the information, but the attacker extorts for leaking information or for corrupting the information.”
“In a smart home, you can assassinate someone perfectly, without a trace”
Are there any examples of crises you have managed?
Kozlovski: “Imagine a hospital that fears that its records have been altered, and is now treating patients with supposedly incorrect records. The blackmailer asked for payment because he encrypted the information, and then it turned out that there was also a concern about medical information being corrupted. In such a situation, you may not be dealing with an extortion incident, but with an attacker whose motivation is to harm. Then you have to think about whether to halt the medical procedures or change them.”
How significant is your ability to manage an incident with such a platform, compared to a situation where a team of experts arrives and settles in the company?
Simkin: “In many events I’ve managed, I’ve seen chaos and stress. Someone comes in the dead of night and steals the company, and you have no control over it. It’s a crazy panic. We’ll insert order into the processes and procedures. We’ll document everything, because one day it could end up in other places. Everything sits on the platform in an organized manner. We’ve seen that it saves the client money, and it’s good for the insurance company. Preparing in advance gives us the peace of mind that we simply didn’t have at events in the past.”

Where can we encounter cyberattacks that are not in companies?
Kozlovski: “Smart homes, where everything is connected to the Internet. A hacker plays with your gas stove, and when you enter the house, a small spark, say from a toaster or even an electric light, is enough for everything to go up in flames. Here is a perfect assassination without a trace, which looks like a domestic accident.
“Another example: Some Israelis bought Chinese drones and discovered during the war that their drones were not functioning. The reason for this is that the Chinese company defined Israel as a No Fly Zone. You bought a drone and thought you were in control of it, but in reality it is controlled remotely and can be disabled.”
You are presenting a nightmare scenario here, but how do I know that there won’t be someone at Cytactic who will install a backdoor in my systems during the crisis? When car companies produce secured cars, all employees have a security clearance, and it’s a separate line from the production of regular cars.
Kozlovski: “We have a Highly Secured Zone where access is limited to a small team of authorized people. The programmers undergo assessments, and the software also undergoes complex processes. There is a separation between our software and the customer’s information.”
Simkin: “That bothered me, so we made sure there was a separation. At Cytactic, you can’t see my customer’s environment. Only the insurance company and the attacked company can.”
What is the business model? Where is the money?
Simkin: “We provide the customer the basic layer of the platform, which is enough for companies. At the basic level, the customer onboards the platform, chooses their response team, and if they don’t have one, we help them pick one. All relevant phone numbers are stored in several places, so that they are always accessible. And if they want additional upgrades, they pay.”