How we helped

External audits underlined the limits of the current model used by an insurance and re-insurance provider. Part of a global insurance company, the provider needed to mature its cybersecurity to operate in the current regulatory environment.

AlixPartners was engaged through a competitive RFP to assess specific cyber-maturity needs; evaluate the adherence of existing controls and organization; and propose, design, and socialize a new cybersecurity and risk organization. The provider needed to balance demands from central controls, such as the security operations center (SOC) and identity and access management (IAM) systems, against local regulatory requirements across the globe.

The project followed a three-phase approach:

  • Rapid controls maturity assessment: This assessment provided benchmarked, quantitative and qualitative insight using the NIST, ISF and ISO 27001 frameworks, compared against industry sector and region. We adopted an iterative approach to refine the level of confidence in the gathered data.
  • Information security risk evaluation: We followed a well-practiced approach in which we link technology assets to business assets, assess inherent cyber risk, and then combine this with the controls maturity assessment to derive residual risk to the business. This allows a holistic, business-wide view in which the current risk profile can be compared with risk appetite.
  • Capability gap analysis and solution planning: We brought together control gaps and areas of low maturity alongside risk hot-spots to provide a prioritized roadmap based on closing gaps and bringing the group within risk appetite.

AlixPartners delivered a cybersecurity controls maturity score, with industry and regional benchmarks, and set the stage for a comprehensive and targeted list of in-flight remediation activities and proposed structural changes over a 12-month period.

We recommended a new internal organization to link cyber risk and enterprise risk. It was also important that the new operating model support better communication between the board and the operational company around risks, impacts, and controls.

Technical actions and better governance allowed the provider to improve local security maturity and bring compliance and regulatory reporting up to speed across geographies.
