Cyber Insurance Proposal Form
Parts: 1 Applicant Details; 2 Data Security; 3 Personal Data; 4 Claims; 5 Sector Specific

Section 1 – Details of the applicant

1. Insured Entity Type (please select one):
   - Sole Trader
   - Partnership
   - Public Listed Company
   - Unlisted Limited Company
   - Not for profit / Association
   - Private Company (Pty Ltd)
2. ABN / ACN:
3. Insured Name:
4. Trading Name (if applicable):
5. Insured's Registered Address (the place where the business is registered / incorporated):
6. Place of Incorporation:
7. Date Established:
8. Insured's Website Address:
   [ ] N/A – the Insured does not have a website
9. Occupation / Business Description:
   Provide a detailed description of all business activities, including related entities.

Section 2 – Business and employee information

Subsidiaries

1. Are you domiciled in Australia with no subsidiaries outside Australia or New Zealand? Yes / No
   If NO, please confirm:
   a. Are you domiciled in Australia? Yes / No
   b. Where are the Insured's overseas subsidiaries? Please specify in which countries the Insured's subsidiaries are located and indicate the percentage of total revenue derived from each.
      Columns: Subsidiary Name; Country; Revenue %

Turnover

2. Please provide, for the Past Year, the Current Year and the Estimated Next Year:
   - Total Turnover (AUD)
   - % of Turnover Derived from Online Channels
3. Is more than 25% of the Insured's revenue derived from the USA and Canada? Yes / No

Stamp Duty

4. What is the Insured's breakdown of turnover? We use this information to apportion the payment of stamp duty across the states and territories where the Insured operates.
   NSW %; ACT %; QLD %; VIC %; TAS %; SA %; WA %; NT %; O/S %; Total 100%
   If you have declared Overseas Turnover, please complete the table below:
   a. From which country or countries is the Overseas Turnover derived?
   b. What activities are conducted overseas?
   c. How many Personally Identifiable Information (PII) records are held overseas?
      Columns: Country(ies); Percentage of Total Turnover %; Activities; PII Records
5. Is the Insured exempt from GST? Yes / No
6. Is the Insured exempt from Stamp Duty?
   Yes / No
   If YES, I declare that the Insured is relying on a stamp duty exemption (for example a charity organisation exemption) in relation to this policy. I have obtained a copy of the exemption certificate(s) or declaration(s) and any other supporting documentation to verify this exemption, and I will provide a copy to DUAL on binding or upon request.
7. Please confirm: Yes / No

Employees

7. Please confirm your staff size. Include all principals, partners, directors and employees (full time, part time and casual staff, interns and volunteers).
   Number of Employees per category:
   - Principal / Partner / Directors
   - Professional Staff
   - Administration / Support
   - Information Technology
   - Cyber / Information Security
   - Other (please specify)
   - Total
8. Please confirm the number of employees that are full time:

Section 3 – Data security details

1. Do you secure remote access to your network and data (SSL, IPSec, SSH, etc.)? Yes / No
2. Do you use operating systems with embedded firewalls and anti-virus protection software (such as Windows or Mac OS X), or run commercially licensed separate firewall or anti-virus protection software? Yes / No
3. Do you enforce a policy of auditing and managing computer and user accounts? Yes / No
4. Do you enforce a restricted access management policy for administrator rights and critical resources? Yes / No
5. Are all mobile devices (such as laptops, tablets, smartphones and memory sticks) password protected? Yes / No
   If NO, please explain:
6. Do you encrypt all mobile devices and backup media? Yes / No
   If NO, please explain:
7. Are you compliant with the Payment Card Industry Standards (if applicable), as set out by the PCI Security Standards Council (PCI SSC)? Yes / No
   Compliance with the PCI Standards is required for all entities that store, process or transmit cardholder data. If the PCI Standards do not apply to you, answer "Yes" to this question.
8. How often do you back up sensitive, confidential, critical or valuable data?
9. Do you regularly test re-establishing network functionality and restoring data from backups? Yes / No
10. Is all sensitive, confidential, critical or valuable data encrypted? Yes / No
    If YES, which of the following? At rest on the network / In transit / In backup
11. Are staff trained on cyber security? Yes / No
    If YES, how often?
12. Do you distribute written cyber security training materials to your staff? Yes / No
    If YES, how often?
13. Do you require staff to update passwords at least every 45 days? Yes / No
    If YES, how often?
14. Have you performed penetration and/or social engineering testing? Yes / No
    If YES, please provide details (and/or attach the report):
15. Are software patches installed within 30 days of release? Yes / No
16. Is multi-factor authentication required for any and all remote access to your systems (including webmail, Citrix desktop, cloud-based applications or Remote Desktop Protocol (RDP))? Yes / No
17. Are you ISO 27001 (Information Security Management) certified, or certified to an equivalent framework? Yes / No
18. Do you have an online platform? Yes / No
    If YES, is it served over HTTPS? Yes / No
19. Does the Insured (directly or by re-selling such a service) provide, operate, administer or maintain any cloud hosting services, website hosting services or ISP services to or on behalf of third parties? Yes / No
20. Do you use any end-of-life or unsupported operating systems or software, including on an extended support basis? Yes / No
21. Do you use a security information and event management (SIEM) tool? Yes / No
22. Do you have an e-mail filtering system (e.g. MimeCast or equivalent) in place that is activated for all email accounts? Yes / No
23. Do you utilise a privileged access management (PAM) tool (such as Microsoft Privileged Identity Management)? Yes / No

