The Standard in Credit Control
for Cyber Risk Assessment
EICG conducts independent IT security assessments on behalf of banks and insurers, providing a structured, evidence-based view of an organisation's cyber risk posture.
European Institute for Cyber Governance (EICG) Deep-Tech IT and Consultancy Department
Quantum Basel Hub · Schorenweg 44b, Arlesheim
The Blind Spot in Traditional Credit Assessment
Traditional credit assessment evaluates financial health: balance sheets, cash flow, payment history. It does not address the IT infrastructure that increasingly determines whether a business can operate, recover from disruption, or meet regulatory obligations.
A ransomware incident, a data breach, or a failure to comply with NIS2 or GDPR can render a borrower unable to service its debt. Banks and insurers need a structured, independent view of IT risk to make informed decisions.
EICG was established to fill this gap, providing a standardised, repeatable assessment methodology that financial institutions can rely on.
Cyber Risk as a Financial Consideration
Cyber incidents can materially affect business continuity, liquidity, and creditworthiness.
Prevalence of Cyber Incidents
Within the European financial sector, more than 50% of institutions report experiencing cyberattacks on an annual basis.
Approximately one third of these incidents result in major ICT-related events with operational impact.
Financial Impact
The median direct loss associated with a cyber incident is estimated at approximately $400,000.
In more severe cases, losses may escalate significantly, with potential implications for liquidity and solvency.
Implications for Business Continuity
European and international authorities highlight that cyber incidents can result in substantial operational disruption and, in certain cases, broader systemic risk.
Such disruptions may contribute to elevated counterparty and credit risk.
How an Assessment Works
The assessment process is designed to be straightforward for applicants while providing depth of analysis for the requesting institution.
Institution Requests Assessment
A bank or insurer commissions EICG to assess a specific organisation, with that organisation's consent. A secure, personalised invitation link is generated and shared with the applicant.
Applicant Completes Questionnaire
The applicant completes a short structured review of the organisation's security posture. This takes approximately 10 minutes.
Independent Evidence Review
In parallel, EICG conducts an independent evidence-based analysis of the organisation's external security posture.
IT Auditor Review: No Exceptions
Before any report is released, a qualified expert IT team reviews every finding. Edge cases are assessed individually, and no decision ever reaches the institution without human sign-off.
Report Delivered to Institution
The reviewed, signed-off report is released to the requesting institution via the secure bank portal. The applicant receives confirmation of completion only: no score and no detail.
Six Assessment Domains
Every assessment evaluates the same six domains, enabling consistent comparison across organisations and over time.
Cloud Maturity
Assessment of cloud service adoption, configuration management, and the security posture of cloud-hosted workloads and data.
Weight: 20%
Security Hygiene
Evaluation of patch management, email authentication (SPF/DKIM/DMARC), TLS certificate validity, and baseline hardening practices.
Weight: 22%
Risk Exposure
Identification of externally exposed services, open ports, vulnerable software versions, and indicators of past compromise.
Weight: 22%
Tech Modernity
Review of technology stack currency, end-of-life software usage, and the capacity of the infrastructure to support secure, modern operations.
Weight: 13%
Data Breach Risk
Cross-referencing of organisational identifiers against known breach databases and dark web exposure indicators.
Weight: 13%
Digital Sovereignty
Evaluation of data residency, third-party dependency concentration, and reliance on infrastructure outside European jurisdiction.
Weight: 10%
Built for Financial Institutions and Their Clients
EICG operates at the intersection of cybersecurity and financial risk, serving both the institutions that commission assessments and the organisations that complete them.
Independent Risk Intelligence
- Standardised IT risk score (A–E) as a complement to credit assessment
- OSINT-based analysis independent of applicant self-reporting
- Confidential reporting delivered directly to the institution
- GDPR-compliant data processing with documented consent
- Consistent methodology enabling portfolio-level comparison
- Aligned with NIS2, DORA, and EBA ICT risk guidance
Transparent, One-Time Process
- Invited directly by your bank, no unsolicited contact
- 10-question questionnaire, approximately 10 minutes
- Email verification and secure data handling throughout
- Data shared exclusively with the requesting institution
- No data sold to third parties or used for marketing
- GDPR rights fully preserved, request deletion at any time
Independence, Transparency, Confidentiality
Organisational Independence
EICG has no financial interest in the outcome of any assessment. We do not advise the organisations we assess, eliminating conflicts of interest.
GDPR-Compliant Processing
All personal data is processed on a lawful basis with explicit consent. Data is stored within the European Union and Switzerland and not transferred to third countries.
Standardised Methodology
Every assessment uses the same six-domain framework and scoring model, ensuring comparability and eliminating assessor bias.
Strict Confidentiality
Assessment results are shared exclusively with the commissioning institution. Applicants are not ranked publicly and results are not disclosed to any other party.
NIS2 & DORA Aligned
Our assessment framework reflects the requirements of the EU's NIS2 Directive and the Digital Operational Resilience Act, keeping institutions ahead of regulatory expectations.
Auditability
Every assessment generates a timestamped, numbered certificate. The methodology, scoring weights, and data sources are documented and available to commissioning institutions on request.
European Institute for Cyber Governance (EICG)
EICG was established to address a structural gap in financial risk assessment: the absence of a standardised, independent method for evaluating the cyber risk posture of credit applicants and insured parties.
We operate as an independent assessment body, working exclusively with financial institutions and their nominated applicants. We do not provide cybersecurity consultancy, remediation services, or vendor recommendations; our sole function is objective assessment and reporting.
Our methodology draws on open-source intelligence techniques, structured questionnaire design, and AI-assisted analysis, combined with human expert IT review before any report is released.
EU-based operations. All data processing, storage, and analysis takes place within the European Union.
Human review on every report. AI-assisted analysis is reviewed by a qualified expert IT team before release. No automated decisions are made without oversight.
Reproducible scoring. Scores are calculated using a documented, weighted model. The same inputs always produce the same output.
Certificate-based reporting. Each released report carries a unique certificate number for audit trail purposes.