DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a Non-Final Office Action in response to application 17/513,854 entitled "MULTIDIMENSIONAL ASSESSMENT OF CYBER SECURITY RISK" filed on October 28, 2021, with claims 1 to 20 pending.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 17 recites the limitation "of the company."  There is insufficient antecedent basis for this limitation in the claim.
Therefore the claim is rejected.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Please see MPEP 2106 for additional information regarding Patent Subject Matter Eligibility Guidance.
Claims 1-20 are directed to a system, method/process, machine, or composition of matter, which are/is one of the statutory categories of invention. (Step 1: YES).
The claimed invention is directed to an abstract idea without significantly more. 
Independent Claim 1 recites: 
“intelligent assessment and management of cyber risk” 
“deploying or verifying deployment of a cyber risk agent….”
“assess the end points for cyber risk ….”
“generating a risk score….”
“aggregating the risk scores ….”
“modifying a base insurance premium….”
These limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity. Specific instances, including instructions to generate a risk score or modify a base insurance premium, recite fundamental economic principles or practices and/or commercial or legal interactions. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation as a fundamental economic, commercial, or financial action, principle, or practice then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims recite an abstract idea).
A judicial exception is not integrated into a practical application. In particular, the claims DO NOT recite any additional elements.
Any alleged additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that they amount to no more than mere instructions to apply the exception using generic computer components and/or electronic processes. For example, the Applicant’s Specification reads, “[0047] client device 120 may be a computer desktop or laptop, mobile phone, virtual assistant, virtual reality or augmented reality device, wearable, or any other suitable device [0091] This apparatus may ... comprise a general purpose computer [0092] Various general purpose systems may be used with programs in accordance with the teachings herein”. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, Claim 1 is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application).
Dependent Claims   recite additional elements.
This judicial exception is not integrated into a practical application. In particular, the recited additional elements of 
Claim 2: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 3: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 4: 
“client device, a user interface (UI)”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
“display… a dashboard”: insignificant extra-solution activity to the judicial exception of data gathering and display
Claim 5:
“client device”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
Claim 6: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 7: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 8: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 9: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 10: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 11: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 12: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 13: (none found: does not include additional elements and merely narrows the abstract idea)
are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that they amount to no more than mere instructions to apply the exception using generic computer components and/or electronic processes. For example, the Applicant’s Specification reads, “[0047] client device 120 may be a computer desktop or laptop, mobile phone, virtual assistant, virtual reality or augmented reality device, wearable, or any other suitable device [0091] This apparatus may ... comprise a general purpose computer [0092] Various general purpose systems may be used with programs in accordance with the teachings herein”. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, these dependent claims are directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application).
Independent Claim 14 recites: 
“intelligent assessment and management of cyber risk” 
“deploying or verifying deployment of a cyber risk agent….”
“assess the end points for cyber risk ….”
“generating a risk score….”
“aggregating the risk scores ….”
“modifying a base insurance premium….”
These limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity. Specific instances, including instructions to generate a risk score or modify a base insurance premium, recite fundamental economic principles or practices and/or commercial or legal interactions. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation as a fundamental economic, commercial, or financial action, principle, or practice then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims recite an abstract idea).
This judicial exception is not integrated into a practical application. In particular, the claims recite the additional elements of:
“non-transitory computer-readable medium containing instructions”:
merely applying computer processing, storage, and networking technology as tools to perform an abstract idea
are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that they amount to no more than mere instructions to apply the exception using generic computer components and/or electronic processes. For example, the Applicant’s Specification reads, “[0047] client device 120 may be a computer desktop or laptop, mobile phone, virtual assistant, virtual reality or augmented reality device, wearable, or any other suitable device [0091] This apparatus may ... comprise a general purpose computer [0092] Various general purpose systems may be used with programs in accordance with the teachings herein”. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, Claim 14 is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application).
Dependent Claims   recite additional elements.
