Case Study

In-depth cyber insurance risk assessment for a major US holding company

When: 2023
Where: US
Services involved: Cyber

Our cyber consulting team was recently engaged to carry out an in-depth cyber risk assessment for a major US holding company, which provides professional and technical services for over 10 US-based entities across food, sport and entertainment industry verticals.

Due to the relative size and complexity of the company, underwriters required a comprehensive overview of the organisation and its approach to cyber governance, as well as insight into the risk and exposure of its critical data stores, supply chain and any potential interdependencies across different areas of the business.

The process

Working with the client over a period of 3 months, we developed a highly detailed understanding of the client from an information security perspective, with a specific focus on how each entity is governed (whether centrally or autonomously) and how the business maintained and secured its various critical systems and service offerings.

Following an initial scoping workshop with the client, a consultant was deployed to the US for a week-long engagement to collect data and complete a detailed controls assessment with various internal stakeholders.

Previous engagement with underwriters and the insurance market had been limited in scope, meaning the client had minimal opportunity to present and explain its cyber security posture and risk management processes holistically across the business.

It was felt, from a broker perspective, that the client’s risk was likely misunderstood, and that this had likely contributed to an inflated insurance premium.

The result

Using the information obtained throughout our engagement, we produced a highly detailed cyber risk report which enabled underwriters to better understand the client’s exposure, and provided supporting narrative around specific nuances and control gaps which are typically omitted (and therefore often misunderstood) in a traditional underwriting engagement.

The final report, which included a detailed list of recommendations, demonstrated fantastic return on investment by reducing the client’s cyber insurance premium by a significant amount.

Project leads
Nick Robinson
Consultant, Crisis & Security Strategy

Outcomes

  • A due diligence process which enabled underwriters to get a better view for themselves of the cyber security controls in place at the organisation.
  • Visualisations of architecture and infrastructure, and how this connects to revenue, which can be used to stimulate better conversations both within the client and with insurance markets.
  • A highly detailed assessment of the controls in place to mitigate cyber risks at the organisation in comparison to the benchmarks currently being set by insurance markets, which covered around 60 control types across 20 different control themes.
  • A report which was shared with brokers, underwriters, and the information security team to be used as a single source of truth to help identify the organisation’s requirements for cyber insurance cover.
