Auditing Cybersecurity within Insurance firms

New Guidance from The European Confederation of Institutes of Internal Auditing (ECIIA) on Auditing Cybersecurity within Insurance firms.

Internal Audit plays a vital role in the provision of assurance regarding the efficiency and effectiveness of the key cybersecurity processes and controls in insurance and reinsurance undertakings. Key stakeholders such as Management and the Board rely on the work of Internal Audit in regard to cyber-related risks.

This position paper sets out the view of the ECIIA Insurance Committee and is intended to provide guidance to Chief Audit Executives (CAEs) in the Insurance sector on the audit of cybersecurity. Cyber risk is important in light of the recent increase in cyberattacks and the new European regulations that took effect in 2018: the General Data Protection Regulation and the Network and Information Systems Directive.

The need for effective IT cybersecurity controls has been highlighted by the European Insurance and Occupational Pensions Authority (EIOPA), which has stated that cyber risk is a growing concern for institutions, individuals and financial markets, and now tops the list of global risks for businesses.

The Solvency II Directive encourages Own Risk Self-Assessment and the use of risk categories based on the specific characteristics of the undertaking, rather than only the Solvency II standard classification. The paper does not aim to provide a one-size-fits-all solution for auditing cybersecurity risks; instead it provides a framework from which internal audit departments can build a multi-year, long-term approach to auditing cyber risk.