The State of Arkansas (“State”) was seeking to improve its cyber security posture to protect the sensitive data it holds and to mitigate the financial risks of an attack through insurance.
Kroll developed a four-stage approach to understand the State’s current security posture and vulnerabilities, with recommended improvements to build resilience. It tapped into its experience with the insurance industry to bring in policy specialists who could advise the State on its options and the requirements to be insured. Finally, Kroll’s years of experience in managing thousands of incidents in collaboration with attorneys and insurance providers gave the State the peace of mind that if an incident did occur, response could be fast and seamless, minimizing potential disruption and financial impact.
- Cyber governance and risk
- Incident response and litigation support
- System assessments and testing
- Risk of cyber threats
- Vulnerabilities in IT infrastructure
- Potential security and financial impact of breaches
- Lack of insight into cyber insurance industry
- Understanding of cyber risks in the context of potential vulnerabilities
- A tried and tested cyber posture and response process
- Ongoing threat detection and response
- Customized cyber security insurance policy framework which reduces financial risk
The State needed a full-service partner that could assess the current cyber security provisions in place and identify vulnerabilities, as well as recommend future investment to meet best practice levels of cyber protection.
The State was also looking for a partner that had experience with insurance providers, to achieve security improvements that would make the State more insurable and, therefore, further protected against the financial impact of a cyberattack, should the worst happen.
Kroll took a four-step approach to tackling the State’s requirements. This included an assessment, investigation and evaluation stage, followed by security guidance, advice around underwriting requirements and support for response to future incidents.
Working with the State, Kroll’s approach included:
- A review of the State’s enterprise information security policies and procedures
- A review of security questionnaire responses across all executive State agencies
- Comprehensive onsite assessments of 20 State agencies
- In-person and phone interviews with key stakeholders across State agencies
- Analysis of firewall and network device configurations
- Simulated attacks against network, system and physical security controls
- Social engineering exercises
- Threat monitoring across agency servers and workstations, all against specific threats such as intellectual property theft, advanced persistent threats, denial of service and ransomware, among many others
The evaluation process also included assessments against cyber security standards such as the NIST Cybersecurity Framework, state/federal regulations and industry best practices.
Kroll brought in the external expertise of Ridge Global, a risk advisory firm, and Risk Cooperative, a Lloyd’s of London Cyber Coverholder and insurance provider, to provide insight on cyber coverage and premium pricing and to prepare the insurance program parameters, in consideration of the security recommendations the State planned to implement.
Risk Cooperative incorporated Kroll’s recommendations into a customized cyber insurance policy framework, which allowed the State to prioritize its assets and ensure it had governance continuity. The policy structure helped the State to reduce the risk of the potential financial burden of a breach. It also ensures that the State is fully prepared to act in the event of an incident and is able to mitigate the financial impact for itself and, in turn, protect the taxpayer dollar.
A Bolstered Security Posture
The State is now better able to mitigate the likelihood of a cyberattack as the security assessment completed by Kroll has provided comprehensive insight into the strengths and weaknesses of its cyber controls and processes.
Better Protected Data
The State has greater assurance that its data is protected to a high standard, helping to reduce the potential impact of a cyber incident.
The State is now much more able to withstand the impact of a cyberattack, both from a preparedness and financial perspective, thanks to the cyber insurance policy framework, which has enabled it to prioritize its assets and ensure governance continuity.
Critical Security Insight
Kroll’s assessments clearly identified strengths and weaknesses in the State’s cyber security program, strengthening its ability to protect confidential information.