Include purchasing insurance in the continuity plan.


CONTROL ID: 00762
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography., CC ID: 06682
  • Obtain an insurance policy to cover business products and services delivered to clients., CC ID: 06683
  • Review the insurance coverage of the insurance policy, as necessary., CC ID: 12688


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O30.4: The organization should purchase insurance to cover the costs of the data, software, and hardware destroyed by computer viruses, recovery costs, liability for damages, and other related costs. O65.9: The organization should consider buying insurance for compensation for loss of earnings and e… (O30.4, O65.9, O66.7, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is recommended to consider purchasing insurance in order to cover liability of damages, lost profits, and costs required for business continuity caused by unauthorized access from the outside. (P34.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Does the organization have cyber-insurance coverage for cyber-risks or fraud due to internal hackers and/or external hackers? (Table Row XII.14, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Purchasing insurance may be a risk treatment strategy the organization uses and should be used in conjunction with one or more other strategies. (§ 6.6.4 ¶ 2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • All equipment in the data center should be protected by an appropriate level of warranty for maintenance and troubleshooting support. The warranty level should be based on how mission-critical the system is to the business. (Annex E.2.4, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Insurance, if arranged properly, can provide financial compensation for loss of assets and working costs in the event of a disruption. Insurance often cannot cover all expenses from an incident, but by working with the Insurance Manager, the BCM can work to dovetail insurance with BCM parameters. Th… (Stage 2 Pg 34, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The organization should review its insurance coverage to ensure it is adequate to cover all risks to which the organization is vulnerable. The following 7 questions should be answered to determine the protection offered by the insurance policy: "What perils are covered?", "What property is covered?"… (Pg 1-I-A2, Pg 17-I-7, Pg 17-I-13, Pg 19-III-14, Revised Volume 1 Pg 2-I-A2, Revised Volume 1 Pg 2-I-A6, Protection of Assets Manual, ASIS International)
  • Transferring information risks may involve obtaining insurance against particular types of incident occurring for high risk activities. (SR.01.06.05b, The Standard of Good Practice for Information Security)
  • Transferring information risks may involve obtaining insurance against particular types of incident occurring for high risk activities. (SR.01.06.05b, The Standard of Good Practice for Information Security, 2013)
  • Service providers and outsourced service providers should buy insurance against loss or damage of equipment and storage media caused by theft, fire, failure of environmental control equipment, water pipe burst, and computer abuse by the staff. Service providers and outsourced service providers may b… (§ 9.5.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Organizations should consider purchasing insurance as part of the business continuity planning process. (§ 14.1.1, ISO 27002 Code of practice for information security management, 2005)
  • Is there insurance coverage for business interruptions or general services interruption? (§ D.3, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Is priority access to resources from your suppliers contractually insured in the event an adverse situation arises, affecting multiple customers of your suppliers (e.g., fuel oil, recovery center space)? (§ V.1.71, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Insurance; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 10, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crisis Management; - Incident Response; - Remote Access; - Employee Trainin… (Other Policies, Standards and Processes, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Exam Tier II Obj E.1 Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether ▪ Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originat… (Exam Tier II Obj E.1, Exam Tier II Obj E.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should determine the amount of insurance needed. The organization should review the amount of insurance coverage annually to ensure the level and type of coverage is adequate and meets any legal or Board requirements. (Pg 33, Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should review its insurance coverage to determine if the coverage includes or excludes activities conducted over open networks. (Pg A-3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should purchase insurance. The amount of coverage should depend on how much financial loss the organization is willing to accept. The organization should consider specific coverage for IT equipment, e-banking, media reconstruction, errors and omissions, business interruption, valuab… (Pg 28, Pg 29, Exam Obj 3.8, FFIEC IT Examination Handbook - Management)