From Cadavers to Cybercrime: Coalition Incident Response Expert Shelley Ma on Dissecting Digital Deception
Originally intent on a career in medicine and forensic science, Shelley Ma credits her ADHD for a career switch that saw her swap the mortuary for the cyber insurance space. 

Shelley Ma is a cyber forensics expert and incident response lead at Coalition. She plays a key role in supporting policyholders facing various cyber challenges and collaborates closely with the company’s in-house claims team.

Ma strategises responses to cyber incidents, ranging from everyday business email compromises to more complex issues like ransomware events, network compromises, website hacks, and insider threats. 

She says: “I’ve seen it all. As a team lead, I focus on managing the technical and analytical aspects—it’s a bit like wearing multiple hats. I’m part problem solver, part tech enthusiast, and part support system. As my boss often puts it, I’m also part therapist. Our goal is to help the client recover and remediate the incident while investigating what happened and assessing any potential risk to the client’s data. Quite often, I’m involved in ransom negotiations. It’s a challenging but highly rewarding role.”

However, her current role differs dramatically from her earlier career choices. Insurtech Insights caught up with her to find out more.

You had a very unusual job before entering into the cyber forensics space, working as a human anatomy demonstrator as part of your pre-med degree. Can you tell us about it?

My career has definitely taken a few interesting turns. I’m originally from Cape Town and went to school there, eventually finding myself at the University of Cape Town. Initially, I was on a pre-med track, working towards a medical degree. But first, that path requires you to take care of a bachelor’s of science degree. In South Africa, our medical degree is a solid six years, but by my third year, I was getting that itch to dive into the workforce. I was very sick of studying, so I couldn’t imagine doing it for another three years. And that’s when I decided to switch gears and pursue a career in forensic science, which was quite a bit shorter. I always kind of had this fascination with forensic investigations, and it made a lot of sense to me.

I ended up doing my fourth year in a medical honours programme, and as part of that programme, I majored in human anatomy, getting up close and personal with human cadavers. It was a bit of a shock at first, but I discovered I had a knack for it. I genuinely enjoyed anatomy and found it fascinating to look inside a body instead of just seeing it in a textbook. It was very interesting for me, and as luck would have it, there was a student role in the anatomy department called a “demonstrator.” So basically, you’re like a teacher’s assistant, coaching and working with first and second-year medical students in the fine art of dissection. I signed up for it, got the green light, and found myself really enjoying the role. It was a unique and quite valuable experience. I did it for one year, and in that one year of human dissection, I dissected 85 bodies, which was quite a lot. But I also quickly realised that I actually couldn’t do this for the rest of my life.

So you moved from human forensics to digital forensics, essentially. Is that because you have an investigative mindset? 

Yes, definitely. I think I always had a curious mindset. I grew up watching CSI, Law and Order, and TV shows like that, and I just remember being absolutely captivated by the investigative process. I don’t think I have that morbid curiosity or an interest in gore and guts like many folks in forensics tend to be drawn towards.

For me, it’s more about curiosity, investigation, sleuthing, uncovering, and really figuring out what somebody did, how they tried to cover their tracks, and how they obtained their desired results. The “gotcha” moment of catching someone is super exciting for me. It’s easily translatable from human forensic biology, real-world crime, to digital forensics because psychology is psychology. Cybercrime or crime is still crime. When we’re looking into the mindset and trajectory of a criminal or someone up to no good, it follows similar patterns. The process of figuring out what they did is super fascinating for me.

What changed your career trajectory specifically toward the digital space? 

When I was still in graduate school at the University of Cape Town, I discovered an opportunity to apply for the Fulbright Scholarship, which sponsors recipients to go to the United States for further graduate studies. I applied for it and was very lucky to be a recipient. The plan was for me to go to the United States to study forensic biology as part of a master’s degree. So off I went, enduring orientation for the forensic department at my new university in DC, George Washington University. 

I remember sitting in the front row, listening to programme coordinators present on their respective tracks like forensic biology, forensic toxicology, and forensic chemistry. I must admit I completely zoned out, partly due to jet lag, but also because I was starting to get a bit disinterested. Eventually, the last speaker to present was the programme coordinator of the digital forensics and incident response programme.

She talked about high-tech investigations and integrating the forensic process into investigating cyber incidents and cybercrime. I was instantly drawn in because my second love, next to forensics, was technology. I didn’t know until that moment that something existed that married forensics and tech – but I knew I had to be in it.

Right after her presentation, I went to speak to her about changing programmes, and close to completing the master’s programme, I got an internship at a small boutique forensics firm based out of San Francisco. That was my introduction and first exposure to cyber insurance because my company was on the panel for a few insurance carriers, similar to my role here at Coalition Incident Response. We assisted policyholders who experienced a cyber event.

Slowly but surely, I started to attend and speak at insurance conferences and events such as NetDiligence, finding myself more embedded in the industry as time went on, and it’s where I’ve remained ever since.

Looking at the industry from your forensic position, what are the biggest challenges that businesses are facing in terms of securing themselves?

