Optiv + Specialty Auto Insurance Company = Accelerated Enterprise Risk Management

The Situation – no visibility into data-related risks & unmet compliance requirements


A large, specialty automotive insurance company was growing swiftly through mergers and acquisitions, bringing on new IT risk. Because the insurance industry works with such sensitive customer data, this data must be properly secured and protected. With little IT oversight and a non-operational Enterprise Risk Management (ERM) process, the company’s senior leadership had no visibility into data-related risks or overall security posture. The company also had customers throughout the United States and Canada, subjecting it to numerous state and provincial data privacy regulations, as well as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Achieving and maintaining compliance with additional industry security requirements from the Payment Card Industry (PCI) was another top priority.


The Solution – fill the ERM gap through Risk Transformation Service (RTS)


We immediately went to work on the gap in ERM by leveraging Optiv’s Risk Transformation Service (RTS). To accelerate our client’s security maturity, we custom-built an ISO-based IT security risk management program that linked risk back to business drivers, justifying security spending while communicating risk measurement and risk management at the executive level. This risk management program covered the full risk lifecycle, including risk source identification, risk analysis, risk prioritization mapping, calculation of risk treatment options, and metrics reporting.


To aid in our client’s rapid adoption, Optiv’s Risk Consultants tailored supplemental tools and workpapers, and conducted risk training and tabletop exercises with the client.

Industry Served: Insurance

Our Starting Point

  • Client had limited success rebuilding ERM implementation due to staff transitions
  • During a legal and compliance functional review, IT and InfoSec (Information Security) risks were not included
  • Only one internal auditor dedicated to IT and InfoSec, yet IT dictated the target and scope of audits

Accelerating Forward

  • Leveraged our Risk Transformation Service
  • Performed a Focused Security Strategy Assessment (FSSA)
  • Developed tailored operational processes for risk management and assessments
  • Established dedicated cyber risk management team
  • Conducted a risk tabletop exercise to facilitate client education and adoption

Client Outcomes

  • Raised awareness of cyber risks through executive-level risk measurement and communication
  • Identified focus points for ERM Program through Enterprise Risk Council (ERC) tabletop exercise
  • Provided cyber risk management metrics and reporting
  • Client now working smarter thanks to new documented risk assessments and repeatable processes
  • Successfully transitioned risk management to client operational staff
  • Valuable partnership established; Optiv and the client are moving forward with a formal governance, risk and compliance solution and a third-party risk management (TPRM) program

How can we help you secure greatness?


Optiv can advise on, deploy and operate end-to-end cybersecurity programs aligned to your business goals. As the cyber advisory and solutions leader, we serve nearly 6,000 companies across every major industry. Our certified experts can help you gain the agility, security, scale and control you need to stay ahead of the competition.