Do you have cyber insurance?
Description
What this control does
Cyber insurance is a risk transfer mechanism that provides financial coverage for losses resulting from cybersecurity incidents, including data breaches, ransomware attacks, business interruption, and legal liabilities. Organizations procure policies with defined coverage limits, deductibles, and exclusions tailored to their risk profile, operational scale, and regulatory environment. Carriers commonly condition coverage on the security controls the organization represents in its application (for example multi-factor authentication, endpoint detection, and tested backups), so the policy is only as reliable as those representations. This control ensures the organization maintains active, appropriate cyber insurance coverage as part of a comprehensive risk management strategy, reducing financial exposure when preventive and detective controls fail.
Control objective
What auditing this proves
Demonstrate that the organization maintains current, adequate cyber insurance coverage aligned with its risk appetite and operational exposures, with documented policy terms, coverage limits, and breach notification procedures.
Associated risks
Risks this control addresses
- Catastrophic financial loss from ransomware payment demands, recovery costs, and operational downtime exceeding available organizational reserves
- Unbudgeted legal expenses and regulatory fines following data breach incidents involving personally identifiable information or protected health information
- Third-party liability claims from customers, partners, or vendors harmed by security incidents originating from the organization's environment
- Business interruption costs including lost revenue, customer attrition, and emergency response expenses without financial backstop
- Forensic investigation and incident response costs overwhelming incident management budgets during active compromise
- Customer notification, credit monitoring, and crisis communication costs triggered by breach disclosure requirements under privacy regulations, together with the reputational damage that follows disclosure
- Inadequate coverage limits or policy exclusions leaving critical exposures uninsured during ransomware or supply chain attacks
Testing procedure
How an auditor verifies this control
- Obtain the current cyber insurance policy declaration page, full policy terms, and endorsements from the risk management or finance department
- Verify from the policy effective and expiration dates that coverage is currently active and has had no lapse in the past 12 months, and confirm renewal is under way if the policy expires within the audit period
- Review coverage limits for first-party losses (data recovery, business interruption, extortion payments) and third-party liabilities (legal defense, customer notifications, and regulatory fines to the extent the policy and applicable law permit fines to be insured)
- Examine policy exclusions, sub-limits, and waiting periods to identify gaps relative to the organization's primary cyber risk exposures documented in the risk register
- Interview the Chief Financial Officer or Risk Manager to confirm the policy limits align with the organization's risk appetite statement and worst-case scenario financial impact assessments
- Identify the security controls the policy requires or incentivizes (MFA, endpoint detection, backup practices), including any warranties or conditions precedent to coverage, and confirm through control testing that the organization meets them; compare the results against the controls represented in the insurance application, since a misrepresentation can give the carrier grounds to deny a claim or rescind the policy
- Review the incident response plan to confirm it references the cyber insurance policy, includes insurer contact procedures and notification deadlines, designates responsibility for breach notification coordination with the carrier, and reflects any policy requirement to obtain carrier consent before engaging forensic or legal counsel or making an extortion payment
- Sample two incident reports from the past year and verify the organization evaluated insurance claim eligibility and documented the decision to file or not file a claim