Insurance Risk Control


FAQ

Quantar FAQs

Quantar provides audit and consultancy services in the domains of GDPR implementation within an organization and also the external auditing of a data privacy program that is intended to meet the GDPR requirements.

This is necessary both for a new GDPR project ahead of the May 2018 deadline and for post-implementation work, because compliance is an ongoing obligation. Examples are where systems, processes or methodologies change, or where suppliers are replaced or change their own operating practices.

We also provide ISO/IEC 27001 external auditing services. In the case of an ISO certification, there will be ongoing audit and oversight visits, both leading up to certification and as surveillance visits during each 3-year certification term. In the case of GDPR, however, an organization that relies on its ISO 27001 implementation as evidence of compliance with GDPR requirements may need an external review of that implementation to confirm that it actually covers them: ISO 27001 certifies the information security management system, not GDPR compliance as such.

In some instances, ISO 27001 Annex A controls can themselves create GDPR exposure, which runs counter to the intention of using ISO 27001 for compliance purposes. An example is where the logging and monitoring of individuals' activity required to secure data under Annex A (A.12.4 in ISO/IEC 27001:2013) generates personal data, which then falls within the scope of GDPR and needs its own lawful basis, retention limit and access controls.

In many cases, only someone who is well-versed and certified in both GDPR and ISO 27001 auditing is capable of identifying such issues and resolving them in a way that satisfies both ISO 27001 and GDPR.

We work with your organization to implement the necessary hardware and software systems that facilitate the cyber threat valuation. Since each client will have different systems, processes and infrastructure, there is no one-size-fits-all system that can derive individual cyber risk valuations.

For the above reason, once we have the technology installed at a client's location, we then work with them to configure the systems to suit the requirements of that particular organization. This will depend upon parameters such as the risk appetite of the organization (the options for a given risk being to accept it, to avoid it, or to manage it, the latter including transferring risk via insurance); the available resources and information; and the purpose of the exercise, in terms of what the client intends to do with the resulting risk valuation data.

Our technology enables clients to run "what-if" scenarios in order to model changes to systems, processes and categories and see the financial impact of such changes. For example, changing the routing of a business process to a different system may reduce the expected loss from cyber threats to an acceptable level. In other cases, it facilitates the prioritization of capital towards the most valuable processes the organization operates.

The proprietary and patented technology that Quantar has developed enables insurers and re-insurers to be in a position to offer the correct levels of coverage against breaches, at the correct price. Larger organizations can utilize the data for self-insurance (via captive and sidecar transfers). We are also able to assist organizations in determining which options are best suited to their needs.

It would depend upon the actual service being provided. In terms of auditing, this can take several forms, dependent upon the size and scale of the organization being audited (for example, whether it is multi-location).

Following standard auditing methods, for ISO 27001 external auditing, this would take place both at the client’s premises, with access to all areas and personnel, and also quite possibly, offsite where documentation review is required in detail and where the volume of information requires a structured, in-house team review.

For GDPR implementation and compliance, this is undertaken in much the same manner, except that due to the need to ensure regulatory compliance in order to avoid penalties, this may be executed in a more detailed form and would not necessarily be based upon sampling in the way that ISO auditing is undertaken.

For cyber threat valuation services, this requires both technical/I.T. personnel to be available to work with us, but also key personnel who are able to deliver the relevant information for configuration of the systems. This might include, for example, risk managers, process owners and business continuity managers.

Where suitable data is not available, our technology enables an organization to commence with as much information as it has and to add granularity to the cyber threat valuation as further information becomes available. This is common where there are multiple locations with differing data availability; it is managed by importing the system data from any number of locations into a central one for a consolidated cyber threat valuation calculation (individual location values can also be produced where required).

There are varying lead times according to the services required, the size of the organization, the scope of the audit and the end objectives desired by each client. Normally, we would evaluate the aforementioned and then be in a position to give a lead time for our services.

As one can imagine, with the GDPR compliance deadline being a relatively short time in the future (May 2018), most interest is currently in the implementation of a data privacy framework and ensuring that it complies with the forthcoming regulation in order to avoid the heavy penalties that can be imposed.

We would view a mapping of ISO 27001 to GDPR to be advisable, but it is understandable that the primary focus will be on simply putting into place the processes and requisite documentation as the initial phase of an implementation, with the add-on activities of ISO mapping and risk transfer (requiring cyber valuation) coming at a later stage once the main thrust of the program has been launched.

