CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES

Academic year: 2021

How can you better prepare and respond to cyber risks?

ACE developed Loss Mitigation Services to help policyholders understand and gauge various areas of cyber and privacy exposures that are relevant to your business. Loss Mitigation Services can help your organization reduce the likelihood and impact of a cyber or data privacy incident, including early detection and remediation of cyber exposures. These services were developed based on ACE’s claims experience, in-house cyber security expertise and strategic partnerships with industry-leading cyber security firms. Loss Mitigation Services are part of ACE’s three-prong approach to a comprehensive cyber risk management program – with incident response and risk transfer completing the program.

Since many companies struggle with organizing cyber risk exposures, ACE structured Loss Mitigation Services into three mitigation strategies to help you choose the right services for your organization:

CORE

The Fundamentals of Securing and Protecting Your Networks And Information

• Information Governance: Know where and what data to protect
• Cyber Readiness: Compare your company against security standards
• Incident Response: Evaluate your incident response plan and capabilities

TACTICAL

More Targeted Services to Address Your Specific Industry or Risk Profile

• Business Impact Calculation: Determine how much outages actually cost
• PCI Compliance Assessment: Comply with credit card security requirements
• HIPAA Compliance Assessment: Comply with U.S. healthcare regulations

CULTURAL

Services that Impact the Enterprise – Creating a Cyber and Data Privacy Awareness Culture

• Security Awareness: Elevate employee awareness for protecting information
• Cyber Threat Blueprint: Gain new insight on current cyber threats
• Security Performance: Ongoing security ratings of your company

How can you take advantage of Loss Mitigation Services?

It all starts with the ACE Cyber Experience (www.acecyberrisk.com), where policyholders have access to white papers, webinars, articles and other information to better understand the changing cyber and data privacy threat environment. Policyholders can take loss mitigation to the next level through independent assessments and security solutions delivered by leading industry experts. Further, to make these services available to policyholders of all sizes, industries and program maturity, Loss Mitigation Services have been structured to be scalable to fit your needs:

Complimentary Self-Assessments

This level of service was developed for risk managers that are interested in learning the basics of cyber risk management for any industry segment, smaller organizations, and those organizations that are just getting started in assessing their cyber risk posture.

Fixed Rate of Service

For those organizations seeking an independent assessment to better identify their cyber and privacy related exposures, ACE has worked with each independent vendor to structure a flat $3,000 loss mitigation service.

Comprehensive Solution

Services can be scaled to meet the specific requirements of organizations requiring additional mitigation services. These custom solutions are built upon in-depth analysis and are available for all industries.

Core Loss Mitigation Services

Core services are designed to address the fundamentals of securing and protecting your information. Organizations of all sizes, industries and geographies will benefit from these services.

Information Governance

Know where and what data to protect

What is it?

A consultative service to help identify the privacy and protection considerations related to your organization’s information, which guides how it should be managed from creation to deletion.

Who needs it?

All companies handle sensitive data to varying degrees, ranging from social security numbers to trade secrets and company confidential information. This offering is tailored to what your company does and your relative risk profile.

How does this improve my risk?

The resulting report will provide a high-level summary of your information governance risks and opportunities, accompanied by prioritized recommendations to reduce your risk and protect your brand.

Who provides this service?

Huron Consulting Group: www.huronconsultinggroup.com

Cyber Readiness

Compare your company against security standards

What is it?

A 360 degree enterprise view of your organization’s cyber security posture based upon how your company compares against cyber security standards in your industry.

Who needs it?

All companies can benefit from this service. It is beneficial for companies to benchmark themselves against the latest security standards.

How does this improve my risk?

The resulting assessment report shows possible risk areas (weak spots) and ways to align closer to standards for protecting information. Individual suggestions and/or recommendations for improvement will be offered in cases where specific potential/confirmed gaps are identified.

Who provides this service?

NetDiligence: www.netdiligence.com

Incident Response

Evaluate your incident response plan and capabilities

What is it?

An expert review of your Incident Response Plan, accompanied by recommendations on how to improve the plan and your ability to respond quickly to minimize the impact of an incident.

Who needs it?

All companies benefit from this service. Data shows that the ability to respond quickly can significantly reduce the overall financial and reputational impact if an incident occurs.

How does this improve my risk?

It is more effective to identify and address gaps in incident response processes before an actual incident occurs. Proper response can minimize the impact an incident has on your business operations and sensitive data.

Who provides this service?

