Cyber Insurance Risk Assessment
Identify an organization’s level of cyber risk for insurance underwriting
The Cyber Insurance Risk Assessment provides a quick, high-level analysis of an organization’s risk level based on the C.O.P.E. framework (construction, occupancy, protection and exposure).
The Cyber Insurance Risk Assessment is designed for insurance providers, underwriters and organizations preparing to purchase cyber insurance. It is based on Mandiant’s extensive knowledge of advanced threat actors, security breach responses, and evaluations of security program maturity and readiness. The Cyber Insurance Risk Assessment provides a quick, high-level analysis of an organization’s risk level based on its technology, processes and people to facilitate the identification and classification of cyber risk for insurance underwriting. Risk is assessed along the four basic elements of property insurance underwriting: construction, occupancy, protection and exposure (C.O.P.E.). C.O.P.E. has been extended to apply to the assessment of technology-driven risk.
What you get
- Cyber Insurance Risk Assessment report that includes current capabilities, risk levels and strategic recommendations
- Executive presentation
- Threat assessment report
- Identification, classification and analysis of cyber risk in the context of insurance underwriting
- Identification of factors that could cause an insurance company to experience a loss
- Identification of company and industry cyber threats
- Strategic recommendations for security improvement
This two-week engagement combines a general organizational risk assessment based on industry, size and geography with cyber risk scoring across the four domains of the C.O.P.E. framework. The derived weighted risk score helps determine the risk posture for each domain and the company as a whole.
Construction: How is the information security program structured? What are the organization’s strengths and opportunities for improvement? Areas reviewed include:
- General technology policies and procedures
- Incident response and crisis management policies and procedures
- Organizational staffing
- Senior management and leadership cyber security awareness
- Audit and compliance practices
Occupancy: How does the organization handle data and asset management processes? Areas reviewed include:
- Classification policies
- Technical controls to manage data
- Encryption usage requirements
- Data retention policies
- Backup and recovery policies
- Standard asset build and control requirements for items such as laptops, servers and mobile devices
Protection: How well is the organization protected from advanced cyber attacks? Areas reviewed include:
- Current and planned technology deployment
- Established and pending processes
- In-house and external personnel
- Functional capabilities, such as threat visibility, operational security, and incident response
Exposure: What is the potential for risk based on the organization’s industry, type of business and geographic bases of operations? Areas reviewed include:
- Processes and policies used by the organization to identify business and information security risks
- System and network maintenance policies
- Processes and policies for security data collection and storage (logging) requirements