AIG CYBEREDGE - PROPOSAL FORM

Private & Confidential


Proposer Details

Name of Firm(s): SOFARMAMORRA SPA
Principal Address of Company: SEGRATE (MI) VIA LAMBRETTA N.2
City and postcode: 20090
VAT no.: 11985010153
Website: WWW.SOFARMAMORRA.IT
Date Firm(s) was Established*: 1979
Have any mergers or acquisitions taken place in the last 5 years? ✔ Yes / No
If 'Yes', please provide details including how processes, policies and procedures have been integrated with the main group: All the main business functions are managed by our administrative offices following our own tested procedures.
Are there planned Mergers or Acquisitions for the next 12 months? Yes, there are.
Are you involved in any joint ventures? If 'Yes', please provide details including how processes, policies and procedures have been integrated with the main group: Yes / ✔ No
Please state the number of employees: 550

*If less than one year old please provide details of relevant experience of the directors on a separate sheet.

Please complete the following revenue table:

Currency:

Revenue Amount
Geography        Last Complete Year (Actual)   Current Year (Estimate)   Next Year (Estimate)
UK / Europe      709.812.340                   711.585.028               780.000.000
USA/Canada       1.000.000 and 1.000.000 (two figures only; the form does not show which columns they fill)
Rest of World    6.277.902                     8.500.000                 10.000.000

1 of 24
Copyright © 2019 AIG Europe Limited - All rights reserved
Please state the number of data records currently processed/stored in the following categories:

Columns: UK/Europe (Processed / Stored), US/Canada (Processed / Stored), Rest of World (Processed / Stored). Every completed cell in this table was answered "none":

Basic Personal Information: none
Sensitive Personal Information: none
Payment Card Information: none
Financial Account Information: none
Health Related Information: none
Employee Personal Information: none
3rd Party Corporate Information: none

Please confirm which of the following definitions is closest to your organization (please flag all answers which apply):

General (All business that does not fit in a category below, including Construction and Agriculture)
Financial
Pharma and Food ✔
Manufacturing Automotive
Transport & Logistics ✔
Airlines
Wholesales ✔
Retail
Hospitality
Media
Professional Services
IT & Telco
Healthcare
Energy & Utilities
Construction
Software & IT Products
Education
Public Administration
Mining

Kind of deployed Systems


WebApplications
✔ ICS, SCADA, OT

POS
✔ Healthcare Systems
End User Systems
✔ OBUs (control of vehicles)
Terminals (ATM, Kiosk, Payment terminals) Critical IoT

Removable Media
✔ Non-critical IoT

Please describe your Cyber Exposure and IT structure risk by answering the following questions:

Cyber Exposure
• Business Interruption
  o How fast would an IT failure cause a business interruption? IMMEDIATELY
  o Business interruption history: NONE FOR CYBER EXPOSURE
  o Redundancies in production? BUSINESS CONTINUITY AND DR
  o Buffer, etc.?
• How many PII of which type are processed?
• Dependencies on
  o Internet connection: YES
  o Accessibility: YES
  o Phone: YES
  o Supply Chain: YES

IT Structure
• Number of IT users: 280
• Number of servers: 60
• Number of ICS: 10
• Number of essential central applications (ERP, CRM, ...): 7
• Core applications: 4
• Locations: 23
• Network segments:
• Uplinks:
• RZs (redundancies):

Executive Support

1 Reporting Lines
Cyber security staff has no ability to raise topics directly to the top management.

Cyber security is exclusively addressed within the CIO organization.

The top-management is collectively accountable for all cyber security matters.

The security organization does not directly report to the top-management.

The security organization directly reports to the top-management. ✔


The top-management has appointed an individual accountable for all cyber security
matters. The security organization directly reports to this director.

At board level, at least one responsible person for cyber security has been identified. ✔
2 Reporting Schedule
Cyber security topics are never reported to the top-management.

Cyber security is not on a routine reporting schedule. ✔


Cyber security is reported on routinely.

