Cyber insurance is soaring in demand, despite skyrocketing prices and shrinking coverage. Global premiums are set to reach $23 billion by 2025. But a recent case illustrates a significant flaw in the apparent safety net that is cyber insurance. In Travelers Property Casualty Company of America v. International Control Services, Inc. (ICS) (No. 22-cv-2145), ICS applied to Travelers for a cyber insurance policy in early 2022. The policy required holders to use multifactor authentication (MFA). ICS provided an attestation as part of its policy application to show that it would follow the MFA requirement. In May 2022, ICS suffered a ransomware attack—because it had MFA for only some of its digital assets. In the end, Travelers did not have to pay up.
So, how do Compliance professionals make self-attestation work? Are attestations worthless? Let’s discuss.
We've previously discussed the difference between assurance, attestation and audit. Let's restate the definition of attestation here. An attestation is defined as “an act or instance of attesting something: such as a proving of the existence of something through evidence or an official verification of something as true or authentic.” So an attestation—theoretically—proves something is true. But does it? That can depend on the kind of attestation it is: first party, second party, or third party:
The Travelers case illustrates why Zero Trust has become a cybersecurity goal. The old stance of “Trust but Verify” implied that some actors could be trusted. Executive Order 14028, Improving the Nation’s Cybersecurity (May 12, 2021), acknowledged that “trust but verify” was not a viable approach. It required government agencies to migrate to a “Zero Trust Architecture” framework. “Zero Trust Architecture” is defined under the Executive Order, in part, as:
“a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses... [A] Zero Trust Architecture … assumes that a breach is inevitable.” (emphasis added).
The shorter definition: Zero Trust goes beyond “trust but verify” to a principle of “never trust, always verify.”
How do you verify, then? Let’s consider how frameworks verify Compliance. Using a first-party attestation didn’t work out too well in the Travelers case. Yet frameworks often settle for first-party attestation.
Self-assessment is prevalent. Some examples:
An organization that is required to be PCI compliant has to complete an Attestation of Compliance (AOC); only if it processes more than six million credit card transactions a year must it also be audited by a Qualified Security Assessor in addition to completing the self-assessment. Even then, it has the alternative of submitting a report by an internal resource, if signed by an officer of the company. (These are the requirements as per Visa.)
The Department of Health and Human Services (HHS) requires an organization that is subject to HIPAA (a covered entity) to “periodically evaluate the effectiveness of security measures.” HIPAA does not require a covered entity to “certify” compliance. The evaluation can be performed by the covered entity or by an external organization. A “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
Interestingly, ISO/IEC allows “conformity assessments” to be made through self-assessment or assessment by a second or third party. (A conformity assessment demonstrates that “specified requirements relating to a product, process, service, person, system or body are fulfilled.”) Therefore, ISO directs its standards writers, when they are drafting ISO international standards that contain requirements, to draft them “in accordance with the ‘neutrality principle,’ such that conformity can be assessed by a first party, second party, or third party.”
If self-attestation is widely accepted but not very reliable, what is? To consider what kind of evidence is most valuable, and how attestation fits into that spectrum, look to audit engagements. These require different types of evidence collected via audit procedures. The types of audit procedures include:
According to the AICPA, which procedures to use depends on the risk of material misstatement.
Information that can be used as audit evidence takes a number of forms. It includes:
Which evidence is considered more reliable? That depends on the nature and source of the evidence and the circumstances under which it is obtained. Reliability increases when evidence is:
An external auditor might use technology to perform an in-depth collection and analysis of data in order to understand the control environment of the organization being audited and to determine, based on the evidence, whether the controls are adequate. In contrast, to audit a less material item such as a petty cash account, the auditor might be satisfied with a screenshot of the bank account at year end that confirms the amount.
The Travelers case and the AICPA rules both make clear that self-attestation alone is not always reliable, especially compared to written evidence from external parties or real-time data from multiple sources.
Contrast unsupported self-attestation with the federal government’s requirement that federal agencies only use software provided by software producers that:
Therefore, when considering how self-attestation is done effectively, data-based evidence is essential where numbers or risk are material. Because of its greater reliability, backing up a self-attestation with data-based evidence maximizes the trust between the attestor and the party requiring the attestation.
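As an added illustration (not part of the original article, and not a description of what Travelers or ICS actually did), the following Python shows what an MFA self-attestation backed by data-based evidence might look like, in contrast to a bare “we use MFA” checkbox. The claim is computed from an asset inventory rather than asserted, the evidence travels with the attestation under a hash, and the receiving party (an insurer or assessor) can recompute the claim from that evidence. The inventory, asset names and evidence sources are constructed sample data.

```python
"""Added example: an MFA self-attestation whose claim is derived from evidence.

A bare attestation says "MFA: yes". This one carries the per-asset evidence,
computes coverage from it, and only claims full enforcement when every
in-scope asset is covered. The verifier recomputes the claim from the
attached evidence instead of trusting the attestor's word.
"""
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Asset:
    name: str          # constructed sample name
    kind: str          # e.g. "vpn", "email", "admin-console"
    mfa_enforced: bool
    source: str        # constructed label for where the evidence came from


# Constructed sample inventory; not data from the Travelers/ICS case.
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "vpn", True, "vpn-config-export"),
    Asset("mail-tenant", "email", True, "idp-policy-export"),
    Asset("backup-console", "admin-console", False, "vendor-admin-report"),
    Asset("erp-remote-desktop", "remote-access", False, "rdp-gateway-audit"),
]


def _digest(evidence):
    """Stable SHA-256 over the evidence list so the verifier can detect tampering."""
    return hashlib.sha256(
        json.dumps(evidence, sort_keys=True).encode()
    ).hexdigest()


def mfa_coverage(assets):
    """Return (covered_count, total_count, names_of_uncovered_assets)."""
    gaps = sorted(a.name for a in assets if not a.mfa_enforced)
    return len(assets) - len(gaps), len(assets), gaps


def build_attestation(assets, attestor):
    """Attestor side: the claim is computed from the inventory, never hand-typed."""
    covered, total, gaps = mfa_coverage(assets)
    evidence = [asdict(a) for a in assets]
    return {
        "attestor": attestor,
        "fully_covered": not gaps,
        "claim": ("MFA enforced on all in-scope assets" if not gaps
                  else "MFA enforced on only some in-scope assets"),
        "coverage": f"{covered}/{total}",
        "gaps": gaps,                      # what an underwriter would want to see
        "evidence_sha256": _digest(evidence),
        "evidence": evidence,
    }


def verify_attestation(att):
    """Receiving side: recompute the claim from the attached evidence.

    Returns (ok, reason). Fails if the evidence was altered after hashing or
    if the stated claim is not what the evidence supports.
    """
    if _digest(att["evidence"]) != att["evidence_sha256"]:
        return False, "evidence digest mismatch"
    assets = [Asset(**e) for e in att["evidence"]]
    covered, total, gaps = mfa_coverage(assets)
    if att["fully_covered"] != (not gaps) or att["gaps"] != gaps:
        return False, "stated claim is not supported by the evidence"
    return True, f"claim consistent with evidence ({covered}/{total} covered)"


if __name__ == "__main__":
    att = build_attestation(SAMPLE_INVENTORY, "example-attestor")
    print(json.dumps({k: v for k, v in att.items() if k != "evidence"}, indent=2))
    print(verify_attestation(att))
```

The point of the `verify_attestation` step is that the party relying on the attestation does not have to take “MFA: yes” on faith: it sees the same inventory the attestor saw, and a partial deployment like the one in the Travelers case shows up as named gaps rather than as a checked box.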
We live in a world where “trust but verify” is insufficient to ward off increasingly sophisticated cyber threats. The Travelers case makes clear that in the cyber insurance industry, self-attestation on its own is not a mature form of validation. So how is self-attestation done in accordance with the Zero Trust Compliance outlook?
Insurers and frameworks that until now have accepted naked self-attestation might take a page from auditors’ books, and require self-attestation backed up by reliable, data-based evidence. This approach would serve insurers and policyholders better, allowing both parties greater trust.