Cyber Insurance Security Assessment
A high-level risk assessment for insurance underwriting
BENEFITS
• Identification, classification and analysis of cyber risk
• Identification of factors that could cause an organization to experience a financial loss
• Identification of company and industry cyber threats
• Strategic recommendations for improvement
• Provide insurance underwriters the information needed to evaluate
DELIVERABLES
• Cyber Insurance Risk Assessment Report
– Executive Summary
– Identification of current capabilities and risk levels by domain
– Strategic recommendations for improvement
• Executive presentation
• Threat Assessment Report
DOMAIN DESCRIPTIONS
Construction
Evaluate how the information security program is structured, identifying strengths and areas with opportunity for improvement. Areas reviewed include:
• General information technology policies and procedures
• Policies and procedures for incident response, including breach notification and crisis management
• Staffing
• Senior management and leadership awareness
• Audit and compliance practices
Occupancy
Review data and asset management processes, including:
• Classification policies
• Technical controls to manage data
• Encryption usage requirements
• Data retention policies
• Backup and recovery policies
• Standard asset build and control requirements for items such as laptops, servers and mobile devices
Protection
Review how well the organization is protected by technology, processes and people deployed for detection, analysis, response and containment of advanced cyber attacks. This includes threat visibility, operational security capabilities and incident response capabilities.
Exposure
Determine risk exposure by assessing the threat landscape for the industry, type of business and geographic regions where the organization operates.
• Review effectiveness of established processes and policies for identifying business and information security risk
• Review system and network maintenance policies to determine adequacy of existing controls
• Review processes and policies for vulnerability assessment and remediation, logging requirements, log management, endpoint, cloud and mobile protection and logging, internal and external penetration testing and remediation of identified vulnerabilities
Why CERBICORE
Since 2000, Cerbicore has been at the cutting edge of cyber security and threat intelligence. Our consultants have long been on the front lines of some of the world's most prolific breaches and hunts. We know a lot about both new and old threat actors, as well as how their strategies, techniques, and processes are always changing.
Service Overview
The Security Insurance Risk Assessment (SIRA) draws on Cerbicore's knowledge of sophisticated threat actors, experience fixing security holes, and in-depth knowledge of assessing the maturity and readiness of security programs. It is meant to give a quick, high-level picture of an organization's risk level based on its technology, processes, and people. This makes it easier for insurance underwriters to find, classify, and analyze cyber risk. In property insurance, risk is evaluated using the four parts of the C.O.P.E. framework: construction, occupancy, protection, and exposure. C.O.P.E. can now also be used to evaluate risk that is caused by technology.
Methodology
This two-week engagement combines a general risk level assessment based on the organization’s industry, size and geography with cyber risk scoring across the four C.O.P.E. domains. By overlaying the general risk assessment across the four security domains and multiple subdomains, a weighted risk score is derived to determine the risk posture for each domain and the company as a whole.