Cyber Risk Management Standard

Operational methodology implementing the Cyber Risk Management Policy — scoring, categories, treatment, lifecycle, and review cadence

Field | Value
Document ID | STD-005
Classification | Internal
Owner | CTO (interim CISO)
Effective Date | April 2026
Review Cycle | Annual

Role note: The CISO role referenced throughout this Standard is currently pending formal appointment. Until then, the CTO acts as interim CISO for all sign-offs, approvals, and accountabilities described here. References to “CISO” should be read as “CISO (or interim CTO)” during the transition.

1. Overview

This Standard operationalises the Cyber Risk Management Policy (POL-006). Where the Policy states what the Organization commits to, this Standard defines how the security team actually does it day-to-day — risk scoring, classification bands, category taxonomy, treatment options, status lifecycle, review cadence, and audit evidence.

The Standard is maintained by the CISO (see role note above) and can be updated without Board re-approval when operational practice changes (e.g. new scoring inputs, new categories). The Policy itself is reviewed annually by the Board.


2. Purpose

To ensure that every cybersecurity risk identified is:

  • Scored consistently across the organization
  • Classified into a Level that drives treatment priority
  • Assigned an Owner and Treatment plan
  • Tracked through a documented lifecycle
  • Reviewed on an appropriate cadence
  • Evidenced for internal and external audit

3. Scope

Applies to every risk tracked in the Wealthy Risk Register. Covers all business functions, systems, vendors, personnel, and physical assets in scope of the Cyber Risk Management Policy.


4. Risk Register

4.1 Location

The live Risk Register is maintained as a Google Sheet owned by security@wealthy.in (so ownership survives individual departures).

Link: RISK REGISTER (Google Sheet) — access restricted; unauthorised visitors see a Google “Request access” page.

4.2 Structure

Each risk row includes:

Field | Description
ID | Stable identifier <CATEGORY>-<NN> (e.g. CYBER-01). IDs are never reused.
Category | One of the eight categories in §5.
Risk | Description of what could go wrong.
Entity | Insurance / Broking / Both — which regulated entity the risk applies to.
Impact | 1-5 scale (§6.1).
Likelihood | 1-5 scale (§6.2).
Score | Auto: Impact × Likelihood. Range 1-25.
Level | Auto from Score: Low / Medium / High / Critical (§6.3).
Owner | Role accountable for treatment.
Treatment | Mitigate / Transfer / Accept / Avoid / Monitor (§7).
Controls | Specific controls in place (tooling, process, contractual).
Status | Lifecycle stage (§8).
Review cadence | Weekly / Monthly / Quarterly / Half-yearly / Annual / One-time (§9).
Last reviewed | Date of last CISO review.
Evidence link | URL to audit artefact.

5. Risk Categories

Code | Category | Covers
CYBER | Cyber | Technical security — breach, malware, DDoS, insider
REG | Regulatory | Compliance risk — missed reporting, audit failure
TP | Third-party | Vendor / CSP / sub-processor risk
OPS | Operational | Downtime, data loss, human error
FIN | Financial | Fraud, incorrect billing, liquidity
STRAT | Strategic | Regulatory change, competitor, business model
PEOPLE | People | Key-person loss, training gap, insider threat
PHYS | Physical | Office access, hardware theft, fire/flood

6. Scoring

6.1 Impact scale

Score | Impact | Business meaning
1 | Negligible | No material impact, < ₹1L loss
2 | Minor | < ₹10L loss, minor customer impact
3 | Moderate | ₹10L-1Cr loss, some customer data affected, 1-day downtime
4 | Major | ₹1-10Cr loss, regulator notification, reputational hit
5 | Severe | > ₹10Cr loss, licence risk, mass customer impact, media event

6.2 Likelihood scale

Score | Likelihood | Meaning
1 | Rare | < 1% chance per year
2 | Unlikely | 1-10% per year
3 | Possible | 10-30% per year
4 | Likely | 30-70% per year
5 | Almost certain | > 70% per year, or happens regularly

6.3 Level bands

Score = Impact × Likelihood (range 1-25).

Score | Level | Response
1-4 | Low | Accept or monitor
5-9 | Medium | Plan treatment within 90 days
10-14 | High | Active treatment, CISO tracks weekly
15-25 | Critical | Immediate action, escalate to RMC / Board
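The row layout in §4.2 and the scoring rules in §6 are what the Register's auto-columns implement. The following checker is an added example, not part of the Standard or of the Google Sheet itself: it models one register row as a dict, derives Score and Level exactly as §6.3 specifies (Impact × Likelihood, then the four bands), validates the hand-entered fields (ID format, category code, entity, treatment, status) against §4.2, §5, §7 and §8, and tabulates how the 25 cells of the 5×5 grid fall into the bands. The sample rows, their IDs and descriptions are constructed for illustration; the assumption that the `<NN>` part of an ID is exactly two digits is taken from the example `CYBER-01`.

```python
"""Risk-register row checker for the §4.2 layout and the §6 scoring scheme.

Added example, not the Standard's own tooling. Sample rows are constructed;
the IDs and descriptions below are hypothetical.
"""
import re

CATEGORIES = {"CYBER", "REG", "TP", "OPS", "FIN", "STRAT", "PEOPLE", "PHYS"}  # §5
ENTITIES = {"Insurance", "Broking", "Both"}                                     # §4.2
TREATMENTS = {"Mitigate", "Transfer", "Accept", "Avoid", "Monitor"}             # §7
STATUSES = {"Identified", "In Treatment", "Mitigated", "Accepted", "Closed"}    # §8
# <CATEGORY>-<NN>; assumes exactly two digits, as in the example CYBER-01
ID_RE = re.compile(r"^(?P<cat>[A-Z]+)-(?P<num>\d{2})$")
# §6.3 bands as (inclusive upper bound, level), in ascending order
BANDS = [(4, "Low"), (9, "Medium"), (14, "High"), (25, "Critical")]


def score(impact: int, likelihood: int) -> int:
    """§6.3: Score = Impact × Likelihood, both on the 1-5 scales of §6.1 / §6.2."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value!r}")
    return impact * likelihood


def level(score_value: int) -> str:
    """Map a 1-25 score onto the §6.3 Level bands."""
    for upper, name in BANDS:
        if score_value <= upper:
            return name
    raise ValueError(f"score out of range: {score_value}")


def band_counts() -> dict:
    """How many of the 25 Impact × Likelihood cells land in each Level."""
    counts = {name: 0 for _, name in BANDS}
    for impact in range(1, 6):
        for likelihood in range(1, 6):
            counts[level(score(impact, likelihood))] += 1
    return counts


def check_row(row: dict) -> list:
    """Return the problems found in one register row (empty list means clean)."""
    problems = []
    m = ID_RE.match(row.get("ID", ""))
    if not m:
        problems.append("ID must look like <CATEGORY>-<NN>, e.g. CYBER-01")
    elif m.group("cat") not in CATEGORIES:
        problems.append(f"unknown category code in ID: {m.group('cat')}")
    elif m.group("cat") != row.get("Category"):
        problems.append("ID prefix must match the Category column")
    if row.get("Entity") not in ENTITIES:
        problems.append("Entity must be Insurance / Broking / Both")
    # §7 permits combinations such as "Transfer + Mitigate"
    treatments = {t.strip() for t in row.get("Treatment", "").split("+")}
    if not treatments or not treatments <= TREATMENTS:
        problems.append("Treatment must use only Mitigate/Transfer/Accept/Avoid/Monitor")
    if row.get("Status") not in STATUSES:
        problems.append("Status must be one of the §8 lifecycle stages")
    try:
        s = score(row["Impact"], row["Likelihood"])
    except (KeyError, ValueError, TypeError) as exc:
        problems.append(f"cannot score row: {exc}")
        return problems
    derived = level(s)
    # Score and Level are auto-columns; a stored value that disagrees is a sheet error
    if row.get("Score") not in (None, s):
        problems.append(f"Score column says {row['Score']} but Impact × Likelihood = {s}")
    if row.get("Level") not in (None, derived):
        problems.append(f"Level column says {row['Level']} but score {s} is {derived}")
    return problems


# Constructed sample rows (hypothetical IDs and descriptions)
SAMPLE_ROWS = [
    {"ID": "CYBER-01", "Category": "CYBER", "Risk": "Ransomware on a production host",
     "Entity": "Both", "Impact": 4, "Likelihood": 3, "Score": 12, "Level": "High",
     "Treatment": "Mitigate", "Status": "In Treatment"},
    {"ID": "tp-02", "Category": "TP", "Risk": "Sub-processor outage",
     "Entity": "Broking", "Impact": 5, "Likelihood": 1, "Level": "Critical",
     "Treatment": "Transfer + Mitigate", "Status": "Identified"},
]


def check_samples() -> dict:
    """Run check_row over the constructed rows, keyed by the row's ID."""
    return {row["ID"]: check_row(row) for row in SAMPLE_ROWS}


if __name__ == "__main__":
    print("cells per level:", band_counts())
    for rid, problems in check_samples().items():
        print(rid, "OK" if not problems else problems)
```

Running it shows the second row rejected on two counts: the lowercase ID fails the `<CATEGORY>-<NN>` pattern, and a Severe (5) × Rare (1) risk scores 5, which §6.3 bands as Medium, not the Critical someone typed into the Level column. The band tally also makes the shape of the scheme visible at a glance: 8 of the 25 cells are Low, 7 Medium, 4 High and 6 Critical.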

7. Treatment Options

Treatment | When to use
Mitigate | Add controls to reduce impact or likelihood
Transfer | Shift the risk — insurance, contractual transfer, vendor SLA
Accept | Risk is low enough; document the rationale explicitly
Avoid | Stop the activity that creates the risk
Monitor | Watch without active treatment (used alongside Accepted risks so that a change in conditions is picked up)

Combinations are permitted (e.g. Transfer + Mitigate) when multiple controls apply.


8. Status Lifecycle

Identified → In Treatment → Mitigated → Accepted → Closed

Status | Meaning
Identified | Risk recognised; no treatment plan yet. Owner must propose one.
In Treatment | Actively being mitigated. Controls being implemented. CISO tracks weekly.
Mitigated | Controls in place and verified. Risk reduced to tolerable level.
Accepted | Risk documented; not treating. Requires CISO sign-off with rationale.
Closed | Risk no longer applicable (business changed, tech retired, etc.).

Movement to Accepted or Closed requires CISO sign-off and is captured in the ISRMC minutes for that quarter.


9. Review Cadence

Cadence | Who | What
Weekly | CISO | Critical + High risks in treatment — status update
Monthly | CISO + DevOps | Backup integrity verification and related OPS risks
Quarterly | ISRMC | Full register review, new risks identified, scores re-assessed
Half-yearly | ISRMC + RMC | Domain-level trend analysis, treatment budget allocation
Annual | Board | Top 10 risks, strategic alignment, next-year risk appetite

Trigger-based review (outside cadence)

Review the Register, and add an entry where one is missing, whenever:

  • A new incident occurs → check whether the risk was registered
  • A VAPT / penetration test finds a new issue → add as risk with closure timeline
  • A new vendor is onboarded → add vendor risk row
  • A new regulation or advisory is published
  • A new business product launches
  • A major architecture change happens
  • A key person departs

10. Audit Evidence Workflow

Quarterly (ISRMC)

  1. CISO updates the Register before the ISRMC meeting (new risks, status changes, treatment progress).
  2. At the meeting, ISRMC reviews the Register live.
  3. After the meeting, the Register is exported to PDF (landscape, fit-to-width), named risk-register-QX-YYYY.pdf.
  4. The PDF is attached to the ISRMC meeting record, signed off by the CISO.
  5. That record becomes the immutable audit artefact for the quarter.

Annual (Board)

  1. Top 10 risks report is exported as a separate PDF.
  2. Attached to the Board Cyber Review record.
  3. The Board approves a 12-month closure plan for any open Critical risks.

On demand

Regulators may request a snapshot at any time. The Register can be exported to PDF on demand; the auditor receives the PDF plus read-only access to the live Sheet.


11. Ownership & Accountability

Role | Responsibility
CISO | Owns the Register; updates weekly; signs off status changes
CTO | Owns OPS + TP risks; provides infra input
DPO | Owns privacy risks under DPDP
Compliance | Owns REG risks; Annexure-III / Annexure-N submissions
DevOps Lead | Owns technical controls; backup verification
HR | Owns PEOPLE risks — training, onboarding
Procurement | Owns TP vendor risks — contracts, reviews
Legal | Owns TP contract risks — NDA, BAA, CSP terms
Board / RMC | Receives Top 10 annually; approves 12-month closure plans

Controls cited in the Register reference these policies:


13. Regulatory Mapping

This Standard supports compliance with:

  • IRDAI Cyber Security Guidelines 2024 — Risk Register requirement
  • SEBI CSCRF (Aug 2024) — Annexure-E: dynamic risk management, risk scoring, scenario testing
  • CERT-In Directions 2022 — Risk identification implicit in incident response preparedness
  • DPDP Act 2023 — Risk-based security safeguards

14. Review

This Standard is reviewed by the CISO at least annually, or whenever operational practice changes materially (new categories, revised scoring, changed workflow). Changes do not require Board approval but must be recorded in ISRMC minutes.