Only significant incidents are ever reported to the top-management. ✔


The data points consist mostly of the number of attacks, number of vulnerabilities found, etc.

The reporting includes representative metrics and KPIs. ✔


This includes hard to measure KPIs like meantime-to-detect.

Metrics and KPIs are adjusted and improved frequently to fully capture all dependencies to
the business operation.
3 Top Level Support
Cyber security is not a top-level management topic.

The Top-Management sees cyber security as a purely IT topic.

The picture gained during the risk dialogue suggests that senior management needs further education to understand cyber risk and best management practices in this regard.

The Top-Management discusses cyber security issues infrequently. ✔


The Top-Management is briefed regularly on cyber security topics. A clear reporting
schedule is in place.
The Top-Management is well-educated on cyber topics and fully understands the implications for the business. ✔
Cyber discussions take place frequently. ✔
Cyber security is an integral part of regular board discussions

Information Security Organization

1 Organizational Structure & Resources

No dedicated cyber security personnel have been appointed.

Clearly identified cyber security roles are assigned to IT personnel, without any dedicated personnel yet.

A single cyber security professional has been appointed within the IT organization. The
executed tasks focus mainly on establishing a good "cyber hygiene" across the enterprise.

A dedicated cyber security organization is in place.

Additionally, cyber security is incorporated through the business units.

"Cyber hygiene" is well under control. A vulnerability management capability is in place.

Capabilities span excellence in cyber hygiene, vulnerability management, and security


operations / threat hunting.
2 Policies, Procedures, etc.

No formal policies and/or procedures that address cyber security have been implemented.
A simple policy that outlines the approach toward cyber security is in place. Procedures are
mostly ad-hoc.


A policy / procedure framework, focusing on user awareness and cyber hygiene is in place.

A policy / procedure framework, addressing all security domains, is in place.

A good policy / procedure framework, addressing all security domains, aligned to well-
known standards (ISO, NIST) is in place.

Areas like BCM/DRP and Crisis Management are sufficiently addressed as well.
3 Continuous Improvement Process

Cyber security controls are static, and an improvement is not foreseen.

Cyber security improvements are conducted infrequently, in a project mode. A security


program is not in place.

Security controls are changed according to the professional judgment of IT personnel, but not by a continuous management cycle.

An initial security program has been established and it is currently being executed.

The initial security program was executed and successfully implemented. A follow-on
program is currently being developed.

A strong continuous security program is in place.

The implemented controls are leading in the industry, compared to peers.


4 Governance

No cyber security governance is in place.

Cyber security governance is starting to get addressed.



Currently, cyber security is still mainly handled within the IT organization.

Good governance for the core of the enterprise, including the internal IT, as well as the
business side, is in place.
Governance, addressing internal, as well as outsourced and supply-chain security, has been
established.

A strong reporting mechanism to the top-level management is in place.


A strong reporting mechanism to the top-level management, including a timely feedback
loop, is in place.
5 Use of Standards

Cyber security is addressed in an ad-hoc way. No standards are being followed.

Cyber security is loosely aligned with well-known standards.


A gap analysis has not been conducted, therefore important security controls might be
lacking.

Cyber security is aligned toward well-known standards.

A maturity component is present.

A mapping of security controls against the standards exists.

Cyber security follows all relevant standards, including maturity assessments.

Audits are being conducted regularly.

High risk areas are addressed in a timely manner.


Cyber security has been certified against all relevant standards, including maturity
assessments.

Operational infosec mgmt.

1 Vulnerability Management
No vulnerability management capability is present.

An initial vulnerability management capability is present. ✔


Processes are ad-hoc.

A basic patch and vulnerability management is established.

Good processes are in place.

The vulnerability management capability is well defined. Strong, pro-active processes are
in place.
Processes are measured and controlled.

Processes are measured and controlled, with strong focus on continuous improvement.

2 Audits & Pen Tests


Audits & Pen Tests are not performed.

Audits / Pen Tests are performed very infrequently (>2 years). ✔


A simple Audit / Pen Test schedule is in place, which guarantees a technical audit at least
annually.
A good audit / pen test schedule is in place.

