Cyber and Data Security Proposal form
This proposal form must be completed and signed by a principal, director or a partner of the proposed insured.

Cover and quotation requirements
Please indicate which sections of cover you require a quotation for. Please tick where appropriate.

Cyber, data security and multimedia liability
Cover for compensatory damages and defence costs for liabilities arising from:
- Your failure to correctly handle, manage or store personal and commercial data
- Your violation of data protection and privacy regulation and/or legislation
- A third party's good-faith reliance on a hacker's fraudulent use of your electronic signatures
- Your failure to protect against unauthorised access to, unauthorised use of, or a denial of service attack by a hacker
- Your unintentional spreading of a computer virus
- Your improper online activities such as web-scraping and web harvesting
- Multimedia exposures in the form of defamation and breaches of intellectual property rights arising from any matter or content you publish online, including the content of your website.

Mandatory minimum cover
Cover is also given for your own costs to deal with:
- The reimbursement of any financial benefit that has been transferred to a third party by a hacker and which you cannot recoup
- Public relations and crisis management specialists to help you respond to and mitigate the damage from an insured event
- Regulatory investigations and penalties (where insurable by law)
- The withdrawal of any content you publish which is deemed to breach advertising standards
- Compensating you for the costs of having employees in court to deal with any claims covered under the policy.

Data breach costs cover
Cover to help you deal with the costs and event response following a cyber or data security event, including a breach of privacy and/or data protection regulation.
Cover includes:
- The costs to notify individuals that their data has been breached, including legal drafting
- The cost of credit monitoring where personal financial data has been breached
- The cost of a call centre to coordinate and handle a data breach notification response.

Information and communication asset rectification costs cover
Cover to help you deal with the costs of:
- Repairing, restoring or replacing the affected parts of your information and communication assets (including software, hardware, firmware and electronic data) following any damage, destruction, alteration, corruption, copying, theft or misuse by a hacker.

Cyber business interruption costs cover
Cover to help you deal with the costs of:
- Replacing your lost profit as a result of you being unable to trade during a total or partial interruption, degradation in service or failure of information and communication assets following a hacker attack.

Cyber extortion cover
Cover to help you deal with the costs of:
- Handling and dealing with the response to a threat from a hacker to attack your information and communication assets. Cover also includes the value of a ransom you may have had to pay to avoid such an event.

Please note that cover is subject to policy terms and conditions. Please ask your broker for a copy of the policy wording.

3326/CYBER&DATASECURITY/PROPOSAL/APR2014 P2 / 10
Company information
1 Company name
2 Website address
3 Postal address
  Postcode
4 Email address
5 Do you require cover for any other locations which are not stated as your main postal address?
  If Yes, please provide details
6 Business established since:
7 Number of employees:
8 Please provide a description of your business services:
9 Please give a breakdown of your turnover, including fee income, for the past and current financial years, and an estimate for the next year:

                                        Past year (actual)   Current year (estimate)   Next year (estimate)
  Financial year end (date)
  Total turnover including fee income
  Profit (net before income tax)

  Please provide an estimated percentage split of turnover including fee income by geographical territory:

                                                            Past year (actual)   Current year (estimate)   Next year (estimate)
  United Kingdom clients
  European clients
  USA and Canadian clients NOT subject to USA/Canada law
  USA and Canadian clients subject to USA/Canada law
  Rest of world clients
  Total                                                     100                  100                       100
Network and data structure
1 Please provide brief details of the functions of your internal IT network
2 Please provide details of the size of your IT network, number of:
  Computer users:
  Servers:
  Server locations:
  PCs:
  Portables (laptops, smartphones, notebooks, tablets):
3 Please provide a financial value for your IT network (including but not limited to hardware, software, cabling and firmware)
4 Please estimate the total number of Personally Identifiable Information records, including employees and customers, that your company holds.
  Personally Identifiable Information is defined as: information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
  Do you see this changing substantially in the next 12 months?
  If Yes, please provide details below:
5 Please highlight which bands of Personally Identifiable Information records you hold:
  Low sensitivity
  - Name
  - E-mail address
  Moderate sensitivity
  - Home address
  - Telephone numbers
  - Date of birth
  - Driver's licence number
  - Protected health information
  - Insurance policy number
  - National Insurance number
  - Passport number
  High sensitivity
  - Banking or savings account number
  - Debit card number
  - Credit card number
6 Please estimate what proportion of the total number of Personally Identifiable Information records you hold include a highly sensitive element:
7 Do you seek explicit consent from all third parties before selling or sharing their Personally Identifiable Information?
8a Do you outsource any part of your IT network, including but not limited to data storage, data hosting and/or data processing of Personally Identifiable Information records?
   If Yes, please provide the name of the third-party company:
 b Does this involve the transfer of any Personally Identifiable Information records to third parties outside of the European Economic Area (EEA)?
 c If Yes, do you ensure that the countries in which these third parties hold your Personally Identifiable Information records have strict government legislation and regulation on data protection?
   If No, please provide details below:
 d Do you have a written contract in place with these third parties that will indemnify you for IT system or data security breaches arising from their services?

