Cyber Security Application

Cyber Application
General Information
Name of Organization
Contact
Mailing Address
Contact Telephone
Type of Business (choose one)
Description of Business
Total Annual Revenue
Website Address
Annual revenue generated from/attributable to activities conducted through website
Coverages Requested
Please select limit of insurance requested
Policy Effective Date
Overall Aggregate
Web Site Publishing Liability
Programming Errors and Omissions Liability
Replacement or Restoration of Electronic Data
Extortion Threats
Business Income Threats
Public Relations Expense
General Underwriting Questions
Do you collect and/or store any of the following types of electronic data of third parties (e.g. customers or business partners, etc)? Check all that apply.
Estimated number of customer data records that you keep electronically:
Is the customer data encrypted?
Are you subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)? If so, are you in compliance?
Employment Practices
Do you publish and distribute information technology and privacy policies to all employees?
Do you provide training to your employees on information security awareness?
Do you conduct any of the following screening on new employees? Check all that apply.
Risk Controls
Do you have a firewall?
How often do you review the rules within the firewall?
When was the last time a rule was removed/deactivated?
Are your IT department or outsourced third party vendors/providers to adhere to a software update process, including software patches and anti-virus software definition upgrades?
Do you perform virus scans of emails, downloads, and portable devices?
Do you restrict access to sensitive client, customer, employee, or other third party information?
Do you have a process for managing user accounts, including the timely revocation of access for terminated employees and the removal of outdated accounts?
Are there physical security controls in place to restrict access to your computer systems and sensitive paper records?
Do you have role-based controls, or other procedures that address user access to critical and sensitive computer systems, applications, or records?
Do you have a written business continuity/disaster recovery plan that includes procedures to be followed in the event of a disruptive computer or network incident?
Do you have a designated individual or group responsible for information security and compliance operations? Check all that apply.
Is all sensitive customer, client, and employee data:
Encrypted at rest?
Encrypted in transit?
Accessible via mobile devices, laptops or other storage media?
If yes, are the mobile devices or other storage media encrypted?
How long would it take to restore your operations after a computer attack or other loss / corruption of data?
Are mission-critical transactions and security logs reviewed periodically for suspicious activity?
If yes, how frequently?
Have you undergone an information security or privacy compliance evaluation? If yes:
Who performed the evaluation?
What date was the evaluation performed?
What type of evaluation was performed?
Were all recommendations implemented and deficiencies corrected?
If no, please explain:
Do you outsource critical components of your network/computer system or internet access/presence to others?
Do you have a program in place to periodically test your data security controls?
Do you have written contracts in place to enforce your information security policy and procedures with third party service providers?
Do those contracts contain hold harmless or indemnification clauses in your favor?
Do you audit all vendors and service providers who handle or access your data and require them to have adequate security protocols?
Do you have a document destruction and retention policy?
Do you monitor your network in real time to detect possible intrusions or abnormalities in the performance of the system?
Loss Experience
During the past three (3) years whether insured or not, have you sustained any losses due to unauthorized access, unauthorized use, virus, denial of service attack, electronic media liability, data breach, data theft, fraud, sabotage or other similar electronic security events?
Within the past three (3) years, have you experienced any network related business interruption exceeding eight (8) hours other than planned maintenance of your computer system(s)?
During the last three (3) years, has anyone alleged that you were responsible for damage to their computer system(s) arising out of the operation of your computer system(s)?
During the last three (3) years, have you been the subject of an investigation or action by regulatory or administrative agency for privacy-related violations?
During the last three (3) years, have you received a complaint or other proceeding (including an injunction or other request for non-monetary relief) arising out of intellectual property infringement, copyright infringement, media content, or advertising material?
During the last three (3) years, has anyone made a demand, claim, complaint, or filed a lawsuit against you alleging invasion of, or interference with, rights of privacy or the inappropriate disclosure of Personally Identifiable Information (PII)?
Privacy Controls
Are you in compliance with the following:
Do you restrict employee access to customer files and Personally Identifiable Information (PII) of employees to those with a business need-to-know basis?
If no, please explain:
Does your hiring process include the following for all employees and independent contractors? Check all that apply.
Do you allow employees to download the Personally Identifiable Information (PII) of customers or confidential information in your care belonging to third parties onto laptop computers or other storage media?
If yes, is information required to be encrypted when it is stored onto the laptop or other storage media?
Do you have a current computer network and information security policy that applies to employees, independent contractors, and third-party vendors?
If yes, is the information published within the company (corporate intranet, employee handbook, etc.)?
Are all employees periodically instructed on their specific job responsibilities with respect to information security, such as the proper reporting of suspected security incidents?
Do you require the transmission of personal customer information such as credit card numbers, contact information, etc., as part of your internet-based web services?
Media Liability Controls
Do you have a process to review content or materials (including meta tags) before they are published, broadcasted, distributed, or displayed on your website for the following:
Defamation (Slander/Libel)
Right to privacy or publicity
Copyright, trademark or domain name
Are any of the following types of content disseminated on your website?