All areas of IT are covered by separate, tailored audits.

Pen tests are conducted as a regular part of the Software Development Life Cycle (SDLC).

Continuous improvements are incorporated in a timely manner.

3 Patch Management
Patches / Updates are not being installed.

Patches are rolled out in an infrequent, ad-hoc manner.

Patches are rolled out within 4 weeks across the whole enterprise.

Patches are rolled out within 1 week across the whole enterprise.

Patches are rolled out based on a criticality assessment.

Patches are rolled out semi-instantly across the whole enterprise. ✔


Patches are rolled out in close collaboration with the vulnerability management.

4 Change Management
Change management is not present. ✔
Changes are implemented ad-hoc.

Basic change management processes are implemented.

Changes get documented.

A strong change management process, including documentation and a change advisory board, is implemented.

Change management processes include risk assessments and formal approval by a change advisory board.

A fundamental change management process, in which changes are documented and coordinated, exists.
5 Identity & Access Management (IAM)
Identity and Access Management is not present.

Identities are provided on request by IT by limited persons.

Creation of Identities is triggered by the HR department.

Identities and access rights are provided within an informal process via email.

A managed review process on user access rights is not in place.

Access rights are assigned according to template users.

Joiner / Mover / Leaver Processes are in place.

Access rights are revoked immediately if needed.

There is a 4 eyes principle, continuous review, conflict check in place.

6 Privileged Access Management (PAM)


Administrators use a single account.

Administrators have dedicated admin accounts. ✔


A privileged access management tool that grants critical access only temporarily is implemented.
There is a 4 eyes principle, continuous review, conflict check in place.

Infosec Technology

1 IDS, IPS, SIEM


No IDS / IPS / SIEM present.

The internet gateways are protected by IDS. ✔


The internet gateways are protected by IPS. ✔
Security events are fed into a SIEM.

Automated blocking is in place.

Dynamic blocking is in place.

A next-generation firewall deploying recent technologies is applied at each internet breakout.

2 Firewalls, Segmentation, NAC


No Firewall, segmentation, network access control is present.

A proper firewalling throughout the enterprise is in place. ✔


Some network segments are in place.

Detailed and granular network segmentation is in place.

Ports and network traffic are constantly monitored.

Network access control (NAC) is not in place.

NAC is in place.

3 WAF, Virtual Patching


No Web Application Firewall or Virtual Patching is present. ✔
Web Application Firewall is in place.

A basic Web Application Firewall functionality is provided by the firewall. However, more sophisticated attacks will most probably not be detected.

The Web Application Firewall rules are constantly updated.

Logs and Security events are constantly monitored and assessed.

Virtual Patching is in place.

4 Endpoints
No Endpoint protection present.

A basic antivirus solution is in place.

A next-generation AV is in place.

A next-generation Endpoint protection solution is in place. ✔


USB ports are open and not monitored.

USB ports are monitored by the Endpoint Protection. ✔


USB ports are closed.

A Data Loss Prevention solution is installed.

Logs and security events are monitored.

5 Remote Access
No dedicated remote access security controls in place.

Remote access is protected via an additional SMS / text message.

Dual Factor Authentication is implemented for selected remote access users.

Dual Factor Authentication is implemented for all remote access users.

A jump server solution is in place.

All access is logged. ✔


All access is constantly monitored.

6 Mobile Device Security


The use of mobile devices is not regulated. ✔
The use of mobile devices is covered by organisational rules.

Users are obliged to notify lost or stolen mobile devices immediately.

Mobiles are not managed centrally.

Company data cannot be accessed via mobiles.

Mobiles can be used to access mail, phonebook and calendar only.

Company data (e.g. Files) can be accessed using company mobiles.

Mobiles are managed by an MDM and can be wiped remotely.

Company data on Mobiles is protected by security containers.

7 DDoS Protection
No DDoS Protection is in Place.

The risk from DDoS attacks has been evaluated as not relevant.

