Do you carry cyber insurance with ransomware coverage?
Demonstrate that the organization maintains current cyber insurance coverage with explicit ransomware provisions adequate to mitigate financial exposure from ransomware and related cyber incidents.
Description
What this control does
This control verifies the organization maintains an active cyber insurance policy that explicitly includes coverage for ransomware incidents, including costs associated with ransom payments, forensic investigation, business interruption, data recovery, legal fees, and regulatory fines. Cyber insurance serves as a financial risk transfer mechanism to mitigate the monetary impact of successful ransomware attacks and related cyber incidents. The policy should align with the organization's risk appetite, asset valuation, and regulatory requirements, with coverage limits appropriate to potential exposure.
Control objective
What auditing this proves
Demonstrate that the organization maintains current cyber insurance coverage with explicit ransomware provisions adequate to mitigate financial exposure from ransomware and related cyber incidents.
Associated risks
Risks this control addresses
- Catastrophic financial loss from ransom payments exceeding available operating capital during a ransomware event
- Unbudgeted costs for forensic investigation, incident response consultants, and legal counsel following a cyber incident
- Extended business interruption and revenue loss during ransomware recovery without financial compensation
- Regulatory fines and penalties from data breach notification failures or compliance violations without coverage
- Litigation costs from customer or partner lawsuits related to compromised data or service unavailability
- Data restoration and system recovery expenses exceeding IT budget allocations
- Reputational damage requiring public relations and crisis management services without financial reserves
Testing procedure
How an auditor verifies this control
- Request the current cyber insurance policy declarations page and full policy document from Risk Management or Finance
- Verify the policy effective dates to confirm coverage is active and not expired or lapsed
- Review the policy schedule and endorsements to identify explicit ransomware coverage provisions, including ransom payment reimbursement clauses
- Compare coverage limits for ransomware-specific provisions against the organization's most recent cyber risk assessment and business impact analysis to assess adequacy
- Examine exclusions, conditions, and sub-limits that may restrict ransomware coverage, including cryptocurrency payment limitations or notification requirements
- Verify premium payment records for the current policy period to confirm the policy remains in force
- Review incident response procedures to confirm alignment with policy notification requirements and claims processes
- Interview the insurance broker or risk manager to confirm annual policy review practices and coverage adjustments based on the changing threat landscape