Enterprise Cyber Risk

InnoSec’s enterprise offering is the most robust cyber risk product on the market. We address all aspects of cyber risk management by quantifying cyber risk and automating all cyber security activities. Our STORM product is available on premises or as SaaS.

InnoSec is the only fully-automated cyber risk management application. Take the CISO challenge below and add up the manual hours spent on all these tasks and then call us quickly! Our technology integrates with





and provides

· Cyber risk and control maturity models

· Template-based best practice frameworks and workflows

· Advanced quantitative risk analytics

· Industry specific loss data

into a unified suite built for business-oriented CEOs, executives, boards, CROs and CISOs.

How do we set up STORM?

· Load your business processes, systems and data assets

· Use our threat and control catalogs

· Model your risk scenarios using our drag and drop risk engine (no hard coding!)

· Integrate real-time security data from the SIEM, vulnerability scans or audits

· Generate risk reports (discover concentrations of risk, track loss exposure over time, and proactively manage your organization’s risk)

How does a CISO use STORM?

· Prioritize vulnerability work

· Budget based on risk

· Assign remediators to tasks and projects

· Communicate with compliance, audit and regulatory

· Report to the board on strategy, effectiveness, and budget

· Reduce the amount of time spent with auditors by 90%

· Manage incidents


Resources that provide you with automated tools to manage GDPR compliance and perform the privacy impact and risk assessments required for compliance.

GDPR Compliance – Privacy Impact Assessment (PIA) and Risk Assessment

Article 5 states that personal data must be processed securely to ensure its integrity & confidentiality. Article 35 states that privacy risks including potential impacts must be assessed, particularly where new technologies/systems/arrangements are being considered, or otherwise where risks may be significant. The toughest component of GDPR is demonstrating this information at the system level. To accomplish this, InnoSec’s STORM provides:

· Identification of systems with privacy data and system location – Scope of the assessments

· Demonstration that organizations have implemented, utilize and maintain appropriate technical and organizational security measures for personal information, addressing the information risks

· Ability to demonstrate that the integrity and confidentiality of each system is within appropriate thresholds.

· Ability to budget for each GDPR article and aggregate into a consolidated budget.


Our GDPR PIA provides a set of evidence-based dashboards that demonstrate the effectiveness of privacy security controls and the risk associated with these systems.


By implementing the GDPR Solution, your organization will receive the following benefits:

· “Plan, manage and implement your GDPR program”

– GDPR Gap Analysis

– Determine compliance of each article

– Associate findings to your GDPR project

– Define tasks to become compliant

– Assign tasks to teams or individuals

– Estimate capital and operational expenditures for each article and aggregate into a single GDPR budget

· “Perform a PIA”

– Scope the systems for the PIA

– Determine confidentiality and integrity of each system that processes privacy data

– Set thresholds based upon tolerances

– Provide a report for the DPA

· Perform a risk assessment for systems that process GDPR data

– Scope the systems for the Risk Assessment

– Measure the inherent and residual risk of each system that processes privacy data

– Set thresholds based upon tolerances

– Remediate any finding or vulnerability

– Budget for any work associated with remediation

– Provide a report for the DPA

Cyber Due Diligence and Pre- and Post-M&A


Cyber security is one of the greatest risks faced by many organizations. Yet, cyber risk is not typically considered in M&A due diligence. This results in:

· Incomplete understanding of risk

· Over-valuation of assets

· New risk for the buyer and investor

Before the transaction, you must understand whether the asset is already compromised in terms of intellectual property, trade secrets and business strategies. InnoSec’s M&A module allows you to scope M&A assets for possible harmonization, migration or retirement by aligning the security plan with the M&A program milestones and portfolio decisions. Each application is classified based on inherent risk, providing a full picture of your M&A targets. Applications chosen for migration are then assessed for vulnerabilities, and residual risk is measured for each asset, resulting in the full picture of M&A risk.

Cyber Insurance

  • Determine how much cyber insurance you need to sell to the SMB
  • Provides actuarial tables based on risk
  • Risk Accumulation metrics for cloud compromise and data exfiltration
  • Good Cyber Steward Discounts

The Risk Pricing Challenge – Underwriters continue to struggle in attempts to assemble the actuarial tables needed to structure and price cyber policies with any sort of confidence. The current practice is to fill out a manual questionnaire based on a specific security guideline. The questionnaire, and the ability to verify the answers to those questions, is not linked to the actual cyber risk of the business assets and provides extremely limited metrics into the actual residual risk of a company.

The result is “a fragmented and volatile business”—for underwriters, as well as for companies in the market to buy cyber insurance, according to a recent report from the SANS Institute cyber security think tank and training institution.

There is a lack of risk data typically available to actuaries to price policies and manage insurance companies’ risk – Society of Actuaries

The ever-growing demand for cyber insurance offers a huge commercial opportunity for insurers, reinsurers and brokers. This opportunity requires a fresh look at risk evaluation, risk pricing and risk transfer structures and capabilities to put cyber insurance on a sustainable footing. Cyber insurance carriers and brokers have had no objective cyber risk data that demonstrates the business risk. This precludes them from taking advantage of the enormous small-medium business market. Objective internal cyber risk data allows insurance stakeholders to determine the right amount of cyber insurance to sell, determine the optimal pricing, minimize their own risk across the portfolio and become competitive. Without this data, they will remain baffled. Cyber insurance will soon become a client expectation, and insurers that are unwilling to embrace it risk losing out on other business opportunities if cyber products don’t form part of their offering.

Cyber Risk Management should be part of the Enterprise Risk Management (ERM) of every company – Society of Actuaries

E&Y believes that insurance companies should maintain the triad of confidentiality, integrity and availability of information systems and data. To improve in these areas of information security, they need to: develop and implement a long-term, enterprise-wide security program that addresses processes, controls, organization and governance, as well as reporting, metrics, privacy and data protection; establish a framework of continuous improvement in analytics and reporting, people, processes, and technology; and design and execute solutions to measure, monitor and report on the effectiveness of the security program.

Companies must monitor, assess, and respond to information security risks – Society of Actuaries