Tactical Loss Mitigation Services

Tactical Loss Mitigation Services are more targeted than Core Loss Mitigation Services. These services are designed to address your specific risk profile. For example, these services are focused on industries with specific data privacy and regulatory responsibilities, such as retail, healthcare, and financial services.

Business Impact Calculation

Determine how much outages actually cost

What is it?

Model the probability of a business interruption caused by a cyber-attack to determine the estimated financial cost to your business.

Who needs it?

Companies with a significant online presence and/or online processes, such as retailers, payment processors, and cloud service providers.

How does this improve my risk?

Determining the potential causes, effects and remedies of business interruption events will help you sustain needed business functions and maintain your customer base.

Who provides this service?

Navigant: www.navigant.com

PCI Compliance Assessment

Comply with credit card security requirements

What is it?

A baseline assessment of your company’s alignment with the compliance requirements of the Payment Card Industry Data Security Standard (PCI-DSS).

Who needs it?

Any business that accepts credit card payments from the major card brands.

How does this improve my risk?

The report will identify major compliance gaps with PCI-DSS and what steps you need to take to obtain or maintain compliance with this standard.

Who provides this service?

McGladrey: www.mcgladrey.com

HIPAA Compliance Assessment

Comply with U.S. healthcare regulations

Cultural Loss Mitigation Services

Implement cultural services designed to create a cyber-aware workforce both within your organization and with your third party vendors.

Security Awareness

Elevate employee awareness for protecting information

What is it?

A simulated email attack (i.e., phishing) is sent to a target subset of employees to see which employees click on the link. Online training is then provided for those who fail the simulation.

Who needs it?

All companies can benefit from this service. It is critical to ensure that a company’s workforce can identify and respond accordingly to the most common types of cyber-attacks.

How does this improve my risk?

Individual behaviors are changed due to the interactive and engaging learning experience so employees are better prepared if a real phishing attack should occur.

Who provides this service?

Wombat Security: www.wombatsecurity.com

Cyber Threat Blueprint

Gain new insight on current cyber threats

What is it?

A customized technical seminar, personal meeting and assessment report for information security and technology professionals within your company based on the latest threat intelligence.

Who needs it?

Information security and technology specialists can leverage the assessment report to engage with industry leaders on specific threats related to their company.

How does this improve my risk?

The seminar and report on threat intelligence will help information security and technology specialists develop better defense strategies against threat actors.

Who provides this service?

FireEye: www.fireeye.com

Security Ratings for Data-Driven Risk Management

Evaluate the security performance of any company

What is it?

Security ratings that provide continuous cyber security performance measurements of your company and up to three of your peer and/or third party vendors. Data is gathered from publicly accessible sources and no information is needed from the rated companies.

Who needs it?

All companies can benefit from this service. Having access to quantitative, objective metrics indicating how well the businesses of most interest to them are defending themselves against cyber threats and attacks can be beneficial to any company.

How does this improve my risk?

A continuous monitoring solution for you and your vendors allows you to identify potential security issues throughout the duration of the relationship. It also provides insights to inform you of risks before entering into agreements and sharing your information.

Who provides this service?

BitSight Technologies: www.bitsighttech.com

Vendor Management

Validate your contracts and address privacy and information security exposures

What is it?

Independent legal analysis and report of up to three agreements on how well they address basic privacy policy and information security exposures.

Who needs it?

All companies, but especially those dealing with outside vendors for technology services (e.g. cloud applications, web hosting, and external IT services).

How does this improve my risk?

Having an ongoing monitoring solution for you and your vendors allows you to identify potential security issues before entering into agreements and sharing your information.

Who provides this service?

less severe. We also assume no responsibility to implement any resulting recommendations. Any loss mitigation inspection, assessment or audit purchased by a policyholder, and any report or recommendation resulting therefrom, will not constitute an undertaking at the behest of or for the benefit of ACE. All services may not be available in all jurisdictions.

Product highlights are summaries only. Please see the actual policy for terms and conditions. Products may not be available in all locations, and remain subject to ACE Group’s underwriting criteria.

ACE USA is the U.S.-based retail operating division of ACE Group. ACE Group is a global leader in insurance and reinsurance, serving a diverse group of clients. Headed by ACE Limited (NYSE: ACE), a component of the S&P 500 stock index, ACE Group conducts its business on a worldwide basis, with operating subsidiaries in 54 countries. Additional information can be found at www.acegroup.com/us.