Webhosting is done by a hosting provider who deploys DDoS protection.

A basic DDoS protection by a load balancer is implemented.

A CDN is used.

DDoS Protection Services are contracted with the ISP. ✔


DDoS scenarios are frequently trained as part of the ITSCM.

Threat Intelligence Management

1 Purchased Feeds & Source Variety

No Cyber Threat Intelligence feeds are being consumed. ✔
Cyber Threat Intelligence is consumed in an ad-hoc, unstructured manner.

Cyber Threat Intelligence feeds, both Open Source Intelligence and paid, are in use in an
unstructured manner.
Cyber Threat Intelligence feeds, both Open Source Intelligence and paid, are in use in a
structured manner.
Cyber Threat Intelligence is being fed into the security operations capability automatically.

Cyber Threat Intelligence feeds, both Open Source Intelligence and paid, are in use in a structured manner. Intelligence is being integrated into the security operations capability automatically, and defenses are updated in a dynamic manner.

2 Monitoring
No security monitoring capability is present.

Monitoring is focused on availability and up-time. ✔


All systems & services, across the enterprise, excluding OSPs, are monitored.

Changes are incorporated into the monitoring ad-hoc.

Changes are incorporated into the monitoring frequently.

Changes are incorporated into the monitoring as part of the configuration management
process.
All systems & services, across the enterprise, including OSPs, are monitored.

3 Log & Tools Evaluation


No Log & Tools evaluation capability present.

Security events are being analyzed in an ad-hoc manner by the IT-staff.

Security logs are collected in a consolidated manner. Review is conducted infrequently. ✔


Security logs are collected into a SIEM solution. Logs are analyzed continuously.

IOCs are incorporated in a timely manner.

IOCs are incorporated in a dynamic manner.

4 SOC / Threat Hunting


No Security Operation Center / Threat Hunting capability present.

Security operations are part of IT operations. No dedicated resources are present.

A Security Operation Center (or Threat Hunting) capability is available during working hours. ✔
A Security Operation Center (or Threat Hunting) capability is available 24/7.

The Security Operation Center (or Threat Hunting) capability covers OSPs.

The Security Operation Center (or Threat Hunting) capability covers both IT and OT.

Incident Response & IT Service Continuity

1 Backup & Recovery


No backup & restore capabilities present.

Some ad-hoc backups are present. ✔


Backup & restore capabilities are present. ✔
Backups are stored locally. ✔
Backups are stored off-site. ✔
Backups are stored in multiple locations. ✔
A backup plan, covering all aspects of the enterprise, is being executed.

A strong backup plan, using clear RPOs and covering all aspects of the enterprise, is being
executed.
Restore/Recovery has never been tested.

Recovery has been tested. ✔


Recovery testing and failovers are tested continuously.

2 Security Incident Management


No security incident management capability is present.

Security incidents are handled on an ad-hoc basis by the available (not security specific) staff. ✔
A simple IR process is present, and incidents are handled with dedicated IR staff.

A strong IR process is present, covering all incident scenarios across the enterprise.

Additionally, an Incident Response Orchestration capability is present.

Incidents are exercised regularly.

3 IT Emergency Planning
No IT emergency plan present.

Some rudimentary IT emergency planning is present.

Processes and resources for IT emergencies are allocated. ✔


IT emergency planning is a developed capability, which is embedded into a larger
framework.
IT emergency exercises have been conducted initially.

IT emergency exercises are scheduled regularly.

Resilience measures support the IT emergency planning.

Resilience measures fully support the IT emergency planning.

4 Cyber Crisis Organization


No cyber crisis organization present. ✔
A cyber crisis is dealt with on an ad-hoc basis.

An enterprise-wide crisis organization, with no specialized cyber expertise, is present.

An enterprise-wide crisis organization, with specialized cyber expertise, is present.

Cyber crises are exercised regularly.

