Cyber Risk Self-Assessment Tool - Asia

Welcome to the Marsh Cyber Risk Self-Assessment Tool.

Answering the following 31 questions will help you to evaluate:

how relevant the consequences of a cyber-event would be to your organisation
which financial losses can be covered within new cyber insurance policies
to what degree of complexity are cyber risk scenarios fully recognised and measured by your organisation

The survey will take approximately 10 minutes and it is anonymous. At the end of the survey, you can register, in order to download a free copy of the Cyber Risk Self-Assessment Report.

Based on your answers, your organisation will be mapped in one of the specific risk profile areas of the matrix below.

Terms and conditions

Request for insurance form ▶

Start the survey ▶

Cyber Risk Self-Assessment Tool - Asia

Page 1 of 3

1 - How much personal identifiable information (PII) does your organisation process?

I don't know
More than 1 million
Less than 1 million
Only employee data

2 - How much health-related information does your organisation process?

I don't know
More than one million
Less than one million
No

3 - Does your organisation process credit card details?

I don't know
Yes
No, but a third party handles these on our behalf
No

4 - How many personal banking details does your organisation process?

I don't know
More than 1 million
Less than 1 million
Only employee data

5 - Does your organisation provide online information and communication technology (ICT) services to third parties (for example, hosting, housing, cloud services, and dedicated online services)?

I don't know
Yes, it is our core business
Yes, but it is not our core business
No

6 - Does your organisation sell products or services through e-commerce websites?

I don't know
Yes, it is an important sales channel
Yes, but it is not an important sales channel
No

7 - Have you calculated the financial impact caused by a network/IT interruption to your organisation?

I don't know
Yes, and it is significant/material
Yes, but it is negligible
No

8 - Has the risk of cyber-violation concerning your intellectual property been assessed?

I don't know
Yes, and it is significant/material
Yes, but it is negligible
No

9 - Do you deem that the reputation of your organisation could be damaged by a data breach?

I don't know
Yes, it is a relevant risk
Yes, but with negligible consequences
No

10 - Does your organisation have a complete set of information security policies that is periodically updated and communicated to all employees?

I don't know
Yes, partially
Yes
No

11 - Do you deem that the contractual obligations your organisation have with third-parties could be breached in the event of data breach or IT network outage?

I don't know
Yes, it is a relevant risk
Yes, but with negligible consequences
No

Next ▶

◀ Previous

Cyber Risk Self-Assessment Tool - Asia

Page 2 of 3

12 - Do you deem that a hacker could commit a cyber-fraud affecting your organisation or your customers?

I don't know
Yes, it is a relevant risk
Yes, but with negligible consequences
No

13 - Have you investigated potential cyber risks that may cause material damages to your production factories, warehouses, office sites, other physical assets, people, environment, and neighbours?

I don't know
Yes, it is a relevant risk
Yes, but with negligible consequences
No

14 - Does your organisation rely on third parties for IT services?

I don't know
Yes, we are fully dependant on third parties
Yes, we are partially dependant on third parties
No, or only for telecommunication services

15 - Are you aware of an independent privacy and data protection compliance audit being performed in your organisation in the last 12 months?

I don't know
Yes, we are fully compliant
Yes, we are partially compliant
Not performed

16 - Are you aware of any vulnerability assessment and penetration tests being performed in your organisation in the last 12 months?

I don't know
Yes, results are very positive
Yes, corrective actions have been taken
Not performed

17 - Does your organisation have an information security officer?

I don't know
Yes, full time
Yes, part time or external consultant
No

18 - Does your organisation have an incident and crisis management policy addressing cyber attacks and data breaches?

I don't know
Yes, but limited to IT activities
Yes, it considers also customer support
No

19 - Is your network periodically audited by third parties to assure the proper design and implementation of state-of-the-art security technologies (for example, firewall, antivirus, IDS, IPS, IAM, SIEM)?

I don't know
Yes
Yes, but not regularly
Not performed

20 - Are your IT service providers periodically audited by your organisation to review their security policies (for example, disaster recovery, back-up, network security)?

I don't know
Yes (or not applicable)
Yes, but partially
No

21 - Does your organisation have a disaster recovery plan addressing IT services, based on sound data back-up policies?

I don't know
Yes, we rely on the DR plan of our providers
Yes
No

Next ▶

◀ Previous

Cyber Risk Self-Assessment Tool - Asia

Page 3 of 3

22 - Does your organisation also operate in the USA?

I don't know
Yes, but we don't process US citizens' data
Yes
No

23 - Have you estimated the maximum financial loss that your organisation could suffer in the event of a cyber attack/data breach (total of first-party and third-party losses)?

No
Yes, negligible impact
Yes, less than 10 million Euro
Yes, more than 10 million Euro

24 - Do you ever share PII data with third-party organisations?

I don't know
Yes, also abroad
Yes
No

25 - Are all third-party organisations with whom you share personal data required to indemnify you under contract for their unauthorised disclosure of such personal data?

I don't know
Yes, not fully applied
Yes (or not applicable)
No

26 - Do you provide awareness training for employees on privacy and security, including on issues of legal liability and social engineering?

I don't know
Yes
Yes, partially
No

27 - Are you aware of an information classification policy in your organisation, including the encryption of sensitive data?

I don't know
Yes, sensitive data is encrypted
Yes, but encryption is not fully applied to sensitive data
No, data is not classified

28 - Is your organisation always in physical possession of at least one updated copy of all business data?

I don't know
No, all data areas are processed and stored by providers
Yes, but some data is available only at providers' sites
Yes

29 - Are your websites designed to register user-generated information (for example, email, location, and address)?

I don't know
Yes
Yes, but limited to email and password
No

30 - Is your organisation managing websites, social networks, and mobile apps in compliance with a suitable data protection policy?

I don't know
Yes
Yes, partially
No, we do not have a specific policy

31 - In the last 12 months, have you performed a cyber risk assessment to identify all relevant cyber risks to your business?

I don't know
Yes
Yes, only relevant to IT and Network security
No

◀ Previous