This judicial exception is not integrated into a practical application. In particular, the recited additional elements of 
Claim 15: 
“non-transitory computer-readable medium”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
Claim 16:
“non-transitory computer-readable medium”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
Claim 17:
“non-transitory computer-readable medium”, “client device, a user interface (UI)”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
“display … a dashboard… UI dashboard displays”: insignificant extra-solution activity to the judicial exception of data gathering and display
Claim 18:
“non-transitory computer-readable medium”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
Claim 19:
“non-transitory computer-readable medium”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
Claim 20:
“non-transitory computer-readable medium”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
are recited at a high level of generality (i.e., as a generic processor performing a generic computer function) such that they amount to no more than mere instructions to apply the exception using generic computer components and/or electronic processes. For example, the Applicant’s Specification reads, “[0047] client device 120 may be a computer desktop or laptop, mobile phone, virtual assistant, virtual reality or augmented reality device, wearable, or any other suitable device [0091] This apparatus may ... comprise a general purpose computer [0092] Various general purpose systems may be used with programs in accordance with the teachings herein”. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, these dependent claims are directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application).
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an “inventive concept”) to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using computer hardware and/or software amounts to no more than mere instructions to apply the exception using a generic computer component. For example, the Applicant’s Specification reads, “[0047] client device 120 may be a computer desktop or laptop, mobile phone, virtual assistant, virtual reality or augmented reality device, wearable, or any other suitable device [0091] This apparatus may ... comprise a general purpose computer [0092] Various general purpose systems may be used with programs in accordance with the teachings herein”. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements do not change the outcome of the analysis when considered separately and as an ordered combination. Dependent claims further define the abstract idea that is present in their respective independent claims and hence are abstract for the reasons presented above. The dependent claims do not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Therefore, the dependent claims are directed to an abstract idea. Thus, Claims 1-20 are not patent eligible. (Step 2B: NO. The claims do not provide significantly more).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-9 and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hamby (“AUTOMATED AND CONTINUOUS RISK ASSESSMENT RELATED TO A CYBER LIABILITY INSURANCE TRANSACTION”, U.S. Publication Number: 20200394314 A1), in view of Venna (“RELATIONSHIPS AMONG TECHNOLOGY ASSETS AND SERVICES AND THE ENTITIES RESPONSIBLE FOR THEM”, U.S. Publication Number: 20170236079 A1).
Regarding Claim 1, 
Hamby teaches,
configured to assess the end points for cyber risk based on detection of a plurality of cyber risk factors at the end points;
(Hamby [0007] assess risk associated with a cyber-liability transaction pertaining to one or more insured devices.
Hamby [0006]  recommend and/or monitor security controls designed to mitigate cyber-risks and threats to a cyberspace operational environment. The recommendation and/or monitoring of security controls may be performed in connection with a cyber-liability instrument, such as an insurance transaction.
Hamby [0076] server 100 may scan covered devices or servers to discover operational processes that match specific attributes)
generating a risk score for each cyber risk factor detected at the end points;
(Hamby [0081]  the monitoring engine 240 may produce an evaluation report, or scorecard, which assesses the cyber threats and risks of an enterprise system(s) based on the monitoring of security controls
Hamby [0097] security controls may enhance the security posture of one or more insured devices)
aggregating the risk scores for the cyber risk factors to generate an overall risk score for the client; 
(Hamby [0117] then security control B's total score of 7 (i.e., 7 [points scored from heuristic #4 rank]*50%+7 [points scored from algorithm]*50%))
and modifying a base insurance premium based on the overall risk score.
(Hamby [0118]  the insured can implement the recommended control(s) to reduce the risks associated with the transaction, and, thereby reduce the premium.)
Hamby does not teach A method for intelligent assessment and management of cyber risk, the method comprising: deploying or verifying deployment of a cyber risk agent to a plurality of end points associated with a client, wherein the cyber risk agent
Venna teaches,
A method for intelligent assessment and management of cyber risk, the method comprising: deploying or verifying deployment of a cyber risk agent to a plurality of end points associated with a client, wherein the cyber risk agent
(Venna [0238] Cyber insurance underwriters write policies for companies (entities) to cover a company's losses and damages arising from a cyber event.
Venna [0240] Insurance carriers maintain a portfolio of companies (entities) that they insure; the carrier tries to balance its risk
Venna [0251] can help lead to recommendations for software or technology stack strategies for clients.
