Ransomware Supplementary Proposal
This document allows Chubb to gather the information needed to assess the risks related to your information systems. If your information systems security policies differ between your companies or subsidiaries, please complete a separate proposal form for each information system.
Company Information
Company name:
Primary Industry:
Company Profile
2. Business Activities - Please describe what your company does to generate the turnover listed above, including subsidiary activities:
3. Scope of Activities - Do you have any company or subsidiary offices domiciled outside of your country of headquarters for which coverage is required? Yes No
a. If yes, please complete the table below. If you need more space, please include as an attachment to this proposal.
Note: This information is required to ensure that each of your entities is eligible for coverage in the countries in which you operate.
Data Privacy
1. Is Multi-Factor Authentication (MFA) applied to all external access to your systems? Yes No
If yes, what second factor is used to enter the network? Examples: certificate, token, SMS, application on a separate device, biometric.
Token
Do users and administrators have separate, unique accounts, and are administrator accounts not used on the administrators' own workstations? Yes No
Are all access logs retained for at least 90 days and reviewed weekly? Yes No
Are strong passwords (at least 16 mixed characters) used for all admin accounts? Yes No
Is MFA in place for all admin access (internal and external)? Yes No
Is the emergency admin password at least 30 characters long (if no MFA is applied) and stored in a vault or password manager? Yes No
Do you use the Microsoft Active Directory tier structure or an alternative? Yes No
We use Microsoft AD
3. Are all accounts (users, admin, vendors, service) audited at least every quarter? Yes No
4. Are backups stored offline (offline means e.g. tapes, non-mounted disks)? Yes No
Do you make use of immutable (or WORM) backup solutions? If yes: are the backup servers kept out of Active Directory and other domains, is a separate account used for access, and is MFA applied? Yes No
Are backups of all critical systems and data made at least daily? Yes No
Are internal and external vulnerability scans performed at least quarterly? Yes No
Is a penetration test performed at least annually on all external-facing systems? Yes No
Is network and incoming traffic monitored for anomalous and suspicious data, and is an IDS or IPS used? Yes No
Are all logs from all Internet-facing firewalls reviewed at least weekly by dedicated security personnel? Yes No
Is a SIEM system combined with a SOC (internal or external) used, and are all logs from critical assets sent to the SIEM? Yes No
Are Endpoint Detection & Response (EDR) systems implemented on all endpoints? Yes No
Email Security
5. Is all incoming email scanned and filtered for malware and automatically placed in quarantine? Yes No
Is your network segmented so that critical systems, Wi-Fi, OT and End of Life systems are separated from each other? Yes No
Are End of Life (EoL) systems isolated and not connected to the Internet? Yes No
Describe any additional (security) measures you have in place and, if applicable, give full detail on any question you have answered "No" to above.
Declarations
I declare (i) that we have made a fair presentation of the risk, by disclosing all material matters which we know or ought to know or, failing that, by giving the Insurer sufficient information to put a prudent insurer on notice that it needs to make further enquiries in order to reveal material circumstances; and (ii) that I have obtained, and will obtain in the future, the express consent to the disclosure and use of sensitive personal data from every data subject whose sensitive personal data is supplied in relation to this proposal for the purposes of (a) underwriting the risks and (b) administering and performing any resulting insurance contract.
I undertake to inform the insurer promptly in writing of any material alteration to those facts occurring before completion of the contract of insurance.
/ /