Network and data security
1 Do you have a Chief Information Officer (CIO) and/or a Chief Security Officer (CSO)?
  If No, please provide details of who controls your IT network and data/information security.
2 Do you adhere to and comply with the following:
  Data Protection Act 1998:
  Privacy and Electronic Communications Regulations:
  Payment Card Industry (PCI) Data Security Standards:
  ISO 27001:
3a Have you had a third-party security audit undertaken on your IT network?
 b If Yes, have you implemented the recommendations of the audit?
4 Do you ensure that all Personally Identifiable Information records are backed up and held at a secondary location?
5 Do you have firewalls protecting all external IT network gateways?
6 Do you use encryption tools to ensure the integrity and confidentiality of all Personally Identifiable Information records, including those on removable media?
7 Do you use anti-virus software and anti-spyware?
8 Do you have a vulnerability assessment programme that monitors for IT network security and data security breaches and ensures timely updates of anti-virus and anti-spyware signatures and critical security patches?
9 When recruiting new employees, do you undertake thorough background checks before employment is offered? Such as: CRB (Criminal Records Bureau), identity, qualifications, disciplinary.
10a Do you have an internet and email usage policy written into all employment contracts which is clearly communicated to all employees?
  b If Yes, does this permit the monitoring and investigation of the computer activity of your employees?
    If No to either of the above, please provide details:
11 Do you implement a data protection policy for the handling of data, including Personally Identifiable Information records, which is clearly communicated to all employees?
12 Do you have physical controls and registration for visitors at your company's entrance area?
13 Are all Personally Identifiable Information records, including those contained in a physical form (paper, disks, CDs, hard drives), disposed of or recycled by a confidential and secure means which is recognised throughout the organisation?

Business impact
1 How fast are you likely to incur a loss of profit as a result of an IT network compromise and a total system downtime?
  Level 1: 48 hours +
  Level 2: 24-48 hours
  Level 3: 12-24 hours
  Level 4: 1-12 hours
  Level 5: Immediately
2 In the event of your IT network being subjected to a non-scheduled closure and total downtime, please estimate your maximum daily loss of profit (net profit before tax).
3 Do you have a disaster recovery plan which protects you against any sudden or unexpected failure of your IT network and security breach/data compromise?
  If No, then please advise how you would deal with such an event in a time-critical manner.
  If Yes:
  a Is the back-up system managed by a third party?
  b How regularly is it tested?
  c When was it last tested?
  d How long did it take to switch to this back-up system?
Online media
1 Do any of your websites (including websites you may host for third parties) contain any of the following:
  - Financial transactions via payment cards
  - Medical records or private information of individuals
  - Legal advice or services
  - Streaming music or video
  - Social networking
  If you answered Yes to any of the above, please provide details below:
2 Do you have a privacy policy on your website?
  If No, please provide details:
3 Do you have a specific policy for managing all opt-in / opt-out marketing requests, including the use/storage of cookies on a browser's system/device?
4 Do you have a procedure for responding to allegations that content created, displayed or published is libellous, infringes intellectual property rights, or violates a third party's privacy rights?
5 Are third parties able to contribute to message boards, chat rooms or forums on your websites (including websites you may host for third parties)?
  If Yes, please describe what procedures you have in place for monitoring or moderating content posted on your website, including your take-down policy.
6 Do you have a qualified lawyer (or other legally qualified individual) review all content prior to posting on your websites (including websites you may host for third parties)?
  If No, then who authorises this?
7 Do you obtain written warranties and indemnities from third parties for content they have created for you (including advertising agents)?
  If No, please provide details:
Claims and insurance history
1 Have you previously been insured in respect of Cyber and Data Security?
  If Yes, please provide details (UNLESS YOU ARE INSURED WITH QBE):
  Cyber and Data Security
  - Insurer
  - Limit of indemnity
  - Excess (each and every claim)
  - Premium
  - Expiry date
2 Has your business ever been declined for a Cyber and Data Security insurance policy, or had an existing policy cancelled?
  If Yes, please provide full details:
3 Have you ever experienced an event that did or may have given rise to a claim or circumstance under a cyber and data security policy, including but not limited to a hacking incident, virus or malicious code attack, cyber extortion attempt, breach of secure data, wrongful disclosure of personal data or interference with rights of privacy?
  If Yes, please provide details, including what measures have been taken to prevent a recurrence.
4 Please provide details of any matter which may be relevant to Underwriters' consideration of your proposal and which has not been disclosed elsewhere in this proposal:
Declaration
I/We declare that this proposal has been completed after appropriate enquiry and that the statements and particulars in this proposal (including all attachments, if applicable) are true, and that I/We have neither misrepresented nor suppressed any material facts. I/We undertake to inform Underwriters of any material alteration to these facts, whether occurring before or after the completion of the contract of insurance.

Signature of Principal/Partner/Director
Date

QBE European Operations is a trading name of QBE Insurance (Europe) Limited, no. 01761561 ("QIEL"), QBE Underwriting Limited, no. 01035198 ("QUL"), QBE Management Services (UK) Limited, no. 03153567 ("QMSUK") and QBE Underwriting Services (UK) Limited, no. 02262145 ("QSUK"), whose registered offices are at Plantation Place, 30 Fenchurch Street, London, EC3M 3BD. All four companies are incorporated in England and Wales. QIEL and QUL are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. QUL is a Lloyd's managing agent. QMSUK and QSUK are both Appointed Representatives of QIEL and QUL.