Venna [0073]  entity relationship map can display information about the nodes as text  
Venna [Claim 1] providing information indicative of cyber-security risks to one or more of the entities based on the identified service relationships)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the cyber liability insurance risk assessment of Hamby to incorporate the node identification and relationship mapping teachings of Venna “to identify relationships between the organizations with respect to the assets.” (Venna [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. node identification and relationship mapping) to a known concept (i.e. cyber liability insurance risk assessment) ready for improvement to yield a predictable result (i.e. “For example, an insurance company may want to know which cyber security company has a service relationship with a retailer to protect data of the retailer's customers” Venna [0056]… “an insurance company may want to know what percentage of retailers that it insures have contracted with a particular cyber security company for protecting customer data” Venna [0057]).
Regarding Claim 2, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby teaches,
receiving additional cyber risk data pertaining to the end points;
(Hamby [0076]  server 100 may scan covered devices or servers to discover operational processes that match specific attributes
Hamby [0010]    receiving, at the security control server, information on each of one or more security controls associated with the one or more selected cyber-risks, wherein the information includes an indication of whether each of the one or more security controls has been implemented on the insured device or has not been implemented on the insured device.  )
generating one or more additional risk scores based on the additional cyber risk data;
(Hamby [0117] security control B's total score of 7....is higher than security control A's score of 5)
and modifying the base insurance premium based on the re-aggregated risk scores.
(Hamby [0118]  the insured can implement the recommended control(s) to reduce the risks associated with the transaction, and, thereby reduce the premium.)
Hamby does not teach re-aggregating the risk scores for the cyber risk factors based on at least the one or more additional risk scores;
Venna teaches,
re-aggregating the risk scores for the cyber risk factors based on at least the one or more additional risk scores;
(Venna [0011]  nodes of the displayed information include nodes representing the business entities that belong to the portfolio....includes information organized based on a scope of the aggregate risk...indicators of risk include at least one of: a security rating, and a BitSight® Security Rating. 
Venna [0118] Aggregating Data from Multiple Data Sources
Venna [0131]  collector which may handle only a subset of the raw data than in the aggregated translation layer through which all data passes.)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the cyber liability insurance risk assessment of Hamby to incorporate the node identification and relationship mapping teachings of Venna “to identify relationships between the organizations with respect to the assets.” (Venna [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. node identification and relationship mapping) to a known concept (i.e. cyber liability insurance risk assessment) ready for improvement to yield a predictable result (i.e. “For example, an insurance company may want to know which cyber security company has a service relationship with a retailer to protect data of the retailer's customers” Venna [0056]… “an insurance company may want to know what percentage of retailers that it insures have contracted with a particular cyber security company for protecting customer data” Venna [0057]).
Regarding Claim 3, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby does not teach upon deploying the cyber risk agent, detecting a data breach at one or more of the end points of the client; in response to detecting the data breach, providing one or more post-breach incident response recommendations.
Venna teaches,
upon deploying the cyber risk agent, detecting a data breach at one or more of the end points of the client; in response to detecting the data breach, providing one or more post-breach incident response recommendations.   
(Venna [0203] For example, an active or passive collector might discover a login form on another page, but also detect that it's insecurely configured, and could reveal the user's password to local adversaries if they attempted to login.
Venna [0239] Cyber breaches can result in a loss of data,.... especially for loss of sensitive data like employee records or customer transactions. 
Venna [0248] if a fourth party entity.... has a history of breaches or demonstrates a low BitSight® security rating
Venna [0251] knowledge of the fourth-party ecosystem (and analysis from either of the prior two use cases) can help lead to recommendations)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the cyber liability insurance risk assessment of Hamby to incorporate the node identification and relationship mapping teachings of Venna “to identify relationships between the organizations with respect to the assets.” (Venna [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. node identification and relationship mapping) to a known concept (i.e. cyber liability insurance risk assessment) ready for improvement to yield a predictable result (i.e. “For example, an insurance company may want to know which cyber security company has a service relationship with a retailer to protect data of the retailer's customers” Venna [0056]… “an insurance company may want to know what percentage of retailers that it insures have contracted with a particular cyber security company for protecting customer data” Venna [0057]).
