Cyber Insurance Form

Company Name *
Type of Business * (Sole Proprietor, Partnership, Non Profit, Corporation)
Zip Code *
State * (Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming)
City *
Address *
Contact Person *
Email *
Phone
Website *
Date Business Established *
Total number of employees *
Description of Operations *

Revenues

Current Fiscal Year ending (Projected) *
Last Fiscal Year ending *
Two Fiscal Years ago ending *

Records

Do you collect, store, host, process, control, use or share any private or sensitive information* in either paper or electronic form? * Yes / No
*Private or sensitive information includes any information or data that can be used to uniquely identify a person, including, but not limited to, social security numbers or other government identification numbers, payment card information, drivers’ license numbers, financial account numbers, personal identification numbers (PINs), usernames, passwords, healthcare records and email addresses.
Provide the approximate number of unique records:
  Paper records
  Electronic records
Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person?
* Yes / No
Have you reviewed your policies relating to the collection, storage and destruction of such information or data with a qualified attorney and confirmed compliance with applicable federal, state, local and foreign laws? * Yes / No
Do you process, store, or handle credit card transactions? * Yes / No
Are you PCI-DSS Compliant? Yes / No

IT Department

Within the Applicant’s organization, who is responsible for network security?
  Name *
  Title *
  Phone *
  Email *
  IT Security Designation(s) *
The Applicant’s network security is * (Outsourced, Managed internally/in-house)
Provide the name of your network security provider *
Are you the main contact for the network security provider named Yes / No
Provide the name and email address for the main contact
How many IT personnel are on your team? *
How many dedicated IT security personnel are on your team? *

By accepting, you confirm that you have reviewed all questions of this application regarding the Applicant’s security controls, and, to the best of your knowledge, all answers are complete and accurate. Additionally, you consent to 1) the Insurer conducting non-intrusive scans of your internet-facing systems / applications for common vulnerabilities, and 2) receiving direct communications from the Insurer and/or its representatives regarding the results of such scans and any potentially urgent security issues identified in relation to the Applicant’s organization.

Information and network security controls

Do you use a cloud provider to store data or host applications? * Yes / No
Provide the name of the cloud(s) provider(s): *
Do you use Multi-Factor Authentication (MFA) to secure all cloud provider services that you utilize (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud)? * Yes / No
Do you encrypt all sensitive and confidential information stored on your organization’s systems and networks? * Yes / No
Access control with role-based assignments?
Yes / No
Segregation of servers that store sensitive information? Yes / No

Ransomware controls

Do you pre-screen emails for potentially malicious attachments and links? * Yes / No
Provide the name of your email security provider
Do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end-user? Yes / No
Can your users access email through a web application or a non-corporate device? * Yes / No
Do you enforce MFA? Yes / No
Do you allow remote access to your network? * Yes / No
Do you use MFA to secure all remote access to your network, including any remote desktop protocol (RDP) connections? * Yes / No
Select your MFA provider (Auth0, Duo, LastPass, Okta, OneLogin, Other)
Provide the name of your MFA provider
Select your MFA type (Mobile OTP (One-time Password), Physical Key, Push-based Authentication, Certificate-based, Other)
Describe your MFA type
Does your MFA configuration ensure that the compromise of a single device will only compromise a single authenticator? Yes / No
Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise? * Yes / No
Select your NGAV provider (BitDefender, Carbon Black, Check Point Software Technologies, Cisco, CrowdStrike Falcon Prevent, Cylance, ESET, Fortinet, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Palo Alto Networks, Panda Security, SentinelOne, Sophos, Symantec, TrendMicro, Other)
Provide the name of your NGAV provider
Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise? * Yes / No
Do you enforce application whitelisting/blacklisting?
Yes / No
Select your EDR provider (BitDefender, Carbon Black Cloud, Cisco AMP, CrowdStrike Falcon Insight, Cybereason Defense Platform, Cynet360, Endgame Endpoint Protection, FireEye Endpoint Security, Fortinet FortiEDR, Intercept X, Malwarebytes Endpoint Protection and Response, McAfee MVision EDR, RedCanary, RSA Netwitness, SentinelOne, SolarWinds, Sophos Intercept X, Symantec EDR, Symantec Endpoint Security (SES) Complete, Windows Defender Endpoint, Other)
Provide the name of your NGAV provider
Is EDR deployed on 100% of endpoints? Yes / No
Can users access the network with their own device (“Bring Your Own Device”)? Yes / No
Is EDR required to be installed on these devices? Yes / No
Do you use MFA to protect all local and remote access to privileged user accounts? * Yes / No
Select your MFA type (Mobile OTP (One-time Password), Physical Key, Push-based Authentication, Certificate-based, Other)
Describe your MFA type
Do you use a data backup solution? * Yes / No
Which best describes your data backup solution?
  Backups are kept locally but separate from your network (offline/air-gapped backup solution).
  Backups are kept in a dedicated cloud backup service.
  You use a cloud-syncing service (e.g. Dropbox, OneDrive, SharePoint, Google Drive).
  Other
Describe your data backup solution
Check all that apply
  Your backups are encrypted.
  You have immutable backups.
  Your backups are secured with different access credentials from other administrator credentials.
  You utilize MFA for both internal and external access to your backups.
  You have tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months.
How frequently are backups run? Daily / Weekly / Monthly
Estimated amount of time it will take to restore essential functions using backups in the event of a widespread malware or ransomware attack within your network?
0-24 hours / 1-3 days / 4-6 days / 1 week or longer

Phishing controls

Do any of the following employees at your company complete social engineering training:
  Employees with financial or accounting responsibilities? * Yes / No
  Employees without financial or accounting responsibilities? * Yes / No
Does your social engineering training include phishing simulation? Yes / No
Does your organization send and/or receive wire transfers? * Yes / No
Does your wire transfer authorization process include the following:
  A wire request documentation form? Yes / No
  A separation of authority protocol? Yes / No
  A protocol for obtaining proper written authorization for wire transfers? Yes / No
  A protocol for confirming all payment or funds transfer instructions/requests from a new vendor, client or customer via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the payment or funds transfer instruction/request was received? Yes / No
  A protocol for confirming any vendor, client or customer account information change requests (including requests to change bank account numbers, contact information or mailing addresses) via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the change request was received? Yes / No

Loss History

In the past 3 years, has the Applicant or any other person or organization proposed for this insurance:
  Received any complaints or written demands or been a subject in litigation involving matters of privacy injury, breach of private information, network security, defamation, content infringement, identity theft, denial of service attacks, computer virus infections, theft of information, damage to third party networks or the ability of third parties to rely on the Applicant’s network?
* Yes / No
  Been the subject of any government action, investigation or other proceedings regarding any alleged violation of privacy law or regulation? * Yes / No
  Notified customers, clients or any third party of any security breach or privacy breach? * Yes / No
  Received any cyber extortion demand or threat? * Yes / No
  Sustained any unscheduled network outage or interruption for any reason? * Yes / No
  Sustained any property damage or business interruption losses as a result of a cyber-attack? * Yes / No
  Sustained any losses due to wire transfer fraud, telecommunications fraud or phishing fraud? * Yes / No
Do you or any other person or organization proposed for this insurance have knowledge of any security breach, privacy breach, privacy-related event or incident or allegations of breach of privacy that may give rise to a claim? * Yes / No
In the past 3 years, has any service provider with access to the Applicant’s network or computer system(s) sustained an unscheduled network outage or interruption lasting longer than 4 hours? * Yes / No
Did the Applicant experience an interruption in business as a result of such outage or interruption? Yes / No