
Chubb Cyber Enterprise Risk Management

Supplementary Ransomware Questionnaire

This document allows Chubb to gather the needed information to assess the risks related to your information systems. If your
information systems security policies differ between your companies or subsidiaries, please complete separate proposal forms
for each information system.

Company Information

Company name:

Company headquarters (Address, City, Country, Postcode):

Year established:

Number of employees:

Website:

Primary Industry:

Company Profile

1. Turnover – Please describe how much turnover you generate

Turnover                 Prior complete financial year   Estimated current year   Projected following year

Global                   EUR                             EUR                      EUR

USA/Canada (Domestic)    EUR                             EUR                      EUR

USA/Canada (Exports)     EUR                             EUR                      EUR

Rest of World            EUR                             EUR                      EUR

Percentage of global turnover generated from online sales ______ %

2. Business Activities - Please describe what your company does to generate the turnover listed above,
including subsidiary activities:

3. Scope of Activities - Do you have any company or subsidiary offices domiciled outside of your country of headquarters for which coverage is required? Yes No

a. If yes, please complete the table below. If you need more space, please include as an attachment to this proposal.

Note: This information is to ensure that each of your entities is eligible for coverage in the countries in which you operate.

Name of subsidiary/entity   Country (if USA or Australia, please include the State)   % of global turnover earned

Data Privacy

1. Is Multi-Factor Authentication (MFA) applied to all external access to your systems? Yes No

If Yes, what is the 2nd factor used to enter the network? Example: certificate, token, SMS, application on a separate device, biometric

Token
_____________________________________________________

2. Privileged accounts and, if applicable, access to Active Directory Protections:

Do users and administrators have separate, unique accounts in place, and do administrator accounts have no access to the administrators' own workstations? Yes No

All access logs are stored for at least 90 days and monitored weekly. Yes No

Strong passwords are used for all Admin accounts: at least 16 mixed characters. Yes No

For all Admin access (internal and external) MFA is in place. Yes No

The emergency Admin password is at least 30 characters long (if no MFA is applied) and stored in a vault or password
manager. Yes No

Do you use the Microsoft Active Directory Tier structure or alternatives? Yes No

Additional commentary on the above if applicable.

We use Microsoft AD
____________________________________________________________________________

3. All accounts (users, Admin, vendors, service) are audited at least every quarter? Yes No

Backups and Network Security

4. Backups are stored offline (Offline are e.g. tapes, non-mounted disks etc.) Yes No

Do you make use of immutable (or WORM) backup solutions? (If yes: are the backup servers kept disconnected from the Active Directory or other domains? Is a separate account used for access, and is MFA applied?) Yes No

Additional comments if applicable: ____________________________________________________

Backups of all critical systems and data are at least made daily? Yes No

Full restore tests are performed at least annually? Yes No

A dedicated ransomware restore plan is utilised? Yes No

Critical patches are implemented within one week? Yes No

Vulnerability scans are performed internally and externally at least quarterly? Yes No

At least annually a penetration test is performed on all external facing systems? Yes No

Network and incoming traffic are monitored for anomalous and suspicious data, and an IDS or IPS is used? Yes No

At least weekly all logs from all Internet facing firewalls are reviewed by dedicated security personnel? Yes No

Logs are kept for 90 days? Yes No

A SIEM system combined with a SOC (internal or external) is used, and all logs from critical assets are sent to the SIEM? Yes No

Endpoint Detection & Response (EDR) systems are implemented on all endpoints? Yes No

Heuristic-based antivirus is present on all endpoints? Yes No

Email Security

5. All incoming email is scanned and filtered for malware and automatically placed in quarantine? Yes No

Sandboxing is used for further investigation of email attachments? Yes No

All employees follow an awareness training in information security? Yes No

Your network is segmented, separating your critical systems, WIFI, OT and End of Life systems? Yes No

End of Life (EoL) systems are isolated and not connected to the Internet? Yes No

Describe any additional (security) measures you have in place and, if applicable, full detail on any question you have answered “No” to above.

Every EOL system must be replaced with the latest system


_____________________________________________________________________________

Declarations

I declare (i) that we have made a fair presentation of the risk, by disclosing all material matters which we know or ought to know or,
failing that, by giving the Insurer sufficient information to put a prudent insurer on notice that it needs to make further enquiries
in order to reveal material circumstances; and that (ii) I have obtained, and will obtain in the future, the express consent to the
disclosure and use of sensitive personal data from every data subject whose sensitive personal data is supplied in relation to this
proposal for the purposes of (a) underwriting the risks and (b) administering and performing any resulting insurance contract.
I undertake to inform the insurer promptly in writing of any material alteration to those facts occurring before completion of the
contract of insurance.

Name of Director, Officer, or Risk Manager:

Signature of Director, Officer, or Risk Manager:

Date (MM/DD/YYYY): ___ / ___ / ______
