

It comes as no surprise that cyberattacks are a top concern among many organizations. Within the last ten years alone, cyber risks have become the fifth most likely global risk, ranking just below “massive data fraud and theft.”

It is a risk that many organizations believe will get worse – 82% of organizations believe cyber attacks will lead to theft of money and data, and 80% believe there will be disruption of operations. Moreover, cyber attacks do not discriminate when it comes to which organizations to target – 43% of all cyber breaches in 2019 involved small businesses.

To thwart cyber attacks, companies need to assess their own level of cyber risk. Despite the availability of numerous risk assessment frameworks and standards, a failure to implement a cyber assessment plagues far too many organizations. Whether it’s a perception that such assessments are too difficult or a misunderstanding of how much cyber exposure the organization has, companies often opt to implement common security controls in reaction to news of a cyber attack or breach.

The result: many businesses are exposed to potential cyber attacks because of a pieced-together security plan that does not address specific exposures. Still, standards can, and should, serve as a solid jumping-off point. By using a standard as a guideline for building a customized approach, companies can begin to build a cyber risk assessment framework that is unique to their organizations.

Assessment: the prep
To manage your company’s cyber risk, you must first determine what your risks are, how an assessment will be applied to mitigate those risks, and which risks are primary. That way, you can conduct a risk assessment that fits within your organization’s needs.

Before any assessment, your company should define the following criteria:

  • Purpose: Why are you conducting a cyber risk assessment? What are you hoping to protect by doing so? For example, is the purpose to protect reputation, comply with regulatory requirements, comply with contractual obligations, pass an audit for SOC, ISO 27001, or other purposes?
  • Scope: What are you including in your assessment? What will be excluded? How are the results to be utilized? In order to build an effective assessment, your company should align the scope with the budget and the intended use of the results.
  • Roles and responsibilities: Build your accountability team before beginning your assessment. Ideally, companies would assign the risk assessment process to one person to ensure that accountability is enforced. As regulators are holding more organizations accountable for cyber breaches, senior management should lead the risk assessment process.

The assessment: four steps
Once your organization has developed the purpose, scope, and accountability for the cyber risk assessment framework, you can then conduct your targeted assessment. While each organization’s process will vary, there are four actions that define nearly all cyber risk assessment models.

1. Identify risks
Start with understanding what risks your organization faces. To uncover risks, look in the following areas:

  • Assets: what needs to be protected? Consider data, reputation, people, proprietary information, customers.
  • Threats: what could negatively impact the confidentiality, integrity or availability of those assets?
  • Vulnerabilities: what security weaknesses exist that can be exploited?

Once these areas are identified, your company can then analyze the risks.

2. Assess risks
Assessing risks to determine the likelihood of occurrence involves understanding:

  • The probability and frequency of the threat occurring
  • The attractiveness of the asset or targeted company
  • The presence and capabilities of the threat actors
  • The level of security protecting these assets
  • The number of people inside the organization who have access to these assets
  • The amount of training employees have received on proper cybersecurity protocols


When assessing risks, your company should be looking at the overall impact that an exposure to any one of the vulnerable assets could have on the business. The three main areas of impact include:

  • Financial: The costs associated with a cyberattack can be devastating. For example, in 2017, the Petya virus attack targeting numerous businesses and institutions across the globe had a massive impact. FedEx reported the financial impact of its breach to be an estimated $300 million.
    Assess the costs of business interruption, stolen or compromised data, recovery and investigation, and any associated costs. What is the worst-case scenario should a cyber attack target any one of your assets?
  • Reputational: A major breach can have a long-term impact on a company’s reputation. In mid-December 2013, retailer Target was hit with a breach in which consumer data was stolen. By the end of 2013, just two weeks later, Target’s sales had fallen by 46% compared with the same period the year before. It took the retailer nearly two years to recover from the financial impact and the loss of consumer trust.
  • Legal/Regulatory: Another cost to consider is regulatory fines and actions. Data protection laws are placing more of the responsibility onto the shoulders of the organizations that should be protecting consumer data. For example, a July 2019 breach of British Airways’ website cost the company £183 million when cyber thieves diverted customers from the company’s website to a fraudulent one that then collected the personal information of 500,000 people.

3. Mitigate risks
Knowing the risks and their potential impact on your organization makes it easier to establish mitigation around these areas. There are many ways to mitigate risk exposures, and a process is needed to determine which method will be best for each particular risk.

The ways your company can mitigate risks include:

  • Prevention: adopting ways to reduce the likelihood of the risk occurring
  • Detection: employing systems that can alert your company to any possible cyber incident quickly in order to help reduce the impact of any attack
  • Recovery: implementing a backup process in which data is stored offline or away from the main servers so that recovery can occur quickly and damage can be minimized

Mitigation does not require large investments in technology. While some investment may be required, your company can strengthen its cybersecurity through stronger governance, such as training, oversight of policies and procedures, and an ongoing effort to keep employees focused on cybersecurity. With a full commitment by senior management to make cybersecurity a high priority and a regular part of the business model, your company can significantly reduce its exposure to cyberattack.

4. Address residual risk
Risks cannot be fully mitigated. However, your company can determine which risks pose the largest threat to your organization. Likewise, you should decide what level of risk exposure the company is willing or able to tolerate.

Yet some risks that are not able to be absorbed by the company may still pose significant threats. For those risks, your company has options. They include:

  • Avoidance: Simply stop the activities that are causing the risks. If there are no mitigation steps to take or the steps do not reduce the costs to an acceptable level, or if the costs are too high for the company to accept, avoiding the risk is the best response.
  • Acceptance: Even risks that are more than a company can handle financially or reputationally can be accepted. Typically, companies accept these risks when the costs of mitigating them outweigh the financial impact of the risk occurring.
  • Transference/Insurance: Mitigating risks using insurance products effectively transfers a large part of the risk off the shoulders of the company. As cyberattacks increase in frequency and severity, cyber insurance becomes an attractive, affordable way to lessen the impact of a major cyber event. Some insurers will also provide a team of cyber experts who will respond and help your company investigate, remediate, and get back to business quickly.

You may find that more than one of these options applies to the same risk. For example, protecting against ransomware could start with upgraded technology and cybersecurity software, but also include cyber insurance. Any remaining cyber risk may be something your company is willing to accept.
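The four steps above, worked through as a small risk register in Python. This is an added example, not code from the article or from AXA XL or S-RM, and its scoring model is an assumption: likelihood and each impact area (financial, reputational, legal/regulatory) are rated on a 1 to 5 scale, the risk score is likelihood times the worst impact area, prevention controls lower likelihood while detection and recovery controls lower impact, and cyber insurance absorbs a fixed share of financial impact only. The sample risks, controls and point reductions are constructed for illustration; the risk appetite threshold is likewise an assumed value.

```python
"""Added example: a minimal cyber risk register covering identify, assess,
mitigate and residual-risk treatment. Scale, reductions and sample data are
assumptions made for this illustration, not figures from the article."""
from dataclasses import dataclass, field

LOW, HIGH = 1, 5          # ordinal 1..5 scale for likelihood and impact (assumption)
INSURANCE_REDUCTION = 2   # financial-impact points an insurer absorbs (assumption)


def clamp(value):
    """Keep a score inside the 1..5 scale."""
    return max(LOW, min(HIGH, value))


@dataclass
class Control:
    name: str
    kind: str        # "prevention" lowers likelihood; "detection"/"recovery" lower impact
    reduction: int   # points removed from the affected score (assumed effectiveness)


@dataclass
class Risk:
    # Step 1 (identify): the asset / threat / vulnerability triple
    asset: str
    threat: str
    vulnerability: str
    # Step 2 (assess): inherent likelihood and impact per area, 1..5
    likelihood: int
    financial: int
    reputational: int
    legal: int
    # Step 3 (mitigate) and step 4 (transfer) inputs
    controls: list = field(default_factory=list)
    insured: bool = False


def inherent_score(risk):
    """Step 2: risk before any control is applied."""
    return risk.likelihood * max(risk.financial, risk.reputational, risk.legal)


def residual(risk, with_insurance=False):
    """Step 3: apply controls and return (likelihood, impact, score)."""
    prevent = sum(c.reduction for c in risk.controls if c.kind == "prevention")
    respond = sum(c.reduction for c in risk.controls if c.kind in ("detection", "recovery"))
    insured = INSURANCE_REDUCTION if with_insurance else 0
    likelihood = clamp(risk.likelihood - prevent)
    financial = clamp(risk.financial - respond - insured)
    reputational = clamp(risk.reputational - respond)
    legal = clamp(risk.legal - respond)
    impact = max(financial, reputational, legal)
    return likelihood, impact, likelihood * impact


def treatment(risk, appetite):
    """Step 4: accept what fits the appetite, transfer what insurance brings
    within it, otherwise avoid (assumed decision order for this example)."""
    if residual(risk)[2] <= appetite:
        return "accept"
    if risk.insured and residual(risk, with_insurance=True)[2] <= appetite:
        return "transfer"
    return "avoid"


def build_register(risks, appetite):
    """One row per risk, highest residual score first, for decision makers."""
    rows = [{"asset": r.asset, "threat": r.threat,
             "inherent": inherent_score(r), "residual": residual(r)[2],
             "treatment": treatment(r, appetite)} for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample risks (not real incident data)
RANSOMWARE = Risk("customer database", "ransomware", "unpatched endpoints, no MFA",
                  likelihood=4, financial=5, reputational=4, legal=4,
                  controls=[Control("patching and MFA", "prevention", 2),
                            Control("endpoint alerting", "detection", 1),
                            Control("offline backups", "recovery", 1)],
                  insured=True)
LEGACY = Risk("legacy order portal", "remote exploitation", "vendor no longer ships patches",
              likelihood=5, financial=3, reputational=3, legal=4)
DEFACEMENT = Risk("marketing website", "defacement", "weak CMS admin password",
                  likelihood=3, financial=1, reputational=2, legal=1,
                  controls=[Control("strong passwords and WAF", "prevention", 1)])

APPETITE = 4  # assumed tolerance: residual score at or below this is accepted
REGISTER = build_register([RANSOMWARE, LEGACY, DEFACEMENT], APPETITE)

if __name__ == "__main__":
    for row in REGISTER:
        print(f"{row['asset']:<22} {row['threat']:<20} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} -> {row['treatment']}")
```

The ransomware row reproduces the article's own example: technology controls bring the score from 20 down to 6, insurance brings it to 4, and the remainder is accepted; the legacy portal, with no available mitigation, falls to avoidance (decommissioning the activity), and the defacement risk is accepted outright.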

Putting it together
Once you complete your cyber assessment, it needs to be communicated to the decision makers in your organization, and then distributed among your employee population. By establishing the protections you have identified in your assessment, your company can begin to reduce the exposures and strengthen cybersecurity from both an IT and a human perspective.

Also, risk assessments should be occurring regularly. Whenever your company adopts a new technology, new software, or makes changes to automation, data collection, or storage, there should be a full assessment to identify any new cyber exposures that may be inherent in those changes.

Cyber risk assessments can provide your organization with a full view of its vulnerabilities, and help you determine the best mitigation strategies for your most critical exposures. 

While cyber attack preventions are not foolproof, they can save your company from considerable financial impact should a breach occur. Knowing what to protect and where your most critical vulnerabilities are is the first step to reducing your exposures and improving cyber operations.

To learn more about this subject, check out the S-RM and AXA XL Cyber team’s whitepaper.

About the authors
Kate Walas is Head of Cyber, Tech & MPL Operations for AXA XL, North America. She can be reached at
Aaron Aanenson is Director of Cyber Security for S-RM. He can be reached at


Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquiries from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.