Cyber crises are exercised regularly with other partners (e.g. industry peers, government, IT providers, etc.).
5 Cyber Resilience of Business Processes / BCM
No cyber resilience capability present. ✔
The cyber resilience capability is very limited, resulting in basic backup and restore
capabilities.

The cyber resilience capability is modeled around business requirements.

The existing BCM is not linked to the IT organization.

The cyber resilience capability is modeled around business requirements via business
impact analysis.

RTOs and RPOs are well defined.

Resilience is focused on disaster recovery.

Resilience is focused on disaster recovery, as well as business continuity.

For critical services, active-passive setups are deployed.

For critical services, active-active setups are deployed.

Human Resource Security Policies

1 User Awareness
No user awareness program present.

A one-time user awareness training on cyber risks was conducted.

Cyber risks are part of the enterprise staff training program at least once a year. ✔
A dedicated cyber user awareness program, spanning several modules, is in place.

Additionally, micro trainings on specific topics are offered in a very timely manner.

Cyber security is an integral part of the corporate culture.

2 Admin/Dev Awareness
No special group user awareness program present.

Admins / Developers are subject to the regular user awareness training. ✔


Admins / Developers are subject to the regular user awareness training, and undergo
additional training addressing their privileged access.

Admins and/or developers are subject to tailored awareness programs, focusing on their
privileged access to IT systems.

A formal framework, e.g. SSDLC, OWASP, etc. is in place.

Training success feedback (e.g. exercises, capture the flag, etc.) is provided routinely.

3 External Personnel

No dedicated external personnel training framework in place.

External personnel are briefed on cyber security requirements by an information sheet. ✔

External personnel are trained like internal staff.

4 Education & Training of IT staff


No security education & training framework present.

IT staff is trained mainly 'on the job'. ✔


IT staff is trained according to local (e.g. team based) planning.

IT staff is trained according to a globally managed process.

5 Personnel selection
No personnel selection framework present. ✔

OT Security

1 Patching
No OT patching process established. ✔
The OT environment is patched infrequently.

The OT environment is patched frequently.

A good patching process is in place.

The OT environment is patched pro-actively.

A clear visibility into the existing vulnerabilities exists.

Additional security controls to mitigate unpatched vulnerabilities are implemented in an ad-hoc manner.

Additional security controls to mitigate unpatched vulnerabilities are implemented in a very timely and controlled manner.

2 Segmentation / Isolation
No OT segmentation / isolation present. ✔
The OT environment is in a flat network.

The OT environment is separated from the rest of the enterprise (IT) network by a
switch.

The OT environment is separated from the rest of the enterprise (IT) network by a
firewall.
The OT environment is separated into several domains / networks.

Each segment is firewalled off.

Data-diodes are being used to limit traffic flow.

3 Remote Maintenance
No OT remote maintenance security controls present. ✔
Dial-up connections, with non-default usernames / passwords are present.

All remote access points are centrally controlled (e.g. RADIUS).

Logs are generated.

Access is passed through a Citrix / Jump server solution.

All actions are being recorded down to the command level.

4 Monitoring / Attack Detection


No OT monitoring / attack detection capability present. ✔
No active OT monitoring / attack detection capability is present.

Log files are being stored and are available for analysis.

Log files are being stored and routinely analyzed.

OT Log information and OT security event information are fed into a SIEM solution.

An OT SOC capability is present.

Analyses are conducted on the traditional network protocols.

Analyses are conducted on the OT protocol level.

5 Malware Protection
No OT malware protection in place. ✔
A Traditional AV solution is deployed onto the OT endpoints.

USB ports are not secured.

NextGen AV is deployed onto the OT endpoints.

USB ports are blocked / monitored.

Application whitelisting is deployed.

Vendor provided managed security services are deployed.

Secure Software Development

1 Developer training
No dedicated developer training present. ✔
Developers are trained in securing the artefacts of their work appropriately.

Additionally, fundamental knowledge of best coding practices is in place.

Additionally, structured knowledge of best coding practices (e.g. OWASP) is in place.

Secure coding classes are mandatory for all developers.

The development tools actively guide the developers in coding more securely.

