Plaidnox InfoSec
PLX-2025-013 . Confidential
Risk AssessmentISO 2700518 Risks Identified

Risk Assessment Report
[REDACTED]

Comprehensive information security risk assessment for [REDACTED] conducted against ISO 27005 methodology. Identifies 18 risks across 4 business units with treatment recommendations. Engagement ref. ENG-2025-0534.

Report IDPLX-2025-013
Assessment DateMar 10 . Mar 21, 2025
Risk MethodologyISO 27005 / NIST RMF
Lead AssessorPlaidnox InfoSec
01 . Overview

Risk Assessment Summary

Plaidnox InfoSec conducted an information security risk assessment for [REDACTED] across four primary business units: Claims Processing, Underwriting, Customer Portal, and IT Operations. The assessment applied ISO 27005 risk methodology with threat-model-driven scenario identification.

Eighteen risks were identified and evaluated. 4 risks are rated Intolerable (immediate treatment required), 8 are ALARP (As Low As Reasonably Practicable . treatment recommended), and 6 are Tolerable with monitoring. The intolerable risks all involve customer PII data handling and represent regulatory exposure under GDPR and FCA ICT risk guidance.


02 . Risk Register

Identified risks summary

4
Intolerable
8
ALARP
6
Tolerable
18
Total Risks
Risk IDRisk StatementLikelihoodImpactRating
R-001Unauthorised access to customer PII via compromised CRM credentialsHighCriticalIntolerable
R-002Ransomware targeting claims processing database . no offline backupMediumCriticalIntolerable
R-003Third-party data processor breach exposing underwriting dataMediumHighIntolerable
R-004Insider threat . privileged IT staff exfiltrating policyholder dataLowCriticalIntolerable
R-005Customer portal DDoS disrupting claims self-serviceMediumMediumALARP
R-006Phishing campaign harvesting broker portal credentialsHighMediumALARP
R-007API integration partner sends unencrypted PII in transitMediumHighALARP
R-008Cloud misconfiguration exposes actuarial modelling dataLowHighALARP
?Full risk register including R-009 through R-018 with detailed threat scenarios, vulnerability analysis, and asset valuations is provided in the supplementary risk register workbook.

03 . Risk Treatment Plan

Treatment strategy for Intolerable risks

?R-001 through R-004 require immediate treatment decisions by the Risk Committee. Treatment must be documented, accepted by the Data Protection Officer, and reviewed at the next quarterly board risk session.
RiskTreatment StrategyKey ControlsTarget Rating
R-001ReduceEnforce MFA on CRM; implement PAM for admin accounts; quarterly access reviewALARP
R-002Reduce + TransferImplement offline immutable backup; cyber insurance review; test restore quarterlyALARP
R-003ReduceIssue security addendum to processor contracts; annual security assessment of top 5 processorsALARP
R-004Reduce + DetectDeploy UEBA on privileged accounts; DLP monitoring on data egress; background check refreshALARP

Conclusion
Four intolerable risks require board-level treatment decisions and immediate mitigation
The risk landscape for [REDACTED] is dominated by data protection and supply chain risks driven by the volume of sensitive PII processed across claims and underwriting functions. The four intolerable risks must be brought to at least ALARP status within 60 days. Plaidnox recommends scheduling a risk treatment progress review at the 30-day mark to ensure treatment actions are on track.
Plaidnox InfoSec . PLX-2025-013
Confidential . Authorised Distribution Only