Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

Transcription

1 PROPOSAL FORM Cyber Insurance Underwritten by The Hollard Insurance Co. Ltd, an authorised Financial Services Provider ITOO is an Authorised Financial Services Provider. FSP

2 1 Please answer ALL questions completely Should any question or part thereof not be applicable, please state N/A Should insufficient space be provided, please continue on your company letterhead 1. Name of Insured 2. Physical Address 3. Primary contact phone number 4. Primary contact address 5. Registration Number 6. VAT Number 7. Public facing URL addresses (websites and services such as file transfer facilities) 8. Choose an item which closely matches primary nature of business Choose an item >> If other please specify 9. Products and services offered 10. Subsidiary names (if applicable) 11. Revenue Annual Turnover/ Gross Revenue Last year Current year Gross e-business revenue Last year Current year Value of asset base Last year Current year 12. Geographical split of gross revenue by region South Africa Last year % Current year % Europe (specify) Last year % Current year % USA Last year % Current year % Other (specify) Last year % Current year %

3 2 13. Number of employees Permanent Contractors Temporary SECURITY POLICIES AND STANDARDS 1. Have you implemented information security policies which have been approved by management 2. Are security policies reviewed on an annual basis 3. What security certifications do you hold (for example PCI DSS) 4. What is the minimum password length restriction applied to accounts Choose an item >> 5. How regularly are users required to change their passwords Choose an item >> 6. After how many failed authentication attempts are accounts locked out Choose an item >> 7. How long are accounts locked out for after failed authentication attempts Choose an item >> 8. Are users prevented from re-using their passwords for at least 5 changes 9. Are password rules enforced on all sensitive systems, for example password parameters defined on active directory SECURITY REVIEWS AND ASSESSMENTS 1. How frequently are your IT environments subjected to vulnerability or penetration testing Choose an item >> Please attach the latest testing report SENSITIVE AND PRIVATE INFORMATION 1. Do you collect/store/process any of the following EMPLOYEE & CLIENT data Bank records or financial account details Medical records or health information Payment card details Personal identity information (names, contact details, addresses) Third party corporate confidential data 2. Have your internet facing systems been configured so that no sensitive or personal data resides directly on them, but is instead stored behind a firewall on internal databases/systems

4 3 3. Have you implemented encryption for the following Data stored on portable devices (laptops, external storage devices, tablets, phones, etc.) Sensitive data transmitted outside your environment Sensitive data/backups stored outside your environment Sensitive data stored in your environment If YES, please provide additional information SECURITY IMPLEMENTATION 1. Have you implemented anti-virus software on all computers and mission critical servers (where applicable) 2. Have you implemented firewalls at all breakout points to external networks 3. As part of system configuration do you ensure that all default vendor accounts are secured, via disabling/deleting or changing the account password 4. Do you actively in real time monitor sensitive/critical servers and applications 5. Do you secure all computers and servers according to your technical security configuration standards 6. Have you implemented controls to restrict unauthorised access to sensitive data via your wireless network 7. Do you allow for remote access to your network Choose an item >> 7.1. If yes, is remote network access exclusively over secured channels (for example Virtual Private Network (VPN) with 2 factor authentication) 7.2 If yes, are controls implemented to protect accounts including installation and administration accounts from brute force password attacks PHYSICAL AND ENVIRONMENTAL SECURITY 1. Have you implemented physical controls such as surveillance cameras or access control mechanisms to restrict access to your server room and other sensitive processing facilities 2. Have you implemented physical security controls such as reception to screen visitors or access control mechanisms to restrict access to your offices 3. Do your remote locations including disaster recovery and redundant processing sites have physical security that is at least aligned to the primary processing site

5 4 SYSTEM AND SECURITY LOGS 1. For what period of time do you maintain logs Choose an item >> SECURITY PATCHES AND VIRUS DEFINITIONS 1. How frequently do you update virus definition files on computers and servers Choose an item >> 2. How long after release do you implement security related patches and updates on computers, servers and network appliances (routers, firewalls, etc.) Choose an item >> THIRD PARTY SERVICE PROVIDERS Functions outsourced to third party providers Outsourced to third party provider Third party providers name Cloud data processing/storage Data centre/hosting Data processing (marketing/payroll) Managed security services Network implementation/maintenance Off-site archiving, backup and/or storage Payment processing Software implementation/maintenance Systems development, customisation and maintenance Other (please specify) 1. What level of access do you grant to third party service providers Choose an item >> 2. Do agreements with third party service providers require levels of security commensurate with your information security policies 3. Do you review that third party service providers are adhering to contractual and/or regulatory requirements regarding data protection 4. Do you require indemnification from third party service providers for any liability attributable to them (including data breach and system downtime)

6 5 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY 1. Do you have documented and approved disaster recovery and business continuity plans 2. Do you review, test and update disaster recovery plans on at least an annual basis 3. How frequently do you generate backups Choose an item >> 4. Do you monitor for the successful generation of backups PERSONNEL SECURITY 1. Do you conduct background checks on potential employees as part of the recruitment process 2. Do you have a process implemented for granting, reviewing and disabling user accounts and privileges 3. How long after termination of employment do you typically revoke user privileges Choose an item >> 4. Have employees been required to attended any security/data privacy training/ awareness courses within the past 12 months 5. Have you implemented controls to manage and/or restrict internet access and usage CLAIMS AND INSURANCE HISTORY If YES, please provide additional information 1. Have you ever had an insurance policy cancelled or been declined insurance cover 2. Have you sustained an unscheduled network outage over the past 24 months Cause and duration of outage 3. Are you or any of the partners, directors or officers, aware of or are there any circumstances within the past 5 years that would have given, may give, or have given, rise to a claim against the organisation or against this insurance policy 4. Have you previously held similar cover to this application

7 6 LIMIT OF INDEMNITY Option 1 Option 2 Option 3 Option 4 Quote Deductible DECLARATION I/We, the undersigned, declare that the statements set forth in this proposal form together with any other information supplied are true and correct and that I/we have not misstated or suppressed any material facts. I/We agree that this proposal form together with any other information supplied by me/us shall form the basis upon which the contract of insurance is concluded and shall be incorporated therein. I/We further undertake that in the event that the information provided changes between the date of this application and inception of cover, I/We will notify ITOO of such changes as soon as reasonably possible. Name (duly authorised) Designation Signature D D M M Y Y Y Y Date