In the realm of cyberspace, businesses grapple with significant challenges to harden their security against threats. Threat actors are becoming increasingly adept at refining their attack methods, continually adapting to bypass detection and evade controls. I’ve seen threat actors just dance around security controls. 

Their attacks evolve, becoming more persistent as they gain insights into defender and behaviour technologies. One of the critical cybersecurity trends revolves around unpatched vulnerabilities. We mentioned this in our Claims Report, but this trend holds true with the vulnerability in MOVEit and the Cl0p ransomware group exploiting thousands of organisations over the last year. 

Businesses with unresolved critical vulnerabilities are 33% more likely to experience a cyber insurance claim, highlighting the urgency of addressing and patching vulnerabilities promptly. Additionally, using outdated software compounds the risk; end-of-life software lacks support and updates from developers. The developers and companies that use them stand out as prime targets.

Our findings revealed that Coalition policyholders using end-of-life software were three times more likely to face a cyber claim. Navigating these challenges demands a proactive approach.

From a cyber insurance perspective, what challenges are companies like Coalition facing when they’re looking at clients and, generally, the advance of cyber threat actors?

So I’m not an insurance expert, but my daily work involves navigating organisations through claims and incident response processes. One concerning trend in the cyber insurance landscape is the significant increase in the average dwell time associated with funds transfer frauds or FTF events. This dwell time surged by 75%, jumping from 24 days in 2021 to 42 days in 2022. 

This prolonged dwell time poses substantial challenges for insurance providers as it makes recovering lost funds all the more challenging. The potential decline in these recoveries can have profound implications for policyholders. Moreover, this extended dwell time not only complicates the recovery process but also provides threat actors with more time to get away with the crime and retain a larger portion of the stolen funds. A 75% increase within a year, from 24 to 42 days, really underscores the urgency for the industry to find effective strategies to mitigate the impact.

When you say dwell time, can you just explain that a little bit more to me because it’s not a term I’m familiar with.

So dwell time is defined by the moment a threat actor gains access to an environment to when they actually execute the attack and the client or the company discovers it. In cases of ransomware, it’s from the moment a threat actor penetrates the network and gains access to the service and workstations to the moment they execute the ransomware, and the policyholder goes, “Oh crap, all of my files have been encrypted. We’ve got to shut everything down.”

Over time, with funds transfer frauds, it usually involves an email mailbox compromise of some kind. The threat actor comes in, accesses a mailbox, stays stealthy, and remains under the radar. They do a lot of reconnaissance, figuring out the ingress and egress of payments, injecting themselves into social engineering campaigns, and then redirecting funds. It’s not until much later that a policyholder realises funds are not being received or whomever they’re paying is not receiving their funds. That’s when they realise, “Oh, an incident has occurred.” We’re just seeing that dwell time, the time that the threat actor maintains under the radar, increase year after year.

And is that basically because they’re getting better at what they do?

A hundred percent, yes. They’re becoming so much more stealthy, and largely it’s because of what I call the irony of better security. As we’re getting better and more secure, threat actors are figuring out more innovative ways to stay stealthy, stay hidden, and even bypass security controls. They’re getting really good, but there’s also an influx of new technology they’re leveraging. For example, something as simple as generative artificial intelligence platforms like ChatGPT has really spiked in usage recently.

Threat actors, especially those coming from Eastern Europe, where English is not their native language, used to craft phishing emails that companies would train their employees to recognise based on verbiage alone. But, by using something like ChatGPT, threat actors can curate phishing emails and social engineering schemes that match the tone, verbiage, language, and stylistic writing of whomever they’re trying to mimic. It gets significantly harder for an employee to recognise that something’s gone wrong. So yeah, it’s a lot of threat actor sophistication, getting better at dancing around our security solutions, and that adds to this dwell time.

So, what solutions can help solve these problems?

Good question. So, to address cyber challenges effectively, organisations must prioritise upgrading and patching all internet-facing software, a critical step in enhancing their cyber posture. Companies equipped with robust cloud-based and offline backups tend to fare a lot better post-breach, ensuring business continuity. Fast recovery is often led by dedicated backup management teams capable of swiftly restoring normal operations. In instances where backups may not be entirely valid, having a practised incident response plan becomes crucial. 

Engaging the right parties promptly is key for effective resolution. I’d say that implementing cyber best practices for hygiene rather than planning for specific attack types is the most efficient way to fight evolving threats. For example, implementing multifactor authentication is a simple yet highly effective measure, so there’s really no excuse not to have it. Another solution that I’ve been encouraging organisations to adopt is the implementation of EDR (Endpoint Detection and Response) tools because they’re like antiviruses on steroids—much more sensitive and intelligent in detecting anomalous activities.

Keeping up with cyber tech on a personal level must be pretty challenging. How do you stay on top of it? 

Absolutely. I think this is a blessing and a curse for me because I am somebody who enjoys new things all the time. I have ADHD, so I enjoy that fast-paced evolution of the landscape. Staying abreast of rapid developments in technology is indeed a challenge, but one that I find absolutely crucial, especially in a leadership role where my team relies on up-to-date knowledge. My strategy revolves around a combination of continuous learning, industry engagement, and fostering a culture of knowledge-sharing within the team.

