Cyber Risk Self-Assessment Tool - Asia

Welcome to the Marsh Cyber Risk Self-Assessment Tool.

Answering the following 31 questions will help you to evaluate:

  • how relevant the consequences of a cyber-event would be to your organisation
  • which financial losses can be covered within new cyber insurance policies
  • to what degree cyber risk scenarios are fully recognised and measured by your organisation

The survey will take approximately 10 minutes and it is anonymous. At the end of the survey, you can register in order to download a free copy of the Cyber Risk Self-Assessment Report.

Based on your answers, your organisation will be mapped in one of the specific risk profile areas of the matrix below.


1 - How much personal identifiable information (PII) does your organisation process?

2 - How much health-related information does your organisation process?

3 - Does your organisation process credit card details?

4 - How many personal banking details does your organisation process?

5 - Does your organisation provide online information and communication technology (ICT) services to third parties (for example, hosting, housing, cloud services, and dedicated online services)?

6 - Does your organisation sell products or services through e-commerce websites?

7 - Have you calculated the financial impact caused by a network/IT interruption to your organisation?

8 - Has the risk of cyber-violation concerning your intellectual property been assessed?

9 - Do you deem that the reputation of your organisation could be damaged by a data breach?

10 - Does your organisation have a complete set of information security policies that is periodically updated and communicated to all employees?

11 - Do you deem that the contractual obligations your organisation has with third parties could be breached in the event of a data breach or IT network outage?


12 - Do you deem that a hacker could commit a cyber-fraud affecting your organisation or your customers?

13 - Have you investigated potential cyber risks that may cause material damages to your production factories, warehouses, office sites, other physical assets, people, environment, and neighbours?

14 - Does your organisation rely on third parties for IT services?

15 - Are you aware of an independent privacy and data protection compliance audit being performed in your organisation in the last 12 months?

16 - Are you aware of any vulnerability assessment and penetration tests being performed in your organisation in the last 12 months?

17 - Does your organisation have an information security officer?

18 - Does your organisation have an incident and crisis management policy addressing cyber attacks and data breaches?

19 - Is your network periodically audited by third parties to assure the proper design and implementation of state-of-the-art security technologies (for example, firewall, antivirus, IDS, IPS, IAM, SIEM)?

20 - Are your IT service providers periodically audited by your organisation to review their security policies (for example, disaster recovery, back-up, network security)?

21 - Does your organisation have a disaster recovery plan addressing IT services, based on sound data back-up policies?


22 - Does your organisation also operate in the USA?

23 - Have you estimated the maximum financial loss that your organisation could suffer in the event of a cyber attack/data breach (total of first-party and third-party losses)?

24 - Do you ever share PII data with third-party organisations?

25 - Are all third-party organisations with whom you share personal data required to indemnify you under contract for their unauthorised disclosure of such personal data?

26 - Do you provide awareness training for employees on privacy and security, including on issues of legal liability and social engineering?

27 - Are you aware of an information classification policy in your organisation, including the encryption of sensitive data?

28 - Is your organisation always in physical possession of at least one updated copy of all business data?

29 - Are your websites designed to register user-generated information (for example, email, location, and address)?

30 - Is your organisation managing websites, social networks, and mobile apps in compliance with a suitable data protection policy?

31 - In the last 12 months, have you performed a cyber risk assessment to identify all relevant cyber risks to your business?