Sign in
Sign up
  • Home
  • Blog
  • Guides
  • Why Cisco’s Kenna EOL Signals a Shift for Cyber Insurance
Illustration of a cracked tombstone reading “Here Lies RBVM – December 2025,” set against a blue background with cybersecurity icons such as CVEs, warning symbols, and keys.
  • Guides, News

Why Cisco’s Kenna EOL Signals a Shift for Cyber Insurance

Underwriters should be moving away from RBVM and close to new Exposure Management techniques.
3 min read
All Posts

Why Cisco’s Kenna EOL Signals a Shift for Cyber Insurance

  • Guides, News
3 min read
Illustration of a cracked tombstone reading “Here Lies RBVM – December 2025,” set against a blue background with cybersecurity icons such as CVEs, warning symbols, and keys.

This month, Cisco announced the End of Life (EOL) for its flagship vulnerability management product, Kenna (officially known as Cisco Vulnerability Management).

At first glance, this might appear to be a routine product sunset. In reality, it marks a fundamental shift in how cyber risk is assessed, measured, and insured.

For insurance brokers, underwriters, and claims handlers, the retirement of a pioneer like Kenna is a signal that the industry is moving beyond Risk-Based Vulnerability Management (RBVM) toward a more holistic framework: Exposure Management.

What was RBVM and Why Did it Matter?

RBVM (Risk-Based Vulnerability Management) was designed to solve a specific problem: “vulnerability fatigue.” Organizations were overwhelmed by endless lists of software flaws.

The philosophy behind RBVM was that not every software vulnerability represents the same level of risk. Instead of patching everything, companies used tools like Kenna to prioritize fixes based on:

  • Threat intelligence and exploit availability.

  • Asset criticality.

  • Real-world context.

While RBVM was a massive step forward, it was built on a premise that is no longer entirely true: that an organization’s primary cyber risk sits within software vulnerabilities.

The Limits of the CVE: Why Software Flaws No Longer Define Risk

A CVE (Common Vulnerabilities and Exposures) is a standardized ID for a known software flaw. For years, CVEs were the primary entry point for attackers, making them the “North Star” for cyber insurance underwriting.

However, in modern, cloud-first environments, major incidents are increasingly bypassing software flaws entirely. Instead, they stem from:

  • Compromised identities and credential theft.
  • Excessive or “shadow” permissions.
  • Cloud misconfigurations.
  • Exposed API keys and “secrets” in code.

These are security vulnerabilities, but they are not software vulnerabilities. Because they do not have a CVE ID, traditional RBVM programs often fail to capture them.

From “Which CVE?” to “Which Attack Path?”

In today’s landscape, the question for an underwriter or broker is no longer “Which CVE is the most severe?” It must be: “Which combination of conditions creates a viable attack path with business impact?”

The Attack Path Comparison: Consider a medium-severity CVE on an isolated virtual machine. In an RBVM model, this is low priority. However, if that same machine is internet-facing and has “Identity and Access Management” (IAM) permissions to a sensitive database, it represents a critical exposure.

RBVM sees a single data point; Exposure Management sees the entire map an attacker would use to cause a claim-level event.

Comparison of RBVM Risk Formula vs Exposure Management Risk Formula. RBVM measures theoretical risk through vulnerabilities and likelihood, while Exposure Management measures actual exposure through attack paths and business impact
The paradigm shift: While RBVM (Risk-Based Vulnerability Management) focuses on the severity of a software flaw, Exposure Management evaluates the actual path an attacker takes and the resulting business impact – a critical distinction for modern cyber underwriting.

 

The Evolution of Cyber Risk

For years, the “cheese” in cybersecurity – the goal for defenders – was managing the CVE. RBVM helped organizations reach that cheese faster. But as infrastructure moved to the cloud, the cheese moved too. It now lives in the connections between systems and the permissions granted to users.

The Cisco Kenna EOL highlights that simply running toward where the cheese used to be is no longer a viable security strategy.

What This Means for Cyber Insurance Professionals

As the market shifts from vulnerability management to exposure management, insurance professionals must adapt their technical assessments:

1. For Cyber Insurance Brokers

It is no longer enough to ask a client how they score and patch software. To properly advocate for a client’s risk profile, you must ask how they manage non-CVE exposures, such as Identity and Access Management (IAM) and attack path modeling.

2. For Underwriters

Legacy scanning tools that only look for open ports and CVEs are becoming “noisy” but less predictive. Two applicants with the same RBVM maturity can have vastly different risk profiles based on their cloud configuration and “blast radius” controls.

3. For Claims Handlers

Understanding the shift to exposure management helps in post-incident analysis. Many modern claims do not originate from an unpatched server, but from a “cascading” event where a minor configuration error allowed an attacker to move laterally through an entire network.

Stay Ahead of the Cyber Risk Curve

The transition from Kenna and traditional RBVM to modern exposure management is just the beginning of a broader evolution in cyber risk. Understanding these shifts is critical for providing expert advice and maintaining a profitable book of business.

Want more insights into how evolving technology impacts cyber insurance policies?

Sign up for the Cyber Insurance Academy Newsletter to receive monthly updates on EOL announcements, emerging threats, and the latest in cyber underwriting trends.

 

 

Unlock more world-class knowledge and expertise.

Upgrade your membership to enjoy unlimited access to premium content.

Upgrade Membership

Already have an account?

Sign in
Download Now

About Cyber Insurance Academy

The Cyber Insurance Academy was cultivated by the leading minds in cybersecurity and insurance, with a mission to help cyber insurance professionals stay ahead of the curve. We aim to address the industry’s educational gap and technical challenges, while fostering a vibrant community of like-minded professionals.

 

Our first-of-its-kind online campus blends a Gold-Standard CII-CPD accredited course, expert-led certification courses, industry-leading events, a top-tier content library, and a supportive, diverse and professional network that equips you with the confidence and expertise to lead in cyber insurance and make an impact.

You may also like

All posts

Want cyber insurance updates sent straight to your inbox?

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .

Join Our Newsletter

Get the latest cyber insurance insights in your inbox

Skip to content
Cyber Insurance Academy
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.