ISACA Journal
Volume 2, 2014

Features 

Auditing Cyberinsurance Policy 

Jide Olakunle, CISA, CISM, CISSP 

The importance of information technology to an organization’s productivity, profitability and processes is increasing exponentially. There is unprecedented reliance on the IT infrastructure to leverage product design, marketing and reporting; handle management of information; and enhance service deliverables. As dependence on IT systems increases, the associated risk increases.

In recent years, as the result of increased system interconnectivity, government and private facilities transitioning from paper to electronic data storage, enhanced traffic in e-channel trading platforms, and improved technology products (e.g., cloud services), the cyberincident has become one of the most reported types of IT security breaches. The impact, frequency and magnitude of cyberincidents have reached an all-time high; in business continuity planning for cyberincidents, the notion of if has turned to when these incidents will occur. In the first quarter of 2013, five of the major US banks suffered denial-of-service (DoS) attacks; Twitter, Facebook, Microsoft and Apple systems were hacked; and in South Korea, financial institutions’ and media houses’ systems were crashed by hackers.

The financial and reputation cost associated with cyberattacks is high. Organizations should implement risk management strategies to help delay, deny, destroy and document cyberattacks. Risk management objectives are to protect assets, conserve resources and improve the quality of decision making. Risk management strategies include risk acceptance (taking on risk and making budgetary provisions for the expected loss), risk mitigation (implementing strategies to contain risk and the effects), risk avoidance (eliminating risk by avoiding processes, events or actions that create risk) and risk transfer (transferring the liability arising from risk to third parties).

Cyberinsurance policies are one product developed to cater to the transfer of risk emanating from cyberactivities. In 2012, cyberinsurance premiums in the US rose from US $800 million to more than US $1 billion.1 The market is expected to grow an additional 25 percent within the next five years. As the market continues to grow, the role of information systems (IS) professionals in identifying cyberexposure, enumerating preventive techniques and determining security gaps will become more critical. The adoption of cyberinsurance as the strategy for risk transfer by many organizations has created another frontier for IS auditors to explore and review. For effective and efficient auditing of a cyberinsurance policy’s adequacy, completeness and appropriateness, IS auditors need to understand cyberinsurance intricacies and complexities.

Reasons for Cyberinsurance

Preventive, detective and corrective controls implemented by an organization cannot completely eliminate cyberincidents. Cyberinsurance is a way to handle the residual risk. It is an insurance product used to protect organizations from Internet-based risk as well as that of other related IT activities, tools and processes. Gone are the days when organizations that suffer a cyberattack keep the information secret; now, industry regulators and media act as enforcers of transparency. The US Securities and Exchange Commission CF Disclosure Guidance mandates that companies report the material risk associated with specific data breaches or other cyberincidents; companies must disclose the financial cost, legal cost and the controls in place to guard against future recurrence.2 Hackers are becoming more forthcoming, using YouTube, Twitter and other social media to disclose their exploits and compromised data. The competition for news by 24-hour cable networks also ensures that all news is reported.

Governments and various industry regulators have also intensified pressure on businesses to protect personal data, using significant fines for any breaches. In the US, 46 states have enacted legislation that mandates that businesses notify customers of data breaches. US federal laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), the European Data Protection Directive (2003), the Japanese Personal Identifiable Information Law (2005), and other international privacy laws also hold organizations liable for a customer data breach.

In 2011, one question in the PricewaterhouseCoopers Global State of Information Security Survey was, “Does your organization have an insurance policy that protects it from theft or misuse of electronic data, consumer records, etc.?” Of the 12,840 worldwide respondents, 46 percent answered yes.3 There is not only an increase in reliance on cyberinsurance policies as a risk transfer strategy, but also in acceptance of the product by organizations.

Types of Cyberinsurance

The most common types of cyberinsurance are first-party risk exposures and third-party risk exposures. First-party coverage insures against damage to and costs incurred directly by the insured organization in responding to cyberbreaches and cyberattacks. Figure 1 describes the types of exposure covered by first-party insurance.

[Figure 1: Types of exposure covered by first-party insurance]
[Figure 2: Types of exposure covered by third-party insurance]

Third-party coverage insures against liability, damages, attorney fees, costs and expenses incurred in responding to allegations against an insured company made by third parties arising from cyberattacks and cyberbreaches. Figure 2 shows some types of exposure covered by third-party insurance.

