SAMPLE REPORT
RISKDOWN CYBER
PREPARED FOR
Acme Family Dentistry
EST. 2004 · TAMPA, FL
REPORT ID · RPT-2026-Q4-RD-0042
PERIOD · Q4 2026
GENERATED · 12 JAN 2026
// RISK REDUCTION & CONTINUOUS MONITORING REPORT
// EXECUTIVE SUMMARY
Posture Grade: B+ (↑ from B−)
Controls Met: 12/14 (2 partial)
Modeled annual loss (ALE, FAIR model): $184K (↓ from $298K)
Avg time to detect (MTTD, days): 63d (↓ from 241-day baseline)
INDUSTRY BENCHMARK CONTEXT
Verizon DBIR 2025 (Healthcare, <50 employees): this organization exceeds the reported median posture on MFA, EDR coverage, backup verification, and documented IR plan. Source: 2025 Data Breach Investigations Report, Verizon
CIS Controls IG1 implementation: ahead of the published small-business baseline on 11 of 14 safeguards. Industry IG1 median sits near 41% full implementation; this organization is at 86%. Source: CIS Community Defense Model v2.0, Center for Internet Security
NetDiligence Cyber Claims Study 2024: vendor risk management is the most common control gap in SMB claims under $500K. This is the lowest-coverage control in this report (74%) and the highest-lift remediation for insurability. Source: NetDiligence 2024 Cyber Claims Study, SMB segment

Security controls

The controls insurance carriers, brokers, and auditors review most closely. Each maps to a CIS Control v8.1 safeguard and the corresponding question on the major carrier applications. Evidence references in Section 03.

Control | CIS mapping | Carrier application reference | Status | Coverage | Evidence
Multi-factor authentication on email, remote access, cloud apps, and admin accounts | CIS 6.3, 6.5 | UW: TRV-14 · COA-22 · ATB-08 · BEA-11 · AXS-09 | MET | 100% | E-01
Endpoint protection (EDR/MDR) on every laptop, workstation, and server | CIS 10.7, 13.7 | UW: TRV-19 · COA-15 · ATB-12 · BEA-07 · AXS-14 | MET | 100% | E-02
Backups: encrypted, offsite or immutable, restoration tested in the last 6 months | CIS 11.2, 11.3, 11.4, 11.5 | UW: TRV-22 · COA-31 · ATB-19 · BEA-14 · AXS-18 | MET | 100% | E-03
Written incident response plan with named roles, tested in the last 12 months | CIS 17.1, 17.4, 17.7 | UW: TRV-28 · COA-34 · ATB-22 · BEA-17 · AXS-21 | MET | 100% | E-04
Email security — SPF, DKIM, DMARC enforced, plus phishing defense | CIS 9.5, 9.6, 9.7 | UW: TRV-16 · COA-27 · ATB-10 · BEA-13 · AXS-12 | MET | 100% | E-05
Patches applied to critical systems within documented timeframes | CIS 7.3, 7.4 | UW: TRV-25 · COA-19 · ATB-15 · BEA-19 · AXS-16 | MET | 94% | E-06
Administrator accounts separate from regular accounts, least privilege enforced | CIS 5.4, 6.8 | UW: TRV-15 · COA-23 · ATB-09 · BEA-12 · AXS-10 | MET | 100% | E-07
Annual security awareness training plus phishing simulations for all staff | CIS 14.1, 14.2 | UW: TRV-30 · COA-37 · ATB-25 · BEA-21 · AXS-23 | MET | 96% | E-08
Central log collection for forensic investigation after an incident | CIS 8.2, 8.5, 8.11 | UW: TRV-26 · COA-29 · ATB-17 · BEA-15 · AXS-19 | MET | 100% | E-09
Vendor security review — SOC 2 reports collected from key vendors | CIS 15.1, 15.4 | UW: TRV-33 · COA-40 · ATB-28 · BEA-23 · AXS-26 | PARTIAL | 74% | E-10
Network segmentation — sensitive systems isolated from guest and general traffic | CIS 12.2, 12.4 | UW: TRV-21 · COA-25 · ATB-13 · BEA-16 · AXS-15 | PARTIAL | 68% | E-11
Penetration test conducted in the last 12 months | CIS 18.2 | UW: TRV-31 · COA-38 · ATB-26 · BEA-22 · AXS-24 | MET | Aug 2026 | E-12
Asset inventory with critical systems identified and ownership assigned | CIS 1.1, 1.2 | UW: TRV-11 · COA-13 · ATB-05 · BEA-08 · AXS-07 | MET | 100% | E-13
AI tools and agents inventoried, with usage policy in place | CIS 2.1, 16.10 | UW: TRV-39 · COA-44 · ATB-32 · BEA-27 · AXS-30 | MET | 100% | E-14
UW codes: TRV Travelers · COA Coalition · ATB At-Bay · BEA Beazley · AXS AXIS  ·  Reference numbers correspond to the question position on each carrier's current SMB application. Use this report to answer the application directly — every "MET" control has supporting evidence in Section 03.

