Cyber Insurance Risk Assessment
Identify an organization’s level of cyber risk for insurance underwriting
The Cyber Insurance Risk Assessment provides a quick, high-level analysis of an organization’s risk level based on the C.O.P.E. framework (construction, occupancy, protection and exposure).

Overview
The Cyber Insurance Risk Assessment is designed for insurance providers, underwriters and organizations preparing to purchase cyber insurance. It is based on Mandiant’s extensive knowledge of advanced threat actors, security breach responses, and evaluations of security program maturity and readiness. The Cyber Insurance Risk Assessment provides a quick, high-level analysis of an organization’s risk level based on its technology, processes and people to facilitate the identification and classification of cyber risk for insurance underwriting. Risk is assessed along the four basic elements of property insurance underwriting: construction, occupancy, protection and exposure (C.O.P.E.). C.O.P.E. has been extended to apply to the assessment of technology-driven risk.
What you get
- Cyber Insurance Risk Assessment report that includes current capabilities, risk levels and strategic recommendations
- Executive presentation
- Threat assessment report
Benefits
- Identification, classification and analysis of cyber risk in the context of insurance underwriting
- Identification of factors that could cause an insurance company to experience a loss
- Identification of company and industry cyber threats
- Strategic recommendations for security improvement
Our Approach
This two-week engagement combines a general organizational risk assessment based on industry, size and geography with cyber risk scoring across the four domains of the C.O.P.E. framework. The derived weighted risk score helps determine the risk posture for each domain and the company as a whole.

Construction
How is the information security program structured? What are the organization’s strengths and opportunities for improvement? Areas reviewed include:
- General technology policies and procedures
- Incident response and crisis management policies and procedures
- Organizational staffing
- Senior management and leadership cyber security awareness
- Audit and compliance practices

Occupancy
How does the organization handle data and asset management processes? Areas reviewed include:
- Classification policies
- Technical controls to manage data
- Encryption usage requirements
- Data retention policies
- Backup and recovery policies
- Standard asset build and control requirements for items such as laptops, servers and mobile devices

Protection
How well is the organization protected from advanced cyber attacks? Areas reviewed include:
- Current and planned technology deployment
- Established and pending processes
- In-house and external personnel
- Functional capabilities, such as threat visibility, operational security, and incident response

Exposure
What is the potential for risk based on the organization’s industry, type of business and geographic bases of operations? Areas reviewed include:
- Processes and policies used by the organization to identify business and information security risks
- System and network maintenance policies
- Processes and policies for security data collection and storage (logging) requirements