For cyber threat valuation, this may be dependent upon the availability of both our client and us in terms of the technicians available for the implementation of some aspects of our networked technology. However, the bulk of implementation falls to the configuration of the systems, which require time at the client location, in conjunction with personnel who are able to provide the necessary information for the systems concerned.

In all cases, we would initially respond to any inquiry regarding our services with an estimation as to costs and time-frame.

We work in two phases for cyber threat valuation services. The first is to implement our back-end technology that requires in-house I.T. personnel to collaborate with our team in the installation and configuration. This is not a major task generally, since our systems sit outside of your organization’s security perimeter.

The front-end technology is implemented in a rapid fashion, with the actual configuration of it taking the most time. This is because each client has a different business, with proprietary business processes, modes of operation, technical infrastructure and business needs. As such, we work hand-in-hand with your organization’s personnel in reaching the point of hand-over for our systems. At that point, the path is clear and the output is simple to understand.

Where additional users are required, this may entail additional training, which we are able to provide on a day rate basis, with no hidden costs. Our systems have been designed for ease of use and simplicity in order to be usable with a minimum of working knowledge of the underlying technology.

In organizations that have a limited resource or data availability, we are able to provide ongoing support in developing the configuration as required, such as increasing the detail and volume of data inputs in order to increase the accuracy of the predicted cyber threat valuation and trend line for enhancing risk management operations.

The GDPR is comprised of the Articles and the Recitals, and every one of each needs to be taken into account when developing a GDPR compliance program. Whilst in many cases an Article may be fairly specific as to what an organization needs to do, the corresponding Recital may give a different twist to the overall interpretation of that Article. It is in these circumstances that the greatest danger lies for an organization seeking to comply with both.

With the above in mind, Quantar does not undertake a tick-box exercise in the manner that some certification audits can reasonably be executed. Because of the punitive levels of fines that can be imposed for breaches of the GDPR, we seek to work to meet both the scope and intent of the regulation when undertaking an implementation, as well as in the case of an external audit service.

Although the GDPR may seem extremely onerous, because the regulation is drafted in clearly defined sections it is possible to review each of them in a check-box manner as a starting point for a GDPR program, in other words a simple gap analysis. There are a number of tools available on the market that may assist companies in undertaking this, including the U.K. Information Commissioner's website (see Resources for links).

In answering the question: since there is scope for interpretation by an external party, there is also scope for an element of an organization's GDPR program to be misinterpreted. There are many ways to reduce this risk, such as using a proven or certified personal data protection scheme; using the model contracts provided by the E.U. itself; using ISO 27001 certification as supporting evidence of the technical and organizational security measures required by the regulation; and aligning with the ISO 31000 risk management standard.

Our role is to work with our clients in determining the best means by which their GDPR program can be both compliant and DEMONSTRABLY so.

We take pride in the fact that we have maintained very long relationships with our clients, regardless of geographic location (we have retained clients in different countries for over 8 years in some instances). Our view is that with rapidly changing environments (technical, regulatory, financial primarily), there will be an ongoing requirement for companies and maintaining a strong working relationship is easier than starting from scratch for all parties.

Our commitment to ongoing customer support gives confidence in our ability to support your organization through changing demands and requirements on an ongoing basis. We also have extensive third party contacts globally who may also be able to assist in areas that are not covered by our services where a client has such needs.

Our stock answer to this question is that we have been in the business of cyber threat valuation since 1999! The fact remains that until the major Sony hack on the 24th November 2014 and subsequent high-visibility hacks in the U.S. such as Yahoo, Target and Home Depot, resulting in a major financial impact upon listed companies, the subject of hacking and of financial impact was low on a Board agenda.

Prior to Sony, the belief was that hacking was for the I.T. security department to deal with. Post Sony, the mindset changed to one of “when we are successfully hacked, how do we risk manage it?” With this change, there has been an evolution of companies seeking to achieve what we already have.

Our background in security, I.T. strategy and risk management, coupled to our proprietary systems means that, even today, there is no other company that has the same service offer that we are able to deliver.

Quantar currently owns 10 patents in the field of the financial valuation of cyber threats, ranging from the first filing in 2003 to the latest patent issued in September 2017. Our knowledge of the field is deep, and we have extensive experience in drawing upon the skills of renowned experts in the development of our systems. Many have claimed that they can value the cyber threats of every client on an individual basis; the reality is that we are the ones who can!

Did not find the answers?

In case you have not found the answer you want here, or you have more general inquiries, please feel free to drop us a message and we will contact you as soon as possible.