Regarding Claim 4, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby teaches,
providing, for display on a client device, a user interface (UI) dashboard, wherein the UI dashboard displays at least the aggregated risk score of the client.
(Hamby [0017]  generating, by the security control server, a report indicating a change in the operation status or performance of one or more of the one or more security controls
Hamby [0081] monitoring engine 240 may produce an evaluation report, or scorecard.... such that the evaluation report's “score” changes. 
Hamby [0117] then security control B's total score of 7 (i.e., 7 [points scored from heuristic #4 rank]*50%+7 [points scored from algorithm]*50%) 
Hamby [0136] screens... may be shown on a graphical user interface)
Regarding Claim 5, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby teaches,
providing, to the client device, one or more recommended actions based at least on the assessment of the end points and the aggregated risk scores.   
(Hamby [0006] security control system may further recommend and/or monitor security controls designed to mitigate cyber-risks and threats to a cyberspace operational environment.
Hamby [0147] the security control server 100 may implement the ranking of recommended security control features
Hamby [0014] control server may issue a notification, e.g., to a client device
Hamby [0081]  may produce an evaluation report, or scorecard, which assesses the cyber threats and risks of an enterprise system(s) based on the monitoring 
Hamby [0115] The weighted values, or combination weight, may be integers between 0 and 100)
Regarding Claim 6, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby teaches,
determining the base premium 
(Hamby [0005] an insurance provider may advertise a policy with rules and coverages at a specific premium.... The rules and coverages determine the contractual guidelines of the policy
Hamby [0102] training set may highlight the cyber-insurance policy premium amount based on the coverages and the security controls implemented by the insured  )
by calculating cyber risk losses based on revenue band and activity.
(Hamby [0098]  heuristic may use one or more of the following attributes: i) an available budget for investing in security controls to mitigate risk; ii) cost factor for implementing specific controls
Hamby [0099]  heuristic to compute the cost advantage (cost reduction as specified in the policy) associated with each of the security controls by summing each calculated cost advantage associated with that control for each non-mitigated risk for which it provides coverage.)
Regarding Claim 7, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby teaches,
wherein the modifying of the base premium comprises: determining a modifier of the base premium based on the overall risk score.
(Hamby [0078]  changing policy premiums to account for a higher or lower risk level than originally estimated
Hamby [0117]   security control B's total score of 7 (i.e., 7 [points scored from heuristic #4 rank]*50%+7 [points scored from algorithm]*50%) is higher than security control A's score of 5 (10 [points scored from heuristic #1 rank] *50%+1 [points scored from algorithm] *50%) 
Hamby [0118] such that the insured can implement the recommended control(s) to reduce the risks associated with the transaction, and, thereby reduce the premium.)
Regarding Claim 8, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby does not teach capturing cyber risk data pertaining to one or more employees of the client; and determining a human risk assessment for the client based on the captured cyber risk data pertaining to the employees.
Venna teaches,
capturing cyber risk data pertaining to one or more employees of the client; and determining a human risk assessment for the client based on the captured cyber risk data pertaining to the employees.
(Venna [0163] external users of an entity (e.g., employees of a company) can be identified
Venna [0239] may in turn lead to lawsuits by impacted parties (entities), especially for loss of sensitive data like employee records or customer transactions.... Lost data can lead to a broken service level agreement (SLA) which can cause contractual penalties and loss of company (entity))
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the cyber liability insurance risk assessment of Hamby to incorporate the node identification and relationship mapping teachings of Venna “to identify relationships between the organizations with respect to the assets.” (Venna [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. node identification and relationship mapping) to a known concept (i.e. cyber liability insurance risk assessment) ready for improvement to yield a predictable result (i.e. “For example, an insurance company may want to know which cyber security company has a service relationship with a retailer to protect data of the retailer's customers” Venna [0056]… “an insurance company may want to know what percentage of retailers that it insures have contracted with a particular cyber security company for protecting customer data” Venna [0057]).
Regarding Claim 9, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby does not teach wherein the cyber risk data pertaining to the one or more employees is grouped into one or more of: individual, location, team, and department categories.
Venna teaches,
wherein the cyber risk data pertaining to the one or more employees is grouped into one or more of: individual, location, team, and department categories.
