This article originally appeared in the March 2020 issue of Best's Review, the monthly insurance magazine.
- The Issue: Insurers continually face cyberthreats and regulatory changes that necessitate a secure information technology environment.
- The Problem: Insurers cannot assume their IT safeguards are impenetrable.
- The Solution: To maintain IT security, insurers should implement an audit process that ensures their data is protected and verifies that their security controls actually function.
Insurers are in the business of uncertainty. However, the uncertainty of information technology security is a relatively new concern for the industry. Every insurer faces possible cyberthreats and a regulatory landscape that can seem insurmountable, all while on a limited IT and IT security budget. To combat these threats and comply with regulations, insurers implement safeguards, or controls, assuming those controls actually work. But how can the insurer know those controls work, and what is the executive leadership's role in achieving peace of mind?
Administrative, technical and physical controls are often implemented and assumed to function in perpetuity, and never validated. When insurers apply controls and assume they function, they risk expensive and reputationally damaging breaches and regulatory fines, and costly reimplementations of those same controls. Mitigating these risks is the objective of an IT security audit, which validates the controls meet their purpose.
Building an IT security audit process is challenging for all insurers, but especially for those without internal audit and specialized processes. The primary obstacles when building a best practices IT security audit process generally include IT security governance, establishing a standard for reasonable assurance and achieving cost-effective audit processes. The following explains how leadership can support the insurer in overcoming each of these obstacles.
Effective IT security governance begins with defining an insurer's risk appetite, such as dollars lost or days of downtime. Achieving a quantifiable risk appetite requires classifying sensitive information, such as customers' financial information and the cost involved if it is compromised. If the compromise relates to confidentiality, the cost is likely to be a calculation of regulatory fines or reputational impact. If the compromise relates to integrity, the cost is likely to be a calculation of the price of repairing or reacquiring the data via process; and if it involves availability, the cost is likely to be expressed in days of downtime, with an implicit or explicit financial cost.
Next, the insurer should adopt an information security standard. Rather than chasing individual regulatory requirements, the adoption of a standard like NIST (National Institute of Standards and Technology) or ISO (International Organization for Standardization) empowers an insurer to use a widely accepted framework to conduct an audit, which can be cross-mapped to new and evolving regulatory requirements. With the adoption of a standard, insurer leadership doesn't need to worry about what regulation is coming tomorrow.
Finally, one of the greatest obstacles facing existing IT security audit processes is that the function is often carried out by IT. Not only does this constitute a conflict of interest, where IT personnel audit their own escalated privilege use and their own technical control implementations, but IT personnel are often not trained in audit best practices. This leads to an audit process that takes a backseat to operational firefighting, and costs more, often without producing valuable output for leadership.
The best practices approach is to designate and authorize an information security auditor or officer with the appropriate audit skill set, who is separate from IT, and who reports directly to the company's executive leadership. This person should carry out the objectives set by an information security committee, comprised of board members, executive leadership and stakeholders from every business unit that has a critical role in managing sensitive information.
Assurance is difficult in the world of information security. In a financial audit, mathematical operations tell the auditor whether the books balance or not. However, when auditing information security, it's difficult to achieve assurance that a firewall will always block the most dangerous malicious traffic, that a user's training will always be effective in stopping them from clicking a link in a phishing email, or even that a given threat is controlled against at all.
Reasonable assurance in an IT security audit begins with an information security risk assessment. Through risk assessment, the IT security audit process can focus on controls safeguarding systems and processes that store, process and manage the most sensitive information. An effective assessment should account for reasonably foreseeable threats, document their inherent risks, account for existing controls mitigating them and arrive at a residual risk for each threat. Through risk assessment, additional controls can be prioritized, and the controls mitigating the highest and most numerous risks can be prioritized in the IT security audit process.
Once prioritized, the IT security audit process can monitor controls to the standard authorized by stakeholders. Generally, for critical controls, the insurer's executive leadership should seek positive assurance over negative assurance. It's easy to fall into the trap of accepting a lack of incidents or discovered vulnerabilities as assurance, but this assurance is negative assurance. Instead, audits of critical controls should seek positive assurance: The firewall is blocking organizationally defined malicious traffic that's deemed to be high risk, or ongoing phishing testing reveals that an acceptable ratio of users consistently do not click links when tested. These methods of positive assurance aren't an indication of risk being completely eliminated, but do indicate risk being acceptable.
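To make the risk assessment and positive-assurance ideas of the preceding two paragraphs concrete, here is an added Python example that is not code from the article or from its author: a small risk register that derives residual risk and ranks controls for audit by the risk credited to them, followed by positive-assurance checks for the two controls named above, a firewall policy tested against organizationally defined traffic and phishing test results compared to an agreed click ratio. The register entries, the 1-to-5 scoring, the firewall policy, the traffic test cases and the click-ratio threshold are all constructed assumptions for illustration.

```python
# Added example (not from the article): a risk register that ranks controls
# for audit by the risk credited to them, then positive-assurance checks for
# two of the controls the article names. All data is constructed and the
# scoring scheme and thresholds are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 5 (frequent)
    impact: int            # 1 (negligible) .. 5 (exceeds risk appetite)
    controls: list         # existing controls that mitigate this threat
    mitigation_pct: int    # share of inherent risk credited to those controls

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        return self.inherent * (100 - self.mitigation_pct) / 100


# Constructed register: three foreseeable threats and the controls relied on.
RISK_REGISTER = [
    Threat("phishing credential theft", 5, 4,
           ["security awareness training", "MFA"], 60),
    Threat("exploitation of exposed services", 3, 5,
           ["perimeter firewall"], 90),
    Threat("ransomware via remote admin", 2, 5,
           ["perimeter firewall", "MFA"], 70),
]


def prioritize_controls(register):
    """Rank controls by the inherent risk they are credited with mitigating
    (assumption: every control on a threat gets the threat's full credit).
    The controls whose failure would expose the most risk are audited first."""
    credit = {}
    for t in register:
        for c in t.controls:
            credit[c] = credit.get(c, 0.0) + t.inherent * t.mitigation_pct / 100
    return sorted(credit.items(), key=lambda kv: kv[1], reverse=True)


# Constructed firewall policy: ordered rules, first match wins. A port of
# None matches any port. Addresses are RFC 5737 documentation prefixes.
FIREWALL_POLICY = [
    {"action": "deny",  "src": "198.51.100.0/24", "port": None},  # blocklisted range
    {"action": "deny",  "src": "0.0.0.0/0",       "port": 23},    # telnet from anywhere
    {"action": "allow", "src": "0.0.0.0/0",       "port": 443},   # public HTTPS
    {"action": "deny",  "src": "0.0.0.0/0",       "port": None},  # default deny
]

# The same policy with a misordered permit-any rule: a control that has
# silently stopped working, which an empty incident log would never reveal.
WEAKENED_POLICY = (FIREWALL_POLICY[:3]
                   + [{"action": "allow", "src": "0.0.0.0/0", "port": None}]
                   + FIREWALL_POLICY[3:])

# Organizationally defined traffic the control must handle: known-bad traffic
# must be denied, and legitimate traffic must still pass.
TRAFFIC_TESTS = [
    ("198.51.100.7", 443, "deny"),
    ("203.0.113.9", 23, "deny"),
    ("203.0.113.9", 3389, "deny"),
    ("203.0.113.9", 443, "allow"),
]


def firewall_decision(policy, src, port):
    """Evaluate the ordered policy for one source address and destination port."""
    for rule in policy:
        if ip_address(src) in ip_network(rule["src"]) and rule["port"] in (None, port):
            return rule["action"]
    return "deny"


def firewall_positive_assurance(policy, tests):
    """Positive assurance: every defined test case yields the expected decision."""
    failures = []
    for src, port, expected in tests:
        got = firewall_decision(policy, src, port)
        if got != expected:
            failures.append((src, port, expected, got))
    return {"passed": not failures, "failures": failures}


def phishing_positive_assurance(campaigns, max_click_ratio):
    """Positive assurance for awareness training: the click ratio stays at or
    below the stakeholder-approved threshold on every repeated test."""
    ratios = [clicks / sent for sent, clicks in campaigns]
    return {"passed": all(r <= max_click_ratio for r in ratios), "ratios": ratios}


if __name__ == "__main__":
    for control, credit in prioritize_controls(RISK_REGISTER):
        print(f"{control}: audit priority score {credit}")
    print(firewall_positive_assurance(FIREWALL_POLICY, TRAFFIC_TESTS))
    print(firewall_positive_assurance(WEAKENED_POLICY, TRAFFIC_TESTS))
    print(phishing_positive_assurance([(200, 12), (200, 9), (200, 7)], 0.10))
```

The point of the firewall check is the contrast the article draws: the weakened policy would produce no incidents and no findings, yet the test against defined traffic reports the failure immediately, which is the positive evidence an auditor can put in front of leadership.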
Insurers both big and small struggle to achieve best practices IT security audit processes that are cost-effective. Of course, the cost of not having such a process may lead to a higher likelihood of expensive breaches and regulatory fines, followed by the cost of still having to implement an IT security audit process after the cost of the compromise. But organizing a cost-effective IT security audit process even without a breach or fine is still difficult.
The first concern an insurer's board and executive leadership should have regarding cost-effectiveness is whether the IT security audit process is providing meaningful reporting. Reporting should answer whether an insurer's overall IT security objectives are being met and whether they will continue to be met. Too often, leadership demands to see better results, whatever the measure of those results might be. In response, IT security auditors are pressured to maintain the same level of assurance and consider only previously considered threats, for fear of downward audit trends. This results in insurers committing resources to a process that doesn't serve to improve the IT security posture, which is the least cost-effective IT security audit process of all. Instead, leadership should expect to see reporting that reflects the current threat landscape, and how well those threats are being mitigated by current and planned controls, so resources can be effectively allocated.
Additionally, third-party vendors can be contracted to supplement the IT security audit process, especially when insurers have limited personnel. Third-party assurance activities achieve independence, and are often more cost-effective at answering IT security audit concerns due to specialized personnel and tools.
Assurance activities can be broadly scoped, to help the audit process focus on problem areas, or narrowly scoped, to help find answers to challenging concerns for which the insurer might not have the expertise. Furthermore, activities can range in levels of assurance—from vulnerability-based exercises, like penetration tests where the third party acts as an attacker and looks for vulnerabilities to exploit and demonstrate impact, to control-based exercises like general controls audits, where the third party rigorously audits specified controls to a specified standard. However, leadership should remember that while third-party vendors are an excellent supplement to an existing IT security audit process, they can never replace personnel who know the insurer inside and out.
Information security is an ongoing process, as threats continue to emerge and evolve. Without effective controls, insurers face expensive breaches and regulatory fines, and without an IT security audit process, controls cannot be validated as effective.
Rather than risk costly outcomes and the inefficiencies of reimplementing controls, leadership should understand the value of investing in a sound IT security audit process, including a supporting IT security governance structure, a standard for determining reasonable assurance and cost-effective reporting and process augmentation. And in the end, through best practices IT security audit, the insurer's leadership can spend less time worrying about what might go wrong, because the answers are already there and there's assurance the answers will actually work.
Best’s Review contributor Alex Beeler is a certified information systems auditor and lead program assessor at BPM LLP. He can be reached at firstname.lastname@example.org.