Loss-pattern coverage

The three claim categories that drive most cyber insurance losses. Same controls as Section 01, grouped by which loss pattern they defend against — the view carriers use to price. Claim frequencies sourced from NetDiligence Cyber Claims Study 2024 and Coalition 2024 Cyber Claims Report, SMB segment.

Ransomware · Grade A−
Encryption + extortion attacks. ~37% of SMB cyber claims.
EDR / MDR coverage: 100%
Immutable / offsite backups: 100%
Backup restore tested < 6 mo: YES
Patch SLA on critical systems: 94%
Network segmentation: 68%
IR plan + tabletop tested: YES

Business Email Compromise · Grade A
Account takeover, invoice fraud. ~28% of SMB cyber claims.
MFA on email (all accounts): 100%
SPF / DKIM / DMARC enforced: 100%
Phishing simulation cadence: QUARTERLY
Training completion: 96%
Admin / privileged separation: YES
Conditional access / IP allow: YES

Wire / Funds Transfer Fraud · Grade B
Payment redirection, vendor impersonation. ~14% of SMB cyber claims.
Out-of-band payment verify: POLICY
Vendor change controls: PARTIAL
Dual-approval over threshold: YES
BEC-specific training module: YES
Vendor SOC 2 evidence: 74%
Domain typo / lookalike monitoring: GAP

Changes detected (last 90 days)

Continuous monitoring catches when a control slips between formal reviews. Every change is dated, sourced, and tracked to resolution.

28 DEC
One account found without MFA enforcement. A service account was excluded from the policy. Resolved 2 days later by removing the exclusion. Source: identity provider audit log
12 DEC
Backup restore test passed. Patient management system restored to test environment in 11 minutes. Result logged.
04 NOV
New AI vendor added. AI scribe vendor declared in stack inventory. Business Associate Agreement pending — flagged for Q1 follow-up.
21 OCT
Phishing simulation results. Click rate dropped from 24% to 11%. No credentials entered. Targeted retraining assigned to top 3 clickers.

Evidence index

Every control on page 1 has a corresponding artifact below — the proof behind the claim. Documents available on request.

Incident history (12 months)

Reportable events and exercises in the trailing 12 months.

Q4 2026
0 reportable incidents. 4 phishing simulations (24% → 11% click rate). 1 tabletop drill (ransomware, AAR available).
Q3 2026
1 contained event. Foreign-IP login attempt blocked by MFA. No data exposure. Documented in AAR.
Q2 2026
0 reportable incidents. Penetration test completed Aug 2026 — 4 findings, all remediated within 30 days.
Q1 2026
1 reportable event. Lost device (laptop); remote wipe within 90 minutes, no exfiltration detected. Carrier notified per policy.
About this report. Risk quantification (ALE, MTTD) is produced using the FAIR (Factor Analysis of Information Risk) methodology, an international standard maintained by The Open Group. Modeled figures are illustrative estimates calibrated to industry benchmarks and your active program data; they are not predictions of actual losses. CIS Controls v8.1 mapping follows the framework published by the Center for Internet Security. Industry benchmark context, claim frequency figures, and loss-pattern attributions reference publicly available reports: Verizon Data Breach Investigations Report (2025), IBM Cost of a Data Breach Report (2025), NetDiligence Cyber Claims Study (2024), Coalition Cyber Claims Report (2024), and CIS Community Defense Model v2.0. Carrier application reference codes (TRV / COA / ATB / BEA / AXS) map to the current SMB application questions for Travelers, Coalition, At-Bay, Beazley, and AXIS respectively; verify against the most recent application version at submission. This report does not constitute legal, insurance, or financial advice. Coverage decisions and breach matters remain with your broker, carrier, and counsel.