Cyberinsurance Policy Audit Objectives

To perform an audit in an effective and efficient manner, the auditor must understand the objective of the exercise. Some of the objectives of cyberinsurance audits include:

  • Verifying the effectiveness of the risk management process
  • Determining that adequate procedures have been developed to identify and analyze risk, implement processes to decrease exposure, and monitor progress
  • Ensuring that cyberinsurance coverage is adequate to compensate for identified risk
  • Determining that the cyberinsurance policy covers all critical IT infrastructure
  • Verifying the existence and adequacy of procedures for reporting incidents and making claims

Approach to Auditing Cyberinsurance

The auditing of cyberinsurance policies can be divided into two major components:

  1. Condition precedent to the cyberinsurance policy
  2. Condition concurrent with the cyberinsurance policy

The IS auditor must understand the business, critical assets and IT infrastructure in order to properly audit the cybersecurity policy. The auditor should use this baseline knowledge to review the condition that necessitated the purchase of the cyberinsurance policy. The following are issues IS auditors should consider:

  • Review the network diagram and the business process flow chart. Together they depict the IT infrastructure and the sequence of process steps, and they identify the critical processes that need to be protected. The network diagram should be updated regularly.
  • Check whether the organization’s risk management framework identifies and classifies all IT assets according to their criticality to the business. All assets must be ranked according to their importance. The IS auditor should check the completeness of the asset documentation, ensuring that all critical assets are documented, ranked and continuously reviewed as processes change.
  • Verify whether risk management strategies are updated periodically and reflect the current business and IT infrastructure. In this era of zero-day exploits, defense mechanisms should be reviewed daily.
  • Evaluate the adequacy of IT security strategies. The IS auditor should review IT security, tools and processes for adequacy. Preventive controls are the first step to a secure system.
  • Review the IS incident reports for a specific period. The incident reports will enable the IS auditor to understand the historical trend of attacks, the targeted systems and the channels of attack.

The IS auditor understands that the objective of cyberinsurance is to relieve the insured of the financial losses these cyberactivities bring. Concurrent with obtaining the cyberinsurance policy, the IS auditor should take the following steps:

  • Obtain the sample proposal form submitted by the organization to the insurance provider to evaluate the completeness and truthfulness of the data therein. The proposal form documents the nature, size and complexities of the network, data structure, security system in place and the entire IT infrastructure. The insurance company uses the information in the proposal form to determine premiums and make other insurance decisions. In the event of a claim, the policy may be declared null and void if it is discovered that the organization deliberately or mistakenly omitted critical information in the questionnaire. The IS auditor should verify the truthfulness of the details in the proposal form, and management should be notified of any inaccurate answers.
  • Obtain copies of the insurance policies, and review them for adequacy of coverage and assurance that all critical areas have been included in the policy. If the policy does not cover all systems that are critical and prone to incident based on the organization’s past security incidents or industry trend, the auditor should analyze the impact and notify management. An example of this would be an online retailer that stores customers’ critical credit card data in third-party cloud storage, but fails to cover the asset in a cyberinsurance contract. The retailer has limited control over the security of the cloud operations, but has complete responsibility to ensure the security of customers’ data.
  • Validate the security measures that are in place. Before an insurance policy is issued, the organization must submit its security status in the proposal form. The IS auditor should test the existing controls for adequacy. Management should be promptly notified of any security gaps.
  • Examine the incident reporting documentation. The IS auditor should ensure that incident reporting procedures are adequate and aligned with the requirements of the cyberinsurance policy.
  • Interview IT employees to verify whether cyberinsurance policies and procedures have been communicated to the appropriate personnel. Employees should have adequate knowledge of the cyberinsurance policy, reportable incidents and steps to be taken in the event of a covered incident. A successful claim is dependent on the actions taken within a few minutes of the insured incident.
  • Determine how material changes in the IT infrastructure are communicated to the carrier, and obtain a copy of the physical assets covered in the policy to compare with the present assets. Any exceptions noted should be reported for action.
  • Select a sample of claims or covered incidents from previous years to determine any remedial action that can be implemented to reduce the risk of incidents. Any reported increase in incidents should be investigated and resources diverted as appropriate.

Conclusion

Cyberattacks and the resulting security breaches are part of the rapidly expanding security threats organizations face. The frequency, nature and cost of cyberincidents are growing at an alarming rate. IS auditors must ensure that the organization adequately protects itself and safeguards critical data. IS auditors must plan for cyberinsurance policy audits as part of risk management reviews or as a stand-alone review. Cyberinsurance is not a mandatory requirement, but as more organizations adopt this strategy to transfer risk, IS auditors must understand the processes and test the insurance policy for completeness, adequacy and integrity.

Endnotes

1 Airmic, “Airmic Review of Recent Developments in the Cyber Insurance Market,” 8 June 2012, www.airmic.com/sites/default/files/Airmic%20Review%20of%20Recent%20Developments%20in%20the%20Cyber.pdf
2 Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2, “Cybersecurity,” 13 October 2011, www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
3 PricewaterhouseCoopers, “Global State of Information Security Survey 2011,” www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml

Jide Olakunle, CISA, CISM, CISSP, is an auditing and security expert with Alfa Vision Insurance. Prior to joining Alfa Vision, Olakunle worked for more than 10 years in the compliance, auditing and security group of three new-generation banks in Nigeria. He is currently studying information technology, security and assurance as a Ph.D. student at Capella University (Minneapolis, Minnesota, USA).

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.