Find out how Cyber Risk Insights has helped some of our clients
KPMG CRI was used to help a global insurance company define their cyber security strategy and identify priority controls for investment based on robust cost-benefit analysis
Client profile
Locations: Global, headquartered in UK
Industry: Insurance
Gross written premium: £35B+
Employee headcount: 2,000
Customers: 4,500+
Client challenges
Difficulty in defining a cyber security strategy that was threat-led
The client needed a defensible strategy that aligned to the risks they face and that could give the Board comfort that they were focusing their investment in the most appropriate way
There was a culture of ‘everything, everywhere’ in the security organisation that would often lead to high spending when not necessary – especially as they did not know which capabilities were contributing the most to their risk reduction
Benefits / outcomes
Client has a comprehensive understanding of how much each cyber control contributes to reducing the likelihood of each risk scenario
Client has identified the priority controls related to its highest-risk cyber risk scenarios
Client has refreshed its cyber strategy and prioritised its cyber transformation portfolio
KPMG CRI was used to help one of the largest European banks with more than 20 million customers quantify cyber risk exposure and identify priority investments based on best bang-for-buck risk reduction
Client profile
Locations: Europe
Industry: Banking
Revenue: £1.3B
Employee headcount: 30,000
B2C Customers: 20M
Client challenges
Limited understanding of posture across cyber security layers of defence
Limited ability to justify cyber investments based on cost-benefit analysis
Difficulties with prioritising significant volumes of cyber change activity
Inconsistent definitions of cyber risk scenarios and business impacts
Incomplete data collection procedures for incidents
Benefits / outcomes
Embedded approach to quantitative cyber risk assessment, including enhanced data gathering procedures
Ability to quantify likelihood and impact of various cyber risk scenarios
Ability to prioritise investments and the change programme based on each item's quantified contribution to cyber risk scenario risk reduction
Defensible risk and control measurements given the use of evidence-based metrics
KPMG CRI was used to help a Critical National Infrastructure organisation develop a cyber risk reporting framework to help better measure and communicate cyber risk exposure to their Board and regulators
Client profile
Locations: UK
Industry: Energy
Revenue: £18B
Customers: 8M
Client challenges
Existing risk quantification model was overly complex and did not assess the cyber risk of systems supporting critical national infrastructure (CNI)
Modelling approach was poorly documented and inconsistent, which reduced regulatory confidence in the client's understanding of its position against risk appetite
Model outputs did not provide a cyber-risk-scenario-driven view, which made it difficult to communicate outputs at Board level and did not enable decision making
Benefits / outcomes
Refreshed cyber risk reporting, moving the client from a maturity-led to a threat-led approach
Refreshed quantitative assessment approach improving the robustness and defensibility of cyber risk reporting and of the position against appetite
Enabled more informed investment decisions and showed how scheduled improvements would reduce cyber scenario risk over time
Ability to quantify risk exposure to commodity attacks that may impact key Operational Technology (OT) infrastructure. This was an important outcome for the Board and regulator
KPMG CRI was used to help a global logistics company improve their understanding of their cyber threat landscape, the current state of their cyber security and anti-fraud controls, and prioritise remedial activity
Client profile
Industry: Logistics
Revenue: £180M
Employee headcount: 2,200
Customers: ~1,000 a year
Client challenges
A cyber security incident exposed weaknesses within cyber security and anti-fraud controls
Lack of confidence in the understanding of current risk posture and state of cyber and anti-fraud controls
Lack of a threat-led approach to cyber risk identification and investment / remediation prioritisation
Benefits / outcomes
Quantitative understanding of cyber risk exposure against key cyber threat scenarios
Board and upper management have absolute clarity on current cyber risk exposure against appetite and on the impact of remediation plans
Prioritised investments in cyber and anti-fraud controls based on those with the highest contribution to cyber risk reduction
15 priority one and 19 priority two controls identified for remediation
KPMG CRI was used to help a UK retail company define, prioritise and obtain Board approval and confidence in a threat-led cyber security remediation roadmap
Client profile
Industry: Retail
Revenue: £1,600M
Employee headcount: 10,000
Customers: 13M
Client challenges
Conflicting reports and views on cyber maturity levels reduced the Board’s confidence in cyber security management
Cyber security remediation roadmap was not threat-led, resulting in poor allocation of resources
Commitment to ‘align with ISO27001’ drove an unachievable ‘everything, everywhere’ mindset
Benefits / outcomes
Prioritised investments in cyber controls based on those with the highest contribution to cyber risk reduction
20% of ISO27001 controls were de-scoped based on threat-modelling activity, saving significant resources
Approach enabled the remaining 80% of ISO27001 controls to be prioritised based on best bang-for-buck cyber risk reduction
A Board-approved cyber security remediation roadmap and renewed confidence in cyber security management