Internal Audit’s Role in Cybersecurity Insurance Questionnaires
Source: McKonly & Asbury
Cybersecurity remains a priority for organizations because today's digital landscape changes constantly. It is especially important for organizations seeking insurance coverage against cyber threats and risks. Insurers that offer this kind of coverage typically require applicants to complete comprehensive cybersecurity questionnaires, which they use to assess the applicant's risk profile before issuing a cyber insurance policy. Internal audit can play a significant role in completing these questionnaires by verifying that the responses accurately represent the organization's cybersecurity posture. This matters because insurers expect the insured to have specific security protocols in place: if the insurer determines that a cyber incident resulted from a failure to implement basic security protocols, it can deny the claim.
Cybersecurity Questionnaires
To understand the vital role of internal audit in cybersecurity and related insurance questionnaires, it is first crucial to understand what cybersecurity questionnaires are and what they aim to do. Insurance companies use these questionnaires to evaluate potential policyholders’ security controls, practices, and incident response capabilities. The subject areas covered in the questionnaires include data protection, network security, incident management, and employee training. Cybersecurity questionnaires assess the level of cybersecurity risk and threats and the corresponding cybersecurity controls in place to mitigate these risks. Insurance companies use the responses to determine the details of the cybersecurity insurance they offer to organizations, including policy terms, premiums, and coverage limits.
The Role of Internal Audit in Cybersecurity Insurance
Within organizations, internal auditors are in a unique position to increase the reliability of the responses recorded on cybersecurity insurance questionnaires. Offering assessments of organizations’ risk management processes, policy compliance, and adequacy of the cybersecurity controls in place, internal auditors can provide trustworthy insight into the status of an organization’s cybersecurity program. Internal auditors contribute to the cybersecurity questionnaire process by:
1. Assessing and Identifying Risks
Internal auditors perform inherent risk assessments that highlight vulnerabilities and potential threats, and this fundamental work increases the organization's awareness of where its cybersecurity risks lie. An inherent risk assessment evaluates risk on the assumption that no controls are in place and produces an inherent risk profile for the organization. This awareness helps the organization determine where controls should be in place to mitigate risk, resulting in a proactive approach to cybersecurity risk mitigation, which in turn provides a basis for informed, well-founded responses on cybersecurity insurance questionnaires.
2. Evaluating Controls
Internal auditors assess the design and operating effectiveness of the organization's cybersecurity controls and recommend best practices. Applying the internal control assessment to the risk assessment yields a residual risk profile, which gives the organization the information it needs to reduce residual risk and thereby strengthen its cybersecurity program. The residual risk profile also provides a basis for the responses recorded on questionnaires. This independent assessment increases the confidence of prospective insurers and may reduce the risk of a claim denial.
3. Assessing the Accuracy and Integrity of Data
Cybersecurity insurance questionnaires rely heavily on the accuracy of the responses. Internal auditors offer an additional level of assurance that responses are truthful and supported by credible evidence. The scrutiny internal auditors apply to the responses recorded on these questionnaires can help minimize issues that might otherwise result in denied claims or gaps in coverage.
4. Reviewing Policy Compliance
Reviewing compliance with applicable laws, regulations, and standards is an important part of internal audit's work, and internal auditors can likewise review compliance with the cybersecurity requirements of the insurance policy. By mapping those requirements to internal controls, the organization gains an understanding of any gaps in, and opportunities to improve, its compliance with the cybersecurity insurance policy.
Potential Risks, Incidents, and Lack of Coverage
Cybersecurity incidents pose a serious threat to organizations, especially if their cyber insurance provider determines that the organization did not have sufficient cybersecurity controls in place. A discrepancy between the security posture represented to the insurer and the actual cybersecurity environment revealed during incident response can lead to the denial of insurance claims for damages incurred. If the insurer finds that the organization, whether intentionally or by accident, was not truthful about its security posture, the result can be severe financial losses from the lack of coverage as well as damage to the organization's reputation. Misrepresenting the organization's cybersecurity environment can also expose it to further regulatory issues and liabilities.
About the Author
Cecily Carl
Cecily joined McKonly & Asbury in 2023 and is currently a Senior Consultant in the firm’s Consulting Services group.