Financial Impact Questionnaire
What is a financial impact questionnaire?
The financial impact questionnaire is a dedicated assessment that captures the key risk drivers required to estimate the financial impact of risk scenarios.
How to access the financial impact questionnaire?
To access the financial impact questionnaire:
Step 1: Make sure that the fields below are filled in with values on the Company Profile page in SAFE.
Fields | Requirement | Validation Requirement |
---|---|---|
Industry Sector | The industry is used in various places within the model, especially in the Regulatory section of the Information Privacy module, to determine whether certain fines are likely to be applicable. | Required to estimate the financial impact |
Corporate Headquarters (Country) | Like the industry above, geography matters most for the Regulatory section of the Information Privacy module, to determine whether certain fines are applicable. | Required to estimate the financial impact |
What is your total Annual Revenue? | Annual Revenue is a direct input in determining revenue lost during a ransomware attack. It is also used as a factor in determining certain benchmark cost driver values throughout the model. | Required to estimate the financial impact; should be > 0; cannot be less than any of the following: |
Number of total employees (full-time and part-time counted separately, not as full-time equivalents, including contractors)? | The number of employees is used to determine the default number of systems needing restoration after a ransomware attack if the number of servers and laptops/desktops is not identified. The default value is 1.2 times the number of employees, assuming one system for every employee plus an additional 20 percent of systems as servers. | Required to estimate the financial impact; should be > 0; cannot be less than "Number of US employees?"; should be less than or equal to "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?" |
Step 2: Fill in the financial impact questionnaire as accurately as your knowledge allows to produce an estimated financial impact.
Control ID | Question | Questionnaire Impact | Validation Requirements |
---|---|---|---|
55500001 | Do you have data backup that is offsite or is immutable if it is onsite? | Offsite data backup is a backup process or facility that stores backup data or applications external to the organization or core IT environment. Immutable data backup is a way of protecting data that ensures the data is fixed, unchangeable, encrypted, or unable to be modified. | - |
55500002 | Do you have a comprehensive, regularly tested Incident Response (IR) plan? | An Incident Response Plan includes incident preparation, incident detection and analysis, and recovery procedures in compliance with industry standards and regulations. | - |
55500003 | Do you have a comprehensive, regularly tested Business Continuity Plan (BCP)? | A Business Continuity Plan keeps your business operations running with the necessary resources during a cyberattack by determining the minimum resources needed to keep each critical portion of your business operation running. The BCP must be mock tested to evaluate its efficacy, implementing any necessary revisions along the way. | - |
55500004 | What percent of sensitive PII is encrypted/tokenized at rest? | Encryption: data, or plaintext, is encrypted with an encryption algorithm and an encryption key. The process results in ciphertext, which can only be viewed in its original form if it is decrypted with the correct key. Tokenization: a process that swaps out sensitive data, such as a customer's social security or bank account number, for a randomly generated data string called a token. Importantly, tokens have no inherent meaning, nor can they be reverse-engineered to reveal the original data they represent. | Should be a percentage between 0 and 100 |
55500005 | Do you have a wire transfer threshold amount that triggers additional validation and authorization? | Is there a monetary threshold for a wire transfer that triggers additional authorization protocols to prevent social engineering leading to fraudulent wire transfers? NOTE: this does not mean a dollar limit on wire transfers in general. It means that for all wire transfers greater than "x" amount, additional authorization is required before sending the wire. | - |
55500006 | If yes, what is your wire transfer threshold amount? | Is there a monetary threshold for a wire transfer that triggers additional authorization protocols to prevent social engineering leading to fraudulent wire transfers? NOTE: this does not mean a dollar limit on wire transfers in general. It means that for all wire transfers greater than "x" amount, additional authorization is required before sending the wire. | If "Do you have a wire transfer threshold amount that triggers additional validation and authorization?" is yes, this must be >= 1 |
55500007 | Are you regulated by HHS OCR for HIPAA compliance? Y/N (default no unless NAICS 62) | Are you subject to HIPAA compliance? | - |
55500008 | Are you a publicly traded company in the US? Y/N (default no) | Are you regulated by the U.S. Securities and Exchange Commission? | - |
55500009 | Are you regulated by the NYDFS? Y/N (default no unless NAICS 52) | Are you subject to the New York State Department of Financial Services Cybersecurity Regulation Part 500? | - |
55500010 | Are you subject to GDPR in Europe? Y/N (default no unless HQ is a European country) | Any company that processes or stores personal data in Europe for individuals temporarily or permanently residing in Europe could be subject to GDPR. | - |
55500011 | Total number of US residents for whom biometric data is collected and stored? | Increasingly, employees and customers whose biometric data is/was collected and stored without their prior consent are becoming part of class action lawsuits seeking an end to the practice with monetary compensation. | Must be greater than or equal to the sum of "Total number of California residents for whom biometric data is collected and stored?" and "Total number of Illinois residents for whom biometric data is collected and stored?" |
55500012 | Total number of California residents for whom biometric data is collected and stored? | The California Consumer Privacy Act (CCPA) has particularly onerous biometric laws. | Must be less than or equal to "Total number of US residents for whom biometric data is collected and stored?" minus "Total number of Illinois residents for whom biometric data is collected and stored?" |
55500013 | Total number of Illinois residents for whom biometric data is collected and stored? | Illinois' Biometric Information Privacy Act (BIPA) has led to an especially large number of class action lawsuits. | Must be less than or equal to "Total number of US residents for whom biometric data is collected and stored?" minus "Total number of California residents for whom biometric data is collected and stored?" |
55500014 | Number of US employees? | The number of US employees is used to estimate the number of potential class action litigation members who could have been victims of fraudulent tax return claims. It is also used to determine a minimum number of sensitive PII recordholders that could be compromised as a result of a Data Compromise that generates actual and possible costs. | Should be >= 0; should be <= "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?"; should be <= "Number of unique US recordholders for whom sensitive PII is stored/archived?"; should be <= "Number of unique US recordholders for whom tax preparation data is stored/archived?"; cannot be greater than "Number of total employees (full-time and part-time counted separately, not as full-time equivalents, including contractors)?" |
55500015 | Approximate number of PCI transactions processed annually? | This is used to estimate PCI DSS costs if PCI records are compromised. | Must be >= 0; must be >= 55500017 ("Number of unique recordholders for whom PCI data is stored/archived?") |
55500016 | Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived? | Sensitive PII includes: PCI (payment card information); PHI (Protected Health Information); financial account information; government-issued tax preparation documents; and government-issued ID information. This type of data can be used for identity theft schemes, and its theft or exposure can generate significant recordholder support, litigation and regulatory costs for the breached company. | Required to run ICM v2.0; cannot be less than "Number of total employees (full-time and part-time counted separately, not as full-time equivalents, including contractors)?", "Number of US employees?" or "Number of unique recordholders for whom PCI data is stored/archived?"; must be greater than or equal to the sum of "Number of unique US recordholders for whom sensitive PII is stored/archived?", "Number of unique Canadian recordholders for whom sensitive PII is stored/archived?" and "Number of unique Australian recordholders for whom sensitive PII is stored/archived?" |
55500017 | Number of unique recordholders for whom PCI data is stored/archived? | Used to estimate the percentage of PCI recordholders who could be compromised in a data breach; additional PCI DSS costs are associated with the breach of PCI records. | Cannot be greater than "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?"; must be > 0 |
55500018 | Number of unique US recordholders for whom sensitive PII is stored/archived? | The US is one of the few countries that have class action litigation for data breaches. | Must be less than or equal to "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?" minus "Number of unique Canadian recordholders for whom sensitive PII is stored/archived?" minus "Number of unique Australian recordholders for whom sensitive PII is stored/archived?"; must be greater than or equal to "Number of US employees?"; should be >= "Number of unique US recordholders for whom tax preparation data is stored/archived?"; should be <= "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?"; should be >= 0 |
55500019 | Number of unique US recordholders for whom tax preparation data is stored/archived? | There is an additional class action settlement claim type for tax preparation data pertaining to fraudulent income tax refund filings. | Cannot be greater than "Number of unique US recordholders for whom sensitive PII is stored/archived?"; must be greater than or equal to "Number of US employees?"; should be >= 0 |
55500020 | Number of unique Canadian recordholders for whom sensitive PII is stored/archived? | Canada has class action litigation for data breaches similar to that of the US. | Must be less than or equal to "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?" minus "Number of unique US recordholders for whom sensitive PII is stored/archived?" minus "Number of unique Australian recordholders for whom sensitive PII is stored/archived?"; should be >= 0; should be <= "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?" |
55500021 | Number of unique Australian recordholders for whom sensitive PII is stored/archived? | Australia has class action litigation for data breaches similar to that of the US. | Must be less than or equal to "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?" minus "Number of unique US recordholders for whom sensitive PII is stored/archived?" minus "Number of unique Canadian recordholders for whom sensitive PII is stored/archived?"; should be >= 0; should be <= "Number of unique recordholders (customers as well as current and former employees and their dependents) for whom sensitive PII is stored/archived?" |
55500022 | Percent of sensitive PII recordholders who require a legal breach notification by postal service? | Some regulations require that recordholders of applicable compromised PII receive breach notification by postal service if they have not previously opted in to email notification. The cost is significantly higher (generally more than USD $1 per recordholder). | Should be a percentage between 0 and 100 |
55500023 | What percent of total Annual Revenue comes from Deferred Revenue (e.g. subscriptions, contracted product usage, etc.)? | Deferred revenue in this case means revenue whose receipt is deferred to a future date but is not permanently lost in the case of a business interruption. | Should be a percentage between 0 and 100 |
55500024 | What is your total Annual Pre-tax Net Profit / Loss - EBITDA? (for cyber insurance only) | Cyber insurance coverage for business interruption is based on net profits lost and certain operating expenses incurred rather than the all-encompassing revenue number. EBITDA best defines net profits in this case. | Must be equal to or less than "What is your total Annual Revenue?"; should be >= "What is your total Annual Pre-tax Net Profit / Loss - EBITDA - is from contingent revenue? (dependent on third party provider IT services)" |
55500025 | What is your total Annual Pre-tax Net Profit / Loss - EBITDA - is from contingent revenue? (dependent on third party provider IT services) | Contingent net profits (EBITDA) in this case refers to the portion of total net profits that depends on IT services provided by third-party vendors (e.g. web or cloud hosting) whose outage would cause you to stop generating revenue until the service was restored. This type of business interruption occurs when you are the victim of a Supply Chain Attack that only affected the network of your vendor but did not touch your network. | Must be equal to or less than "What is your total Annual Pre-tax Net Profit / Loss - EBITDA? (for cyber insurance only)" and "What is your total Annual Revenue?" |
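As an added example (not SAFE's own code), the cross-field validation rules from the two tables above as a Python consistency check that can be run over a draft set of answers before they are entered, together with the page's 1.2 × employees default for systems needing restoration. The short dictionary keys are labels chosen here, not SAFE's field identifiers, and the sample answers are constructed.

```python
from typing import Dict, List

# Constructed sample answers (not real company data); keys are short labels chosen for this example.
SAMPLE = {
    "annual_revenue": 50_000_000, "ebitda": 6_000_000, "ebitda_contingent": 1_500_000,
    "employees_total": 800, "employees_us": 600,
    "pii_recordholders": 120_000, "pii_us": 90_000, "pii_ca": 10_000, "pii_au": 5_000,
    "pci_recordholders": 40_000, "pci_transactions": 900_000, "tax_prep_us": 600,
    "bio_us": 2_000, "bio_ca": 700, "bio_il": 300,
    "wire_threshold_enabled": True, "wire_threshold": 25_000,
    "pct_pii_encrypted": 85, "pct_postal_notification": 30, "pct_deferred_revenue": 40,
}

def check_questionnaire(q: Dict[str, float]) -> List[str]:
    """Return every violated cross-field rule from the tables; an empty list means consistent."""
    errors: List[str] = []
    def require(cond: bool, rule: str) -> None:
        if not cond:
            errors.append(rule)
    # Company Profile prerequisites (Step 1)
    require(q["annual_revenue"] > 0, "annual revenue must be > 0")
    require(q["employees_total"] > 0, "total employees must be > 0")
    require(0 <= q["employees_us"] <= q["employees_total"], "US employees must be within 0..total employees")
    # Sensitive PII recordholder hierarchy (55500016-55500021)
    pii = q["pii_recordholders"]
    require(pii >= q["employees_total"], "PII recordholders cannot be less than total employees")
    require(pii >= q["pci_recordholders"] > 0, "PCI recordholders must be > 0 and <= PII recordholders")
    require(q["pci_transactions"] >= q["pci_recordholders"], "PCI transactions must be >= PCI recordholders")
    require(q["pii_us"] + q["pii_ca"] + q["pii_au"] <= pii, "US+CA+AU recordholders cannot exceed total PII recordholders")
    require(q["pii_us"] >= q["employees_us"], "US PII recordholders cannot be less than US employees")
    require(q["employees_us"] <= q["tax_prep_us"] <= q["pii_us"], "tax-prep recordholders must be within US employees..US PII recordholders")
    # Biometric counts (55500011-55500013): the state counts are subsets of the US count
    require(q["bio_ca"] + q["bio_il"] <= q["bio_us"], "CA+IL biometric subjects cannot exceed US biometric subjects")
    # Wire transfer threshold (55500005-55500006): only checked when a threshold is in place
    if q["wire_threshold_enabled"]:
        require(q["wire_threshold"] >= 1, "wire transfer threshold must be >= 1 when enabled")
    # Percentage answers (55500004, 55500022, 55500023)
    for key in ("pct_pii_encrypted", "pct_postal_notification", "pct_deferred_revenue"):
        require(0 <= q[key] <= 100, f"{key} must be between 0 and 100")
    # Business-interruption inputs (55500024-55500025)
    require(q["ebitda"] <= q["annual_revenue"], "EBITDA cannot exceed annual revenue")
    require(q["ebitda_contingent"] <= q["ebitda"], "contingent EBITDA cannot exceed total EBITDA")
    return errors

def default_systems_to_restore(employees_total: int) -> float:
    """Page default when server/endpoint counts are missing: one system per employee plus 20% more as servers."""
    return 1.2 * employees_total
```

Running `check_questionnaire(SAMPLE)` on the constructed answers returns an empty list; changing one count so that the US, Canadian and Australian recordholders no longer fit inside the total makes the corresponding rule appear in the result.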