(Venna [0163] external users of an entity (e.g., employees of a company) can be identified
Venna [0075] employee count,...locations
Venna [0177] IP addresses/CIDR blocks (groups of IP address that are assigned by regional registrars).... entities that are related to each other, such as in a parent-child (subsidiary) relationship or an investment relationship)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the cyber liability insurance risk assessment of Hamby to incorporate the node identification and relationship mapping teachings of Venna “to identify relationships between the organizations with respect to the assets.” (Venna [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. node identification and relationship mapping) to a known concept (i.e. cyber liability insurance risk assessment) ready for improvement to yield a predictable result (i.e. “For example, an insurance company may want to know which cyber security company has a service relationship with a retailer to protect data of the retailer's customers” Venna [0056]… “an insurance company may want to know what percentage of retailers that it insures have contracted with a particular cyber security company for protecting customer data” Venna [0057]).
Regarding Claim 12, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby teaches,
wherein assessing the cyber risk for the end points comprises analysis of the security configuration and policy of each of the end points.
(Hamby [0076] server 100 may scan covered devices or servers to discover operational processes that match specific attributes
Hamby [0010] receiving, at the security control server, information on each of one or more security controls associated with the one or more selected cyber-risks, wherein the information includes an indication of whether each of the one or more security controls has been implemented on the insured device or has not been implemented on the insured device.
Hamby [0006] security control system may further recommend and/or monitor security controls designed to mitigate cyber-risks and threats to a cyberspace operational environment.
Hamby [0147] the security control server 100 may implement the ranking of recommended security control features
Hamby [0081] may produce an evaluation report, or scorecard, which assesses the cyber threats and risks of an enterprise system(s) based on the monitoring)
Regarding Claim 13, 
Hamby and Venna teach the intelligent assessment and management of cyber risk of Claim 1 as described earlier.
Hamby teaches,
wherein assessing the cyber risk for the end points comprises comparing the security configuration and policy of each of the end points to risk metrics calculated from a plurality of known good configurations and policies.
(Hamby [0146] the configuration of the risk model specific to the policy may be optional where there is a standard policy that conforms to a pre-configured risk model...inputs from an insured client regarding specific security controls and the metadata about their deployment (host name or IP address, port number, process name, etc.))
Claim 14 is rejected on the same basis as Claim 1.
Claim 15 is rejected on the same basis as Claim 2.
Claim 16 is rejected on the same basis as Claim 3.
Claim 17 is rejected on the same basis as Claim 4.
Claim 18 is rejected on the same basis as Claim 5.
Claim 19 is rejected on the same basis as Claim 6.
Claim 20 is rejected on the same basis as Claim 7.


Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Hamby and Venna in view of Piccin (“SYSTEMS AND METHODS FOR INSURING CONTINGENT LIABILITIES”, U.S. Publication Number: 20120078666 A1).

Regarding Claim 10, 
Hamby teaches,
providing the modified base insurance premium 
(Hamby [0078] changing policy premiums to account for a higher or lower risk level than originally estimated
Hamby [0139] workspace display may generate, in real time, a risk assessment table 840, such as a risk assessment for a specific date.....whether a security control or set of security controls mitigate the risk under each defined information asset
Hamby [0098] costs associated with IT assets being unavailable (this is typically computed for determining the policy coverages specified in the transaction)
Hamby [0099] cost advantage (cost reduction as specified in the policy) associated with each of the security controls by summing each calculated cost advantage associated with that control for each non-mitigated risk for which it provides coverage.)
Hamby does not teach in response to a request for the base insurance premium from one or more third parties.
Piccin teaches,
in response to a request for the base insurance premium from one or more third parties.
(Piccin [Claim 1] calculating, with a computer processor, a premium for a proposed insurance product to cover the contingent liability; and returning, to the requesting entity, terms of the proposed insurance product, the terms comprising the premium and a scope of coverage.)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the cyber liability insurance risk assessment of Hamby to incorporate the contingent liabilities insurance teachings of Piccin “can customize an insurance product for a company to cover a contingent liability, wherein the cost of the insurance product considers various factors.” (Piccin [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. contingent liabilities insurance) to a known concept (i.e. cyber liability insurance risk assessment) ready for improvement to yield a predictable result (i.e. “Purchasing the insurance product can enable the company to more accurately reflect its financial position in a balance statement and, thus, to more appropriately disburse funds to shareholders” Piccin [Abstract]).
