@ISACA Volume 15  26 July 2017

Tips for Understanding Risk Transfer

By Lisa Young, CISA, CISM

Organizations increasingly recognize that cyberrisk is no longer limited to the digital domain and now extends across the entire financial and physical risk spectrum. Responsibility for risk management cannot be transferred. The impact from a realized risk can be reduced if the right risk management and internal control strategy is adopted. This is especially important for intangible assets, such as information, intellectual property and customer records.

Risk management is an organizational discipline with many facets that need further explanation, discussion, implementation and metrics to achieve a fully functioning risk management capability in enterprises. A business strategy often takes a risk to meet its objectives while at the same time avoiding the hazards or incidents that would prevent the achievement of successful outcomes.

An effective risk management process is generally comprised of the following components:

  • Establish the context
  • Identify risk
  • Analyze risk
  • Evaluate and prioritize risk
  • Respond to or treat risk
  • Monitor and control the risk management process

Of course, communications and feedback are necessary for success.

There are 4 general strategies for risk response. They are: accept, avoid, mitigate and transfer. Acceptance is just that; the identified risk is within tolerance of the risk appetite and no further action is necessary. Avoidance involves taking steps to remove a hazard or exposure or engaging in an alternate activity that has a lower probability of risk occurrence. Mitigation of risk is probably the most common response to an identified risk and many people in the risk industry are familiar with the different types of controls that are available to bring the identified risk within tolerance and appetite. The last strategy is risk transfer, and it is probably the most underutilized risk response option, especially for cyberrisk. Cyber security is considered a key risk for many organizations. Here are some considerations to think about when trying to determine if cyberrisk transfer is a good option for your organization:

  • Have you assessed the types of intangible information, customer records, intellectual property or tangible assets that are most important to your organization? Figuring out where information is created, stored, processed and transmitted will give a good indication of exposure should a data breach or privacy violation occur. It is also important to make the connection between the intangible information and the tangible asset (server, database, physical plant, industrial control system) where the information lives.
  • Do you know what your outsourcing contracts say about intangible information protection or liability if a third-party provider were to have a data breach, business interruption or information destruction incident? This may be especially important considering cloud or other third-party service providers as the vendor may maintain the right to change the service policies. Spend some time understanding the roles and responsibilities of each party should an incident occur.
  • Check your current insurance policies to see what kind of protection you have for business interruption events caused by technical difficulties. For example, if you have tangible assets such as a fleet of delivery trucks, does your insurance provide coverage in the event of a malicious software infection that renders the trucks unusable? For intangible assets, make sure to understand if your policy has vague language about “electronic data” exclusions. Make sure to clarify what type of information you have and ask your insurance carrier, broker or risk manager how to clarify the language before something happens.
  • Ransomware is a cyberextortion crime. Many insurance policies that an organization carries protect physical assets from criminal activity but may not protect against cybercrime, especially depending on how the crime was perpetrated. Double check your insurance policy so you know what actions to take before something bad happens.
  • What about intellectual property (IP) protections? Usually, theft or destruction of IP is not covered by risk transfer, so you will want to make sure your protections, monitoring, detection and response capabilities are fully functional. There may be insurance policies that cover business interruption from the impact of lost data, however, so make sure you know what exactly is included or excluded in your policy.
  • Have you performed an exposure assessment to understand the financial impact due to risk and which risk areas lack effective control coverage or proper insurance? Many chief information officers and chief information security officers are not yet educated about the value of cyberinsurance and how it fits into a protection or control strategy. Confidence in preventative controls is not a complete risk management strategy.
  • Where in your financial statements and how would you disclose a material loss that is not covered by insurance? The cost of a cyberbreach may reach the threshold of materiality depending on the organization’s capability to monitor, detect and respond to incidents.
  • If your organization were to experience an incident related to intangible assets, such as information, customer records or destruction of data, is there a plan in place for forensics, cleanup or other timely incident response? Make sure that your business continuity and incident response plans factor these capabilities into the response actions.

Organizations that intend to improve their cyberrisk and non-cyberrisk management capabilities need to consider these questions and make sure they are satisfied with the answers. With a well-developed thought process and subsequent plan, risk transfer can become an important part of the enterprise risk management strategy.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Blockchain Tech Discovery Course


Blockchain is an emerging technology that could change the way records are processed. From registrations, records of ownership, transfers of value and stock purchases to identities and health care, blockchain can be utilized. ISACA’s Blockchain Tech Discovery course focuses on blockchain technologies’ revolutionary impact.

Blockchain is helping to create a secure and trustworthy infrastructure to support the Bitcoin cryptocurrency system. While it may disrupt the current practice for creating and using ledgers, blockchain does not need to be limited to that application.

Upon completion of this course, you will be able to:

  • Provide a high-level explanation of what blockchain is and how it works
  • Identify the key roles or players that are impacted by this technology
  • Determine the risk and benefits associated with implementing blockchains

Earn 1 continuing professional education (CPE) hour by purchasing and completing this course within 60 days. The course cost is US $59 for members and US $69 for nonmembers and takes about 1 hour to complete from start to finish. For more information or to register for this course, visit the Tech Discoveries page of the ISACA website.


Mobile Workforce Security Considerations and Privacy


Flexible working arrangements are becoming more common as people embrace a new work-life balance policy, but these arrangements may be abused if proper security measures are not in place. ISACA Journal volume 4 author Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3, PMP, discusses the ways companies can protect their assets and resources as they relate to mobile working in his article “Mobile Workforce Security Considerations and Privacy.”

In 2012, a software developer who mainly worked remotely for a US firm had the idea of fully outsourcing his work to China. He was finally caught after a few months because of suspicions about the origination of his virtual private network (VPN) connections. He literally sent his physical VPN key access to his remote “employee” to allow him to access the company’s systems. Although this story might appear to some extent anecdotal, it raises some serious issues about security considerations and even privacy around remote working and what it entails. How is it possible that an employee gave unauthorized access to his company information to an outsider for so long without it being noticed? What are the legal and reputational consequences for the company? Are the connections of employees always monitored, and what are the employer’s intentions when monitoring them?

Remote working has a lot of advantages, both for the company and the employees. In the past years, it has become increasingly used by companies as a perk. In some countries such as the UK, it is even an employee right to request mobile working. The desire for mobility comes from the sense of flexibility, liberty and self-management it entails, especially for those who need to watch over their children and/or have a long commuting time to reach their physical office location. It also gives a sense of job ownership to the employees, although it often adds a “hidden” pressure on them. For example, remote employees do not want their management to think that if they are not delivering as expected it is because working remotely is holding them back; therefore, they will work even more than the contractual hours to deliver. It also helps companies cut costs, especially in rent and utilities, and find skilled employees regardless of their location. With the progress of technology, the mobile workforce is a trend that is not going to stop and will even expand. It is forecasted that by 2020, 72.3% of the US workforce will be remote.

It is also clear that this modern workforce comes with risk, which can be substantial if not properly addressed.

Read Guy Ngambeket’s full ISACA Journal article, “Mobile Workforce Security Considerations and Privacy.”