2. The Cyber Defence Capability Assessment Tool (CDCAT®) is an effective, comprehensive way for organisations to assess their existing cyber defences, identify any vulnerabilities in those defences and determine what mitigations can be applied. Considering the frequency of attacks on organisations’ sensitive cyber assets – CDCAT® is an essential tool in combatting the threats posed by any number of cyber-criminals and criminal organisations.
CDCAT® was developed by the Defence Science and Technology Laboratory (Dstl), a trading fund
of the MOD. Dstl provides impartial scientific and technological advice to the UK Armed Forces and
British Government.
Kyngswoode Services Limited was awarded, by APMG International, the rights to provide
a CDCAT® derived service to the London insurance sector and associated international
organisations.
Kyngswoode Services use the data from CDCAT® assessments to create a view of the insurable risk an underwriter should consider before accepting the cover. This report allows the underwriter to consider the cyber risk fully without seeing all the underlying evidence that a client may prefer to keep confidential due to the sensitive nature of the data.
A military-grade cyber defence assessment
3. Why was CDCAT® Introduced?
Cyber-criminals continuously evolve and adapt their methods of bypassing the traditionally rigid cyber-security controls organisations have in place. For organisations to stay safe they need to be similarly adaptive – this is where CDCAT® comes in.
While it is highly advantageous for organisations to implement
standards such as ISO/IEC 27001, or employ tools like
penetration testing – these only constitute one part of an effective
cyber security strategy.
CDCAT® is designed so that full sets of best practice controls are
incorporated, 145 controls in total - including ISO/IEC 27001:2013,
the US’ NIST Cyber Security Framework, UK’s 10 steps to Cyber
Security and Cyber Essentials. The result is a truly comprehensive
cyber-security assessment tool, enveloping the standard lifecycle of
assess, deter, protect, detect and respond – mapped against the ITIL
lifecycle of Service Strategy, Service Design, Service Transition and
Service Operation.
What is CDCAT® Insurance Services?
CDCAT® Insurance Services utilises CDCAT® to support insurance underwriters and brokers using fact-based certified assessments to confirm their clients’ cyber defence capabilities. This will enable brokers to seek better premiums and underwritten conditions for their clients, as well as allow underwriters to use fact-based evidence to assess cyber risks.
The resulting output includes:
■ Overall rating of cyber risk management capability as measured
against agreed risk appetite
■ Maturity scores from zero to five for each control assessed
■ Vulnerability status for each control assessed
■ Red, Amber, Green (RAG) status relative to risk appetite
■ RAG status relative to best practice
■ Benchmark rating against an organisation’s own sector / cross-industry sectors, as well as geographic comparisons
■ Estimated average annual risk cost
What benefits can CDCAT® offer the insurance industry?
Brokers
To give the best service to their clients, brokers need to understand the risks they are working with. Cyber security is no different to any other risk, yet the industry continues to cautiously write specific cyber risk cover and Directors and Officers cover on little-known fact-based assessments and without a truly independent and impartial certification of the cyber defence capability of their client. CDCAT® Insurance Services will allow a broker to achieve better underwriting and exclusions for their clients by demonstrating their clients’ true cyber defence capability.
Underwriters
Complex and/or commercial risks, such as aviation, marine and heavy lifting, are always supported by some type of certification to validate the status of the risk. Yet the most unknown risk, which is cyber and data breach, is assessed without any truly independent, objective and certified status of a moment-in-time assessment. CDCAT® can provide a quick review of any client’s defences, at any time.
Third Party Services
As an organisation’s cyber defence capability is measurable using CDCAT®, it is easy to reassess capability at any point in time. Therefore CDCAT® can be used to support Claims Management, Legal and Cyber Consulting Services who are engaged to provide remedial services for clients. In each case, a current point-in-time assessment could assist the outcome of each service being offered.
CDCAT® benefits:
■ Unique decision support system which allows a company to proactively tackle its cyber security needs through business risk appetite analysis.
■ Provides simple steps to improve cyber defence capabilities.
■ Supports continuous security improvements for organisations and supply chains - as threats, consequences and risk appetites change.
■ Provides cyber professionals with the tools to build effective business cases for vital updates. Worst case scenario modelling outlines the potential cost to an organisation of not implementing the recommended change and suffering a breach. This is measured against the costs of enacting the change.
■ Provides organisations with a way to report back to key stakeholders that they are addressing sector-based vulnerabilities.
■ Calculates overall business preparedness scores.
■ Cost savings can be driven through adopting an efficient risk management approach utilising the recommendations.
Contact: Andrew McQuade
E: Andrew.mcquade@kyngswoode.com
T: +44 (0) 7956 640322
www.apmg-cyber.com/cdcat-insurance
www.kyngswoode.com
CDCAT® is the registered trademark of The Secretary of State for Defence and is subject to Crown Copyright and Crown Database Rights. APMG International is the principal licensee of CDCAT®, appointed to further develop and commercially exploit the tool.