2 Environment Protection
No dedicated development environment security controls present.

The development environment is in a different network segment. ✔


Developer accounts are restricted in rights or the development is de-coupled from the rest of the enterprise environment. ✔
Data is clearly managed between DEV, TEST, PROD environments. ✔
Code is being promoted following well established processes.

A framework like SecDevOps is in place.

3 SRA / Security Testing


No SRA / Security Testing present. ✔
Security Requirements are defined in an ad-hoc manner. Some security tests might be
conducted as part of the SDLC.
Basic Security Requirements are defined as part of the SDLC.

Test cases are developed and defined against the requirements and tests are executed as
part of the release cycle.

Comprehensive (and tailored) Security Requirements are defined as part of the SDLC.

Additional testing, e.g. Pen Testing, is being performed ad-hoc. ✔


Additional testing, e.g. Pen Testing, is being performed routinely.

Successful test completion is a mandatory requirement before new releases are accepted.
High risk areas are addressed before release.

4 Code Reviews / Scans


No code reviews / code scans present. ✔
Code reviews / code scans have been conducted in the past, but they are not part of the
SDLC process.
Code reviews / code scans are part of the SDLC.

Code reviews / code scans are conducted as part of a major release.

Code reviews / code scans are conducted as part of every release.

Code reviews / code scans are conducted continuously.

Code reviews / code scans are conducted continuously and instant feedback is provided
to the developer.
5 Integration in Business
The topic of business integration was not discussed in detail.

No integration of secure development into the business is present.

Data Protection Management

1 Privacy by Design
The concept of privacy by design is not implemented.

Some privacy concepts are implemented, but only in an ad-hoc manner.

Privacy by design is being addressed from a forward-looking perspective for all new systems. ✔
Existing systems are being left unchanged.

Existing systems are being looked at as part of a major refresh / renewal process.

Existing systems are being looked at proactively.

Privacy by design has been implemented through all systems, and is being maintained
proactively.
2 Procedure Log
No procedure log has been implemented.

A procedure log has been implemented but does not completely cover all processes. ✔
A procedure log has been implemented in the past but was not maintained and is thus
outdated.

The procedure log covers all critical processes.

The procedure log covers all processes.

There is a regular process to maintain the procedure log.

3 Data Subject Information Processes


No data subject information process defined. ✔
Data subject information requests are dealt with in an ad-hoc manner.

Data subject information requests are dealt with in a structured manner, based on a
predefined process.
The process is covering most areas of the enterprise / most business units.

The process is covering all areas of the enterprise / all business units.

Data subject information requests are dealt with in a semi-automated manner.

4 Data Deletion Processes


No data deletion process is defined. ✔
Data deletion requests are dealt with in an ad-hoc manner.

Data deletion requests are dealt with in a structured manner, based on a predefined
process.
This process is covering most areas of the enterprise / most business units.

This process is covering all areas of the enterprise / all business units.

Data deletion requests are dealt with in a semi-automated manner.

Data deletion requests are dealt with in a fully automated manner.

OSP Management

1 OSP Governance and risk management


There is no OSP governance, and third parties are not identified and efficiently managed. ✔
There is an inventory of some critical OSPs.

All OSPs are identified and inventoried.

There is a complete inventory of all OSPs with a description of their services; the dependency on internal processes and the data flow are identified.

There is a written guideline/policy about handling OSPs.

Risks coming from OSPs are identified and red flags are reported to general risk
management.
Mitigation plans are established and executed for high risks.

2 Addressing security in agreements and OSPs monitoring
Security is not addressed in agreements and contracts with OSPs.

Relevant security requirements are covered in some Agreements with third parties
involving accessing, processing or managing the organization’s information or services.

NDAs are signed by all OSPs.

A specific clause is included for the right to audit the provider and verify security controls.

Security awareness training is done by all OSPs' intervening personnel.

OSPs are regularly audited to monitor compliance with security requirements.

Third party access and data flow are efficiently monitored.