Firstly, I prioritise ongoing education, whether it’s enrolling in relevant courses, participating in webinars, or obtaining certifications. I make a concerted and intentional effort to deepen my understanding of emerging technologies and evolving threats. Not only does this help me stay informed, but it also emphasises the importance of continuous learning to the rest of my team. Secondly, active engagement in industry events and forums is really key. Attending conferences, participating in discussions, and networking with professionals in the field provide valuable insights into the latest trends and best practices, as well as real-world challenges. It’s an opportunity to exchange ideas and learn from others.

I also try to foster a collaborative environment within the team. Encouraging open communication and knowledge-sharing ensures that everyone contributes to our collective understanding. This collaborative approach accelerates our learning curve and cultivates a culture of adaptability and innovation. In essence, my strategy revolves around a dynamic approach of continuous learning, industry interactions, and internal collaboration, helping me keep pace with tech and the ever-changing landscape.

Has ADHD also played a role in your career choice? 

It absolutely has. I have to say that one of the drivers that led me out of traditional forensics or physical forensics was the pace of the cases. Working on a case in traditional forensics meant not seeing it to fruition or completion until a year, or even two years later, once the investigation had wrapped up. As a forensic investigator, you don’t really see that conclusion; you don’t witness it hitting the court.

But in cyber or digital forensics, the cases turn around very quickly. We’re talking usually about a week or up to two months in the more complex cases. It’s great to see it from soup to nuts, from beginning to end, and to be part of that process where it’s high pressure and full stress right in the beginning, when a company is having the worst week of their lives, up until when they’re back up and running, recovered, and really grateful for your assistance. I think it’s a really rewarding experience.

Now, just changing tack just a little bit, are there many women entering the cyber forensic space? Are you a bit of a lone wolf, or is it something that’s becoming more popular?

I love this question. Yes, we are starting to see a positive shift with more women entering the cyber forensic space. While it’s true that the field has historically been male-dominated, there’s a growing recognition of the importance of diversity and efforts being made to encourage and welcome more women into the career path. As for my personal experience, I wouldn’t say I’m a lone wolf, but I’ve certainly been part of a minority. However, the landscape is changing, and it’s awesome to witness an increasing number of talented women joining the ranks. To attract more women to this field, I really believe that a multifaceted approach is essential.

So, we need to promote awareness of the diverse opportunities within cyber forensics. Many women may not be familiar with the breadth of roles available here, so highlighting the various aspects of the field is important. Mentorship programs can also play a pivotal role. In my own career trajectory, it was very important for me to have been mentored by experienced professionals regardless of gender. We need to see more people mentoring and guiding aspiring women in the field, providing valuable insights and support. It’s essential to create a network where women feel empowered and encouraged to pursue and thrive in cyber forensics.

I think another element that’s important is breaking down the stereotypes and dispelling the myths around the industry. Cyber forensics is not exclusive to a particular gender. In fact, technology, in general, is not exclusive to a particular gender. Showcasing successful women in leadership roles can serve as inspiration. From my own experience, for example, during orientation at that university, all of the folks that went up beforehand in all of the other forensic tracks were all men in lab coats. The only woman to go up and present was the programme coordinator of digital forensics. That was extremely inspiring for me—to see a woman in tech, in a traditionally male-dominated role and traditionally male-dominated industry. And that really spoke to my subconscious.

Also, fostering an inclusive workplace is very, very much key. Creating an environment where diversity is celebrated, everyone feels valued and respected, and everyone contributes equally really attracts and retains talents from all walks of life—including neurodiverse individuals and people on all aspects of the gender spectrum. While the journey towards gender diversity in cyber forensics is ongoing, there is a positive momentum. By collectively addressing awareness, we can continue to encourage more women to explore this exciting and impactful field.

What’s new on the horizon for Coalition?

Currently, our focus includes vigilant monitoring of emerging critical threats. So our innovation centre, called Coalition Security Labs, is actively tracking the latest zero-day critical vulnerability in SysAid, which is quite reminiscent of the MOVEit compromise. We’re definitely on edge. We’ve already notified affected policyholders, and through incident response teams, we’re actively assisting those running the impacted version of SysAid in following the suggested guidance.

What inspires you in insurtech today?

Insurtechs are disrupting and transforming the traditionally stable insurance industry. Integrating advanced analytics, artificial intelligence, and technology is helping insurtechs reshape risk assessments, enhance efficiency, and cultivate innovation. Insurtechs focus on customer centricity, and the new user experiences are redefining how individuals interact with and perceive insurance. It’s about marrying traditional risk management with cutting-edge technology, creating a more responsive, adaptive, and innovative insurance landscape.

Interview by Joanna England

Joanna England is an award-winning journalist and the Editor-in-Chief for Insurtech Insights. She has worked for 25 years in both the consumer and business space, and also spent 15 years in the Middle East, on national newspapers as well as leading events and lifestyle publications. Prior to Insurtech Insights, Joanna was the Editor-in-Chief for Fintech Magazine and Insurtech Digital. She was also listed by MPVR as one of the Top 30 journalists in Fintech and Insurtech in 2023.