Regarding Claim 11, 
Hamby teaches,
wherein the modified base insurance premium is provided in real or substantially real time
(Hamby [0078] changing policy premiums to account for a higher or lower risk level than originally estimated
Hamby [0139] workspace display may generate, in real time, a risk assessment table 840, such as a risk assessment for a specific date.....whether a security control or set of security controls mitigate the risk under each defined information asset
Hamby [0098] costs associated with IT assets being unavailable (this is typically computed for determining the policy coverages specified in the transaction)
Hamby [0099] cost advantage (cost reduction as specified in the policy) associated with each of the security controls by summing each calculated cost advantage associated with that control for each non-mitigated risk for which it provides coverage.)
Hamby does not teach in response to the request for the base insurance premium from the one or more third parties.
Piccin teaches,
in response to the request for the base insurance premium from the one or more third parties.
(Piccin [Claim 1] calculating, with a computer processor, a premium for a proposed insurance product to cover the contingent liability; and returning, to the requesting entity, terms of the proposed insurance product, the terms comprising the premium and a scope of coverage.)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the cyber liability insurance risk assessment of Hamby to incorporate the contingent liabilities insurance teachings of Piccin “can customize an insurance product for a company to cover a contingent liability, wherein the cost of the insurance product considers various factors.” (Piccin [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. contingent liabilities insurance) to a known concept (i.e. cyber liability insurance risk assessment) ready for improvement to yield a predictable result (i.e. “Purchasing the insurance product can enable the company to more accurately reflect its financial position in a balance statement and, thus, to more appropriately disburse funds to shareholders” Piccin [Abstract]).
Prior Art Cited But Not Applied

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Crabtree (“PLATFORM FOR LIVE ISSUANCE AND MANAGEMENT OF CYBER INSURANCE POLICIES”, U.S. Publication Number: 20180322584 A1) proposes autonomous issuance and management of insurance policies for computer and information technology related risks, including but not limited to business losses due to system availability, cloud computing failures, current and past data breaches, and data integrity issues. The system will use a variety of current risk information to assess the likelihood of business interruption or loss due to both accidental issues and malicious activity. Based on these assessments, the system will be able to autonomously issue policies, adjust premium pricing, process claims, and seek re-insurance opportunities with a minimum of human input.
King-Wilson (“VALUING CYBER RISKS FOR INSURANCE PRICING AND UNDERWRITING USING NETWORK MONITORED SENSORS AND METHODS OF USE”, U.S. Publication Number: 20190166156 A1) proposes network threat analysis and remediation using network monitored sensors. An example system includes one or more network devices deployed within a network or networks to collect entity information and to monitor network data and traffic of the network or networks that is related to security information. The network or networks include computing systems that are subject to a security risk policy having breach parameters defining one or more events that are indicative of an electronic threat.
Blazek (“SYSTEMS AND METHODS FOR DETERMINING INSURANCE COVERAGE RECOMMENDATIONS BASED ON LIKELIHOOD OF USE”, U.S. Publication Number: 20210158451 A1) proposes systems and methods for generating a coverage recommendation. A computer-implemented method may use a computer system that includes one or more physical processors. The computer-implemented method may include: obtaining business information for a business entity, determining business type of the business entity based on the business entity information, obtaining historic incident information for business entities of the business type, determining a likelihood of occurrence of one or more incidents that adversely impact the business entity based upon the business information and the historic incident information, determining a coverage product for mitigating the likelihood of occurrence of each incident, generating a coverage recommendation including an explanation for the coverage product determination, and effectuating presentation of the coverage recommendation to the user via a graphical user interface.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHINEDU EKECHUKWU whose telephone number is (571)272-4493.  The examiner can normally be reached on Mon-Fri 10am to 4pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine Behncke, can be reached on (571) 272-8103.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/C.E./Examiner, Art Unit 3697

/HAO FU/Primary Examiner, Art Unit 3697