Third parties may only obtain access to data or systems where agreed by the application
owner.
Intrusion detection and prevention systems are deployed on network interfaces to third party networks.

3 OSP Service delivery and performance


Service definitions and delivery levels are not included in the agreements with OSPs.

Clear SLAs are included in some of the agreements with OSPs.

Service definitions and delivery levels are in line with business requirements.

Reporting is provided and service performance levels are monitored regularly to check
adherence to the agreements.

Changes to third party provided services are reviewed to ensure changes do not
compromise the security of company data.

Contingency processes are in place to ensure continuity in the event of a third party
failing to provide a service.
Also, a liability clause is included for all critical OSPs.

Merchants, Points of Sale and PCI

Section to be completed only if the proposer accepts payment by card

1. Do you accept payment via Card-Present transactions? ✔ Yes No

If ‘Yes’:
a. Are you fully compliant with EMV card processing standards? Yes No
b. Do your POS systems have anti-tampering features? Yes No
c. Please describe the encryption and/or tokenisation process of data flowing through your POS network, including whether point-to-point encryption is used:
d. Do changes to individual files on the POS system create alerts in real time? Yes No
e. Do changes to the POS systems require formal approval prior to implementation? Yes No
f. Are your POS devices regularly scanned for malware or skimming devices? Yes No
g. How often is your POS network assessed by a 3rd party?
h. Did your last POS network assessment highlight any critical or high level vulnerabilities? Yes No
If ‘Yes’, have these been remediated? Yes No
i. Is your POS system developed and maintained by a PA-DSS compliant vendor? Yes No
j. Have all vendor-provided default passwords been changed? Yes No
k. Please describe how you segregate your POS and corporate networks:
l. Is all user activity on the network monitored? Yes No
m. Is payment transaction log data collected and reviewed on a regular basis? Yes No

2. Do you accept payment via Card-not-Present transactions? Yes ✔ No

If ‘Yes’:
a. Do you use 3rd party payment gateways to process payments? Yes No
b. Please describe how payment card data is captured and transferred to the credit card processor, including the encryption and/or tokenisation process:

Incident Response and Claims History

1. Do you keep an incident log of all system security breaches and network failures? Yes No

If ‘Yes’, please describe the escalation and review process for such incidents:

2. Do you have an incident response plan which includes a team with specified roles and responsibilities? Yes No

If ‘Yes’, has this been tested within the last 12 months? Yes No

3. During the last 5 years, have you suffered from any of the following?
The unauthorised disclosure or transmission of any confidential information for which you are responsible: Yes No
Any intrusion of, unauthorised access to, or unauthorised use of your computer system: Yes No
Any accidental, negligent or unintentional act or failure to act by an employee or an employee of any third party service provider whilst operating, maintaining or upgrading your computer system: Yes No
The suspension or degradation of your computer system: Yes No
Your inability to access data due to such data being deleted, damaged, corrupted, altered or lost: Yes No
Receipt of an extortion demand or security threat: Yes No
Receipt of a claim in respect of any of the above: Yes No
Any formal or official action, investigation, inquiry or audit by a regulator arising out of your use, control, collection, storing, processing or suspected misuse of personal information: Yes No
If ‘Yes’ to any of the above, please provide full details:

Declaration

It is declared that, to the best of the knowledge and belief of the insured, after enquiry, the statements
and responses set out herein are true and accurate. The insured understands that it is under a duty to
make a fair presentation of the risk to the insurer, and that all material circumstances that the insured is
aware of or ought to be aware of have been disclosed to the insurer, or failing that, sufficient information
to put a prudent insurer on notice that further enquiries are needed.

The insured understands that non-disclosure or misrepresentation of a material fact or matter may impact
the terms of the policy or impact whether the policy responds in whole or in part to a claim.

The insured undertakes to inform the Insurers of any material alteration to the information provided herein
or any new fact or matter that arises which may be relevant to the consideration of the proposal for
insurance.

(to be signed by Partner, Director, Principal or equivalent)

Signed

Title

Organisation

Date