Section 4 – Business interruption

1. Do you have any of the following in place?
   Yes / No
   If YES, please select all that apply:
   - A data breach response plan
   - A business continuity plan / disaster recovery plan which takes cyber perils into consideration
   - An IT security policy / framework
   If selected, please provide a copy (optional upload).
2. Is the Disaster Recovery Plan or Business Continuity Plan tested annually? N/A / Yes / No
   If NO, how often? Quarterly / Half yearly / Other (please specify):
3. Network Dependency. After how long will your business be impacted by a loss of your site/systems?
   0 to 6 hours / 6 to 12 hours / 12 to 24 hours / Above 24 hours
4. Please provide the following Gross Profits:
   For the last financial year (AUD):
   Estimated for the current financial year (AUD):
5. Do you wish to have cover for Contingent Business Interruption? Yes / No
   For further information regarding this Optional Extension, please visit the website. This cover is available under Platinum only.
   If YES, please confirm details of the external suppliers you wish this cover to apply to (aside from any outsourced network providers previously declared). Each must be a third-party business with which the Insured has an agreement for the provision of products or services; otherwise cover under Optional Extension 4.1 may not apply.
   Columns: Name of External Supplier; Product / Service Supplied

Section 5 – Outsourcing

1. Do you outsource any critical business functions to third parties, including storage? Yes / No
   If YES, please describe. Columns: Name of Service Provider; Type of Business Function
2. Do you outsource any IT function to third parties? Yes / No
   If YES, please describe. Columns: Name of Service Provider; Type of Business Function
3. Do you periodically audit the functions of the outsourcers to ensure that they align with your risk management and security policies? Yes / No
   If YES, how often? Quarterly / Half yearly / Yearly / Other (please specify):
4. Do you waive your rights of recourse against the outsourcers for the services they provide? Yes / No
5. How do you select and manage outsourcers?
6. Do you require the outsourcers to carry professional indemnity insurance? Yes / No
7. Do you have written agreements in place between yourself and the outsourcers defining each party's responsibilities? Yes / No
   If NO, please explain:

Section 6 – Personal data

1. How many records of personally identifiable information (PII) do you hold?
   An Insured may hold various pieces of personal information for one client (for example name, address and age); that information is counted as one record.
2. What types of personal data do you hold? Select all that apply:
   - Bank details, including banking/savings accounts, debit card and/or credit card
   - Healthcare information
   - Tax records, including Tax File Numbers
   - Personal (email address, physical address, telephone/mobile number)
   - Date of birth
   - Identification numbers, including identification card, driver's licence and/or passport
   - Others, please describe:
3. Please provide the number of records in each of these categories:
   Bank Details; Healthcare Information; Tax Records; Personal; Date of Birth; Identification Numbers; Others
4. Please provide the % breakdown of records stored by:
   a. Owned Network %
   b. Third Party Network %
5. What is the estimated maximum number of records currently residing on:
   a. One server:
   b. One centralised location:

Section 7 – Social Engineering, Phishing and Cyber Fraud

1. Do you wish to have cover for Social Engineering, Phishing and Cyber Fraud? Yes / No
   If YES, please confirm the following; if NO, please continue to Section 8.
   a. Are all requests to establish/create or alter supplier and customer details, including bank account details, independently verified for authenticity with a known contact, either in person or via a telephone call? Yes / No
   b. Does the Insured ensure that at least two members of staff authorise any transfer of funds, signing of cheques (above $2,000) and the issuance of instructions for the disbursement of assets, funds or investments? Yes / No
      If the Insured has only 2 staff or fewer, answer YES by default.
   c. Does the Insured maintain procedures for the provision of written training materials to all employees regarding Social Engineering Fraud and Cyber Fraud, which incorporate regular review? Yes / No
   d. Does the Insured maintain procedures for changing passwords for all online accounts and banking platforms at least every 45 days, and ensure password best practices or 2FA? Yes / No

Section 8 – Regulatory issues

1. Have you ever been investigated in respect of personally identifiable information or your privacy practices? Yes / No
2. Have you been asked to supply any regulator with information relating to personal information or privacy practices? Yes / No
3. Have you ever been asked to sign a consent order or equivalent relating to personal information handling or privacy? Yes / No
4. Have you ever received a complaint relating to the handling of someone's personal information? Yes / No
   If YES, please specify details (attach additional information if required):

