Zero Trust, 100% Verify: How is Self-Attestation Done in Compliance

Cyber insurance is soaring in demand, despite skyrocketing prices and shrinking coverage. Global premiums are set to reach $23 billion by 2025. But a recent case illustrates a significant flaw in the apparent safety net that is cyber insurance. In Travelers Property Casualty Company of America v. International Control Services, Inc. (ICS) (No. 22-cv-2145), ICS applied to Travelers for a cyber insurance policy in early 2022. The policy required holders to use multifactor authentication (MFA). ICS provided an attestation as part of its policy application to show that it would follow the MFA requirement. In May 2022, ICS suffered a ransomware attack—because it had MFA for only some of its digital assets. In the end, Travelers did not have to pay up.

So, how is self-attestation done successfully for Compliance professionals? Are attestations worthless? Let’s discuss. 

What are attestations, and do they prove anything?

We've previously discussed the difference between assurance, attestation and audit. Let's redefine attestation here. An attestation is defined as “an act or instance of attesting something: such as a proving of the existence of something through evidence or an official verification of something as true or authentic.” So an attestation—theoretically—proves something is true. But does it? That can depend on the kind of attestation it is: first party, second party, or third party:

First-party attestation:

• What does self-attestation mean? A person self-attests to something, based on their judgment. For example, they attest to having adequate controls and safeguards. The term “first party” is used similarly in “first-party audit,” which is an internal audit.
• Self-attestation, unaccompanied by hard evidence, is the least reliable type. It should be relied on only when there is a small potential amount of impact.

Second-party attestation:

• Attestation about a related party. For example, a customer attests that I, their supplier, am meeting my obligations. Analogous to the idea of a “second-party audit,” which is conducted by a related party.
• It’s likely more objective than a first-party assessment, since it’s done by someone other than the business being assessed. But there may be a conflict of interest.

Third-party attestation:

• An independent third party makes the attestation. Analogous to an independent audit conducted by an external, independent party, i.e., a “third-party audit.”
• It’s the most objective type of attestation and, therefore, the type most likely to be accurate.

Evidence to back up attestations: Zero Trust Compliance

The Travelers case illustrates why Zero Trust has become a cybersecurity goal. The old stance of “Trust but Verify” implied that some actors could be trusted.  Executive Order 14028, Improving the Nation’s Cybersecurity (May 12, 2021), acknowledged that “trust but verify” was not a viable approach. It required government agencies to migrate to a “Zero Trust Architecture” framework. “Zero Trust Architecture” is defined under the Executive Order, in part, as:

“a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses... [A] Zero Trust Architecture … assumes that a breach is inevitable.” (emphasis added).

The shorter definition: Zero Trust goes beyond “trust but verify” to a principle of “never trust, always verify.”

How do you verify, then? Let’s consider how frameworks verify Compliance. Using a first-party attestation didn’t work out too well in the Travelers case. Yet frameworks often settle for first-party attestation.

Examples of attestation required by frameworks

Self-assessment is prevalent. Some examples:

Payment Card Industry Data Security Standard (PCI DSS) Attestation: 

An organization that is required to be PCI compliant has to fill out an Attestation of Compliance (AOC), but only if it processes more than six million credit card transactions a year must it be audited by a Qualified Security Assessor in addition to completing the self-assessment. And it has the alternative of submitting a report by an internal resource, if signed by an officer of the company. (These are the requirements as per Visa.)

HIPAA regulations: 

The Department of Health and Human Services (HHS), requires an organization that is subject to HIPAA (a covered entity) to “periodically evaluate the effectiveness of security measures.” HIPAA does not require a covered entity to “certify” compliance. The evaluation can be performed by the covered entity or by an external organization. A “certification” by an external organization does not preclude HHS from subsequently finding a security violation.

ISO and IEC International Standards: 

Interestingly, ISO/IEC allows “conformity assessments” to be made through self assessment or assessment by a second or third party. (A conformity assessment demonstrates that “specified requirements relating to a product, process, service, person, system or body are fulfilled.”) Therefore, ISO directs its standards writers, when they are drafting ISO international standards that contain requirements, to draft them “in accordance with the "neutrality principle," such that conformity can be assessed by a first party, second party, or third party.”

Types of evidence that are relevant to attestation

If self-attestation is widely accepted but not very reliable, what is? To consider what kind of evidence is most valuable, and how attestation fits into that spectrum, look to audit engagements. These require different types of evidence collected via audit procedures. The types of audit procedures include: 

• inspection 
• observation 
• inquiry 
• confirmation 
• recalculation 
• reperformance, or 
• analytical procedures. 

According to the AICPA, which procedures to use depends on the risk of material misstatement.  

Information that can be used as audit evidence takes a number of forms. It includes:

• oral information obtained through a verbal response to an inquiry,
• visual information obtained through observation,
• paper documents, and
• electronic information, including documents in electronic form and data stored in the entity's IT system or obtained electronically from an external source.

How reliable is the audit evidence?

Which evidence is considered more reliable? That depends on the nature and source of the evidence and the circumstances under which it is obtained. Reliability increases when evidence is:

• obtained from external parties, 
• obtained directly by the auditor, or
• in documentary form, rather than obtained through oral inquiries.

An external auditor might utilize technology and do an in-depth collection and analysis of data in order to understand the control environment for an organization being audited and to determine, based on the evidence, whether the controls are adequate. In contrast, to audit a less material item such as a petty cash account, the auditor might be satisfied with a screenshot of the bank account at year end that confirms the amount. 

How is self-attestation done and why it needs data-based evidence 

The Travelers case and the AICPA rules both make clear that self-attestation alone is not always reliable, especially compared to written evidence from external parties or real-time data from multiple sources.

Contrast unsupported self-attestation with the federal government’s requirement that federal agencies only use software provided by software producers that:

1. self-attest to complying with the secure software development practices set out by the National Institute of Standards and Technology (NIST) (and provide third-party attestation, as deemed necessary), and 
2. provide evidence in the form of a software bill of materials (SBOMs) and/or other artifacts, as deemed necessary.

Therefore, when exploring how is self-attestation done effectively, data-based evidence is essential where numbers or risk are material. Because of the greater reliability, backing up a self-attestation with data-backed evidence maximizes the trust between the attestor and the party requiring the attestation.

Save time and effort: Don’t trust. Just verify.

We live in a world where “trust but verify” is insufficient to ward off increasingly sophisticated cyber threats. The Travelers case makes clear that in the cyber insurance industry, self-attestation on its own is not a mature form of validation. So how is self-attestation done in accordance with the Zero Trust Compliance outlook?

Insurers and frameworks that until now have accepted naked self-attestation might take a page from auditors’ books, and require self-attestation backed up by reliable, data-based evidence. This approach would serve insurers and policyholders better, allowing both parties greater trust.

Discover how anecdotes, the all-in-one workspace for Compliance leaders can help you back up your self-attestations with reliable, objective data.