Section 9 – Claim details

1. After enquiry of all Partners, Principals, Directors, Officers, Trustees and Senior Managers:
   a. Have there been any claim(s) made against the Insured, or any loss or expense incurred, which might fall within the terms of this insurance cover? OR
   b. Have any circumstances occurred which may give rise to a claim against the Insured, or result in any loss or expense being incurred, which might fall within the terms of this insurance cover?
   "Incurred" means any settlement made, legal fees, defence costs or reserved amounts.
   Yes / No
   If YES, please provide further information (attach additional information if required):
2. Is the Insured aware of any matter that is reasonably likely to give rise to any loss or claim under such insurance, or has the Insured suffered any loss or claim, including but not limited to a regulatory, governmental or administrative action against the Insured, or any investigation or information request concerning any handling of personally identifiable information?
   Yes / No
   If YES, please provide further information (attach additional information if required):
3. Has the Insured, or any of its Partners, Principals, Directors, Officers, Trustees and Senior Managers, ever been declined this type of insurance, had similar insurance cancelled, had an application for renewal declined, or had special terms or restrictions imposed? Yes / No
   If YES, please provide details (attach additional information if required):

Section 10 – Indemnity Limit

1. Does the Insured currently have Cyber Liability and Data Protection insurance in place? Yes / No
   a. If NO, would the Insured like to change their retroactive date from policy inception to unlimited for an additional premium? Yes / No
   b. If YES, please provide details:
      Name of Insurer:
      Limit of Indemnity:
      Deductible:
      Expiry Date of Policy:
      Retroactive Date of the Policy:
2. Please select the amount of Indemnity required:
   AUD 500,000 / AUD 1,000,000 / AUD 2,000,000 / AUD 3,000,000 / AUD 4,000,000 / AUD 5,000,000 / Other (please state):

Section 11 – Financial loss details

1. Has the business experienced a cyber incident in the last 3 years? Yes / No
2. What types of sensitive customer records do you store?
   Medical Data Records (if YES, please confirm the number):
   Personal Data Records (if YES, please confirm the number):
   Credit Card Data Records (if YES, please confirm the number):
3. Please confirm your percentage of annual revenue from online business (%):
4. Which security measures has the business implemented?
   Firewall / Antivirus / Using Backup / Other:

Section 12 – Manufacturing only
Complete this section only if applicable to your business.

1. Is the manufacturing process computerised? Yes / No
2. Do you run CNC machinery on a Direct Numerical Control basis? Yes / No
3. Describe the cyber protection for the manufacturing environment:

Section 13 – E-commerce / Online retail only
Complete this section only if applicable to your business.

1. State the % of revenue derived from online sales:
2. Do you have mechanisms to mitigate web-skimming attacks? Yes / No
3. Describe the cyber protection for the online sales environment:

Section 14 – Funds management only
Complete this section only if applicable to your business.

1. What investment strategies do the funds utilise?
2. Do the funds engage in high-frequency or algorithmic trading? Yes / No
3. Current and 12-month forecast Funds Under Management (FUM):

Section 15 – Transport and logistics only
Complete this section only if applicable to your business.

1. Please describe the exact nature of your operations, including rail, road, air and sea capabilities:
2. Please state the percentage of revenue derived from online bookings:
3. Please describe how your clients could make bookings if the online booking channel were offline:
4. Please describe how your clients could make bookings if the online booking channel, emails and landlines were all offline:
5. How would you manage your scheduling and operational activities without access to your network?
6. Do you segregate the critical operational networks from non-critical networks? Yes / No

Declaration

Signing this Proposal Form does not bind the proposer or the Insurer to complete this insurance. The undersigned declares that the statements and particulars in this Proposal Form are true and that no material facts have been misstated or suppressed after enquiry. The undersigned agrees that, should any of the information given by us alter between the date of this proposal and the inception date of the insurance to which this proposal relates, the undersigned will give immediate notice thereof. The undersigned agrees that the Underwriters may use and disclose our personal information in accordance with the Privacy Collection Statement at the beginning of this proposal. The undersigned acknowledges that they have read the policy wording and associated endorsements and are satisfied with the coverage provided, including the limitations and restrictions on coverage.
The undersigned agrees that this proposal, together with any other information supplied by us, shall form the basis of any contract of insurance effected thereon.

To be signed by the Insured for whom this insurance is intended:
Full name:
Position:
Signature:
Date:

It is important that the undersigned of the declaration above is fully aware of the scope of this insurance so that these questions can be answered correctly. If in doubt, please contact the broker or agent, since non-disclosure may affect an Insured's right of recovery under the policy. DUAL Australia recommends that you keep a record of all information supplied for the purpose of entering into an insurance contract (